Hello,
You are right, that's why I also plan to set a filter on the connection
to make sure that those IPs (the portal and the DNS servers) are the
only ones the customer can reach.
My thought when I woke up this morning is to check in rlm_perl whether
the response was a 'change password' MS-CHAP-Error value (648), note
down the name, then return a HANDLED. I seem to have noticed that
freeradius will not send a reply when you return HANDLED. If so, the
client will most likely retry the request, at which point you can catch
the same username in pre-auth or pre-proxy and redo the request into a
default user that goes to the top up page.
Does that seem like a work-around or not?
Cheers
Eric
Ivan Kalik wrote:
And how is the user supposed to open that "topup page" if he is looking for
Google, for instance?
Instead of Google's IPs your DNS servers would return your web server,
with the "topup page".
What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one
you want him to see.
I didn't say I agree with the DNS scheme.
I do agree that a captive portal is the best solution.
I was simply mentioning that it is not always possible.
It is possible - that's what you are making. The DNS scheme is not going to
work. All the user has to do to defeat that is to change the assigned DNS
servers - and he can surf the net. You need a proper captive portal where
the user can't simply change DNS info and/or assigned IP and escape.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html