Has there been any discussion on how to put an authentication server on a mesh network so that one must authenticate to the server prior to be given access to the internet through a node marked as a mesh gateway?
Has anyone done this? Any tutorials out there? We have both linux or windows boxes available to use for this, and vlan capable switches.
Thanks
Mark
For controlled access one could setup a proxy server at a location on a server on the LAN port. Devices on the LAN port can use the Internet even without the meshgw checkbox being checked. Users can then put this proxy server in their browser or other program. The proxy can do any policy control you want (authentication, filtering, compression, file resizing, etc) before passing it on to the original user. All without breaking other network connections on the mesh.
While one could theoretically do this on all the connections with an enterprise level firewall (Yes I'm lucky I have enterprise grade firewalls) this has two down falls 1) if a user can't get authenticated through the nearest gateway they are out of luck because the routing protocol happens way below the application layer 2) there is no gueantee of constancy and the authentication response packets may never make it back if the mesh network is jumping around between gateways.
the proxy requires configuration but it provides the least impact to smooth network operations.
Squid is a common open source proxy. It's actually used in a large commercial product as well (in addition to their own proprietary additions). There are many authentication methods for it.
http://www.squid-cache.org/Misc/authenticators.html
I have thoughts on deploying one myself to provide access to Internet resources to my mesh users, especially to resources that default to or require https. My hope is to use a proxy decryption method, such that the clients on the mesh receive everything in plaintext. I will have a warning on the Proxy information page that it is all in cleartext, and that authentication to "secure" websites should not be used as passwords would be sent in the clear on the mesh. The Proxy information page will remind users that it should be used only for Part 97 purposes and that all access is logged.