
Is this L2 layout possible?
istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Wed Mar 04, 2015 8:15 pm
Post subject: Is this L2 layout possible?

Wlan Clients ---- AP ----- Access Controller with 8 switchports --- edge router --- internet

The firstspot server will be connected directly to the AC and the AC will be configured to use an external Portal Server (in this case firstspot)

I don't want the traffic to pass through the firstspot server.

Thx!

alan
Forum facilitator
Joined: 26 Sep 2003
Posts: 4435

Posted: Thu Mar 05, 2015 7:35 am

FirstSpot acts as a gateway/router so that traffic needs to go through it.

Refer to http://patronsoft.com/firstspot/topologies.html for an example on FirstSpot topology.
_________________
~ Patronsoft Limited ~

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 7:45 am

Hi Alan,

I had seen the topologies page before, but I could not believe it :/
Alternatively, can I configure Firstspot so NIC1 and NIC2 are in different VLANs and the NICs are looped to one switch? In this case to the WLAN Access Controller.

Like:

AP ---- WLAN AC ---- Firstspot ---- WLAN AC ----- EDGE ROUTER ---- Internet

alan
Forum facilitator
Joined: 26 Sep 2003
Posts: 4435

Posted: Thu Mar 05, 2015 7:54 am

Yes, theoretically it is possible. Keep in mind that from FirstSpot's point of view, it needs to be transparent and the network needs to act like a normal "gateway" case.

BTW, the reason that the traffic needs to go through FirstSpot is that for many features like Captive Portal, Bandwidth Throttling and URL Tracking, FirstSpot needs to change or inspect the packets directly.
_________________
~ Patronsoft Limited ~

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 7:58 am

And what about the encrypted traffic like HTTPS?
Is it also inspected?

What would be the best OS from a stability point of view? I'm running the trial version on Win 2012R2.

alan
Forum facilitator
Joined: 26 Sep 2003
Posts: 4435

Posted: Thu Mar 05, 2015 8:01 am

For https, we cannot inspect as it is encrypted.

From FirstSpot's point of view, Windows 2012 should be quite stable.
_________________
~ Patronsoft Limited ~

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 8:05 am

Is it possible to configure a proxy for Firstspot so it inspects HTTPS?

Could you please provide an initial config for the forced login?

The AC side is ready, the traffic is redirected to the Firstspot's address on port 5786. Shall I redirect any other ports to it?

Thx!

alan
Forum facilitator
Joined: 26 Sep 2003
Posts: 4435

Posted: Thu Mar 05, 2015 8:08 am

FirstSpot is designed so that it works well with default settings. In other words, you don't need to change your network in any particular way. To set up for the initial test, please make sure:

1) you turn off all other DHCP servers in your network. Make sure that the client obtains the IP from the FirstSpot DHCP server

2) there is no router between your client and FirstSpot (i.e. bridge mode in your AP).
_________________
~ Patronsoft Limited ~

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 11:00 am

The AC has 2 SSIDs; clients connected to SSID A have to be authenticated before they can access the network.
Clients connected to SSID B do not have to be.

With an enterprise WLC each SSID has different vlan and the AC is their GW as well as DNS proxy. DHCP also runs on the AC.

All the user traffic on SSID A is redirected to the Firstspot server's port 5786.

I am going to test this scenario today.

I have created a test user account.
So far, by default Firstspot is configured to authenticate users, right?

alan
Forum facilitator
Joined: 26 Sep 2003
Posts: 4435

Posted: Thu Mar 05, 2015 11:11 am
FirstSpot is not designed that way. FirstSpot works purely at the TCP/IP level and it doesn't look into concepts like SSID.

Please follow my instructions at least initially first. You might be able to make changes later to suit your environment, but it is important to get the basics working first.
_________________
~ Patronsoft Limited ~

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 12:14 pm

This is the scenario now:

http://s8.postimg.org/xp7g8mx9h/wlan_scenario.png

Traffic coming from SSID 2 is not redirected but from SSID 1 it is.

What happens:

Traffic reaches the Firstspot server, user lands on the login page. After the user is successfully logged in, instead of getting redirected to the fixed page it is redirected to https://192.168.211.2/fixedpageexample.com
If the user tries to open a web page it will be redirected to the login page again...

I think Firstspot server does not notify the AC, so the AC is not aware of the client's authentication status and it keeps redirecting the traffic to the login page.

I think I can solve this problem by using FS as the GW for SSID 1.
But anyway, is it possible to configure it so FS cooperates with the AC?

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 12:16 pm

Sorry, I have forgotten the second pic

http://s7.postimg.org/k1eab17or/fail.png

alan
Forum facilitator
Joined: 26 Sep 2003
Posts: 4435

Posted: Thu Mar 05, 2015 1:20 pm

Cannot really see the two pictures as they are not clear.

The easiest way is to simply turn off any captive portal related feature in your AC, and let FirstSpot handle all the authentication. That way the flow is the most natural and should be enough for your need.

You can configure FirstSpot to redirect to a fixed page (e.g. a page in your AC) after FirstSpot authentication. It is possible to customize that redirect URL so that it includes information like client MAC address so that it can be recognized by your AC.
_________________
~ Patronsoft Limited ~

istvan.kelemen
Joined: 04 Mar 2015
Posts: 19
Location: Switzerland

Posted: Thu Mar 05, 2015 1:51 pm

Yes, I have turned out everything on my AC, FS and the clients are in the same L2 domain.

I have set www.livescore.com as the fixed page, but after the client had successfully authenticated, the browser redirected to
https://172.20.0.1/livescore.com

when unauthenticated clients connect to https://www.facebook.com

the following message is shown

Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards).

www.facebook.com normally uses encryption to protect your information. When Chrome tried to connect to www.facebook.com this time, the website sent back unusual and incorrect credentials. Either an attacker is trying to pretend to be www.facebook.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit www.facebook.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

NET::ERR_CERT_AUTHORITY_INVALID



when an unauthenticated client tries to connect to https://www.paypal.com the page opens even though the user is still unauthenticated!
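
The redirect URLs reported in the posts above (https://172.20.0.1/livescore.com and https://192.168.211.2/fixedpageexample.com) have the shape a browser produces when it resolves a value without a scheme against the portal page's own address. The following is an added example, not part of the thread and not FirstSpot code, that shows this resolution and checks a configured target before use; that the fixed page was entered without `http://` is an assumption, and `checkPortalRedirect` and the portal login URL are hypothetical.

```javascript
// Added example: how a browser resolves a captive portal's post-login
// redirect target. checkPortalRedirect() and the sample values are
// constructed for illustration; they are not FirstSpot settings or code.

function checkPortalRedirect(configured, portalPageUrl) {
  // What the browser will actually load when this value arrives in a
  // Location header (or link) served from portalPageUrl.
  let resolved;
  try {
    resolved = new URL(configured, portalPageUrl).href;
  } catch (e) {
    return { ok: false, resolved: null, reason: 'unparseable' };
  }

  // An absolute URL parses without a base; a relative reference throws.
  let absolute;
  try {
    absolute = new URL(configured);
  } catch (e) {
    const reason = configured.startsWith('//')
      ? 'scheme-relative: inherits the scheme of the portal page'
      : 'no scheme: treated as a path on the portal host';
    return { ok: false, resolved, reason };
  }

  // Only plain web targets make sense as a landing page.
  if (absolute.protocol !== 'http:' && absolute.protocol !== 'https:') {
    return { ok: false, resolved, reason: 'unexpected scheme ' + absolute.protocol };
  }
  return { ok: true, resolved, reason: 'absolute http(s) URL' };
}

// Constructed samples: the portal login page address is an assumption.
function demo() {
  const portal = 'https://172.20.0.1/login';
  return ['livescore.com', 'www.livescore.com', '//www.livescore.com',
          'http://www.livescore.com/']
    .map((value) => ({ value, ...checkPortalRedirect(value, portal) }));
}

console.log(demo());
```

Only the last sample leaves the portal host with the scheme that was written; the first one reproduces the URL shape reported in the post.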