> So! Here is what I apparently need to do: I need a captive portal that
> will show the users our acceptable use policy (AUP) and also let them
> download a custom written tool that will automatically configure their
> wireless connection to connect to a second, and hidden, SSID that is the
> normal SSID. The custom tool has already been written, by yours truly.
> Now here is the kicker, once they have accepted the AUP they should be
> automatically registered and PF should kick them from the first SSID and
> (if it is even possible) redirect them to the second SSID.

I'm pretty sure this depends on your OS. If your tool carefully puts the second SSID as a more important SSID it might work.

> I know PF can do the captive portal, and the AUP page. But can it
> redirect a user to a specific SSID like it does for VLANs?

No. This is not controllable in any way by the server side. Connecting to an SSID comes from the client and the client alone. PacketFence disconnects the user; if the client is configured to 'prefer' one SSID over another it'll go to it.

Just run PacketFence as usual. Once people register they'll be disconnected and if your tool is careful about SSID priority, it should work like you expect.

> Also, when PF sees a
> registered user I would want it to shove them over to the secure SSID,
> that way my secure SSID can stay hidden.

No redirection, but you can run your tool again to make sure the hidden SSID is prioritized.

I'm not 100% sure about what I'm about to say (but still fairly confident) so wireless experts please correct me if I'm wrong.

If your SSID is hidden, you'll need to force the client to try to connect to it even if it's not visible (duh! hidden). The downside of that is that there are [malicious] tools that will emulate an SSID that is explicitly requested, so you need to make sure that you properly validate your infrastructure, otherwise your users could be fooled into connecting onto rogue APs. If you were to broadcast your SSIDs, then an attacker in another location would need to guess the proper SSID in order for him to trick your client to connect to it, which is arguably more complicated than just waiting for the client to ask for it. So forcing clients to connect to hidden SSIDs is considered a form of information leakage.

All that to say that hidden SSIDs don't provide any real security benefit (someone listening will see them) and, even worse, have security implications (the ones I just mentioned).

Cheers!
--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
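
Added example, not part of the original message and not PacketFence code: a check of the two client-side points raised in the reply, that the hidden SSID outranks the registration SSID and that a profile probing for a hidden name validates the infrastructure it joins. It assumes a Linux client whose provisioning tool writes a wpa_supplicant.conf and a secure SSID using 802.1X; the SSID names, file path and `audit` function are hypothetical.

```python
import re

# Constructed sample of what a provisioning tool might write (names are made up).
SAMPLE_CONF = '''
network={
    ssid="Example-Registration"
    key_mgmt=NONE
    priority=1
}
network={
    ssid="Example-Secure"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    priority=10
}
'''

def parse_networks(conf):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in re.findall(r'network=\{(.*?)\n\}', conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#') and '=' in line:
                key, value = line.split('=', 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(conf, secure_ssid, portal_ssid):
    """List findings on SSID priority and on validation for a hidden SSID."""
    nets = {n.get('ssid'): n for n in parse_networks(conf)}
    secure, portal = nets.get(secure_ssid), nets.get(portal_ssid)
    if secure is None:
        return [f'{secure_ssid}: profile missing']
    findings = []
    # wpa_supplicant prefers the higher priority value; the default is 0.
    if portal and int(secure.get('priority', 0)) <= int(portal.get('priority', 0)):
        findings.append(f'{secure_ssid}: priority not above {portal_ssid}')
    if secure.get('scan_ssid') == '1':  # client sends probes naming this SSID
        key_mgmt = secure.get('key_mgmt', '')
        if key_mgmt == 'NONE':
            findings.append(f'{secure_ssid}: hidden and open, any AP using the name is accepted')
        elif 'WPA-EAP' in key_mgmt and not (
                'ca_cert' in secure and {'domain_suffix_match', 'domain_match'} & secure.keys()):
            findings.append(f'{secure_ssid}: hidden, EAP server certificate not validated')
    return findings
```
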
