Is this L2 layout possible?

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

Wlan Clients ---- AP ----- Access Controller with 8 switchports --- edge router --- internet

The firstspot server will be connected directly to the AC and the AC will be configured to use an external Portal Server (in this case firstspot)

I don't want the traffic to pass trough the firstspot server.

Thx!

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

FirstSpot acts as a gateway/router so that traffic needs to go through it.

Refer to http://patronsoft.com/firstspot/topologies.html for an example on FirstSpot topology.
_________________
~ Patronsoft Limited ~

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

Hi Alan,

I had seen the topologys page before, but I could not belive :/
Alternatively can I configure Firstspot so NIC1 and NIC2 are in different vlans and the NIC's are looped to one switch? In this case to the WLAN Access Controller.

Like:

AP ---- WLAN AC ---- Firstspot ---- WLAN AC ----- EDGE ROUTER ---- Internet

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

Yes, theoretically it is possible. Keep in mind that from FirstSpot point of view, it needs to be transparent and the network needs to act like a normal "gateway" case.

BTW, the reason that the traffic needs to go through FirstSpot is that many of features like Captive Portal, Bandwidth Throttling and URL Tracking, FirstSpot needs to change or inspect the packets directly.
_________________
~ Patronsoft Limited ~

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

And what about the encrypted traffic like HTTPS?
Is it also inspected?

What would be the best OS from stability point of view? I'm running the trial version on Win 2012R2

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

For https, we cannot inspect as it is encrypted.

From FirstSpot point of view, Windows 2012 should quite stable.
_________________
~ Patronsoft Limited ~

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

Is it possible to configure proxy for Firstspot so It inspect HTTPS?

Could you please provide an initial config for the forced login?

The AC side is ready, the traffic is redirected to the firstpot's address on port 5786, shall I redirect any other prts to it?

Thx!

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

FirstSpot is designed so that it works well with default setting. In other words, you don't need to change your network in any particular way. To setup for the initial test, please make sure:

1) you turn off all other DHCP server in your network. Make sure the client obtains that the IP from FirstSpot DHCP server

2) there is no router between your client and FirstSpot (i.e. bridge mode in your AP).
_________________
~ Patronsoft Limited ~

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

The AC has 2 SSID's, clients connected to the SSID A has to be authenticated before they can access the network.
Clients connected to SSID B does not have to be.

With an enterprise WLC each SSID has different vlan and the AC is their GW as well as DNS proxy. DHCP also runs on the AC.

All the user traffic on SSID A is redirected to the Firstspot server's port 5786.

I am going to test this scenario today.

I have created a test user account.
So far, by default Firstspot is configured to authenticate users, right?

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

The AC has 2 SSID's, clients connected to the SSID A has to be authenticated before they can access the network.
Clients connected to SSID B does not have to be.

With an enterprise WLC each SSID has different vlan and the AC is their GW as well as DNS proxy. DHCP also runs on the AC.

All the user traffic on SSID A is redirected to the Firstspot server's port 5786.

I am going to test this scenario today.

I have created a test user account.
So far, by default Firstspot is configured to authenticate users, right?

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

FirstSpot is not designed that way. FirstSpot works purely in TCP/IP level and it doesn't look into concept like SSID.

Please follow my instruction at least initially first. You might be able to make change later to suit your environment, but it is important to get the basic working first.
_________________
~ Patronsoft Limited ~

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

This is the scenario now:

http://s8.postimg.org/xp7g8mx9h/wlan_scenario.png

Traffic coming from SSID 2 is not redirected but from SSID 1 it is.

What hapens:

Traffic reaches Firstspor server, user lands on the login page. After the user is succesfully logged in, instead of getting redirected to the fixed page it is redirected to https://192.168.211.2/fixedpageexample.com
If the user tries to open a wab page it will redirected to the login page again...

I think Firstspot server does not notify the AC, so the AC is not aware about the client's authentication status and it keeps redirecting the traffic to the login page.

I think I can solv this problem by using FS as the GW for SSID 1.
But anyway, is that possible to configure so FS cooperates with the AC?

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

Sorry, I have forgotten the second pic

http://s7.postimg.org/k1eab17or/fail.png

alan · **Forum facilitator** Joined: 26 Sep 2003 Posts: 4435

Cannot really see the two pictures as they are not clear.

The easiest way is to simply turn off any captive portal related feature in your AC, and let FirstSpot handle all the authentication. That way the flow is the most natural and should be enough for your need.

You can configure FirstSpot to redirect to a fixed page (e.g. a page in your AC) after FirstSpot authentication. It is possible to customize that redirect URL so that it includes information like client MAC address so that it can be recognized by your AC.
_________________
~ Patronsoft Limited ~

istvan.kelemen · Joined: 04 Mar 2015 Posts: 19 Location: Switzerland

Yes, I have turned out everything on my AC, FS and the clients are in the same L2 domain.

I have set www.livescore.com as the fixed page, but after the client had succesfully authenticated, the browser redirected to
https://172.20.0.1/livescore.com

when unauthenticated clients connect to https://www.facebook.com

the following message is shown

Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards).

ReloadHide advanced
www.facebook.com normally uses encryption to protect your information. When Chrome tried to connect to www.facebook.com this time, the website sent back unusual and incorrect credentials. Either an attacker is trying to pretend to be www.facebook.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit www.facebook.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

NET::ERR_CERT_AUTHORITY_INVALID

when an unauthenticated client tries to connect to https://www.paypal.com the page opens even the user is still unauthenticated!