I've been messing with this idea on and off for months but never got anything to work, until recently. For those who don't know a Captive Portal is a means of blocking all network traffic other than that on port 80 which is redirected to a page which asks the user to log in, once logged in the network is available to the machine which the user logged in from. Used to control access to wireless access points (such as those dotted around my uni campus).
Now I faniced setting up an simple access point for some friends of mine who i'm sharing a house with. Rather than simply a secure wireless network, because by having user accounts to provide access to the network this access can be easily controlled (certain users having certain rights, regaurdless of what machine, IP, MAC, they access the network from).
I attempted to configure a few of the acptive portal software packages that are around but failed in every attempt because they were far to complex for what I required.
My bit of inspiration was as follows:
Using shorewall to reject all traffic from the local (loc) zone and route port 80 to port 80 on my server which hosts a log in screen. Users log in, are authenitcated and then added to an "allowed" list. This roughly translates to the following:
REDIRECT loc:!$ALLOW_IPS 80 tcp 80 REJECT loc:!$ALLOW_IPS net tcp !80 REJECT net loc:!$ALLOW_IPS tcp !80
Where ALLOW_IPS is set in /usr/share/shorewall/params and modified by scripts running on the server. More complex rules can also be added to shorewall to allow certain users access to certain ports, etc..
I'd be interested if the experts amoung you could see any gaping holes in this concept. the configuration above is only basic and can be expanded on, but its the concet i'm interested in, yes it needs a bit of work, a webserver, some php, but I find this simpler than any packages which i've attempted to use (this is no doubt a reflection of my skill rather than the complexity of the packages!)
Any comments on this concept are welcomed, positive as well as negative!