Introduction
Sweetspot is an Open Source implementation of Network Access Controller software that can be used together with the Captive Portal authentication and accounting technique in wired or wireless LANs (also known as hotspots). The code is largely based on that of the well-known ChilliSpot project, though Sweetspot is more focused on:
Like ChilliSpot, Sweetspot is a user-land daemon whose primary activity is carrying IP packets from one network interface over to another. In a typical configuration, Sweetspot sits between two IP networks: one populated with broadband users (the inner network) and the Internet (the outer network). All traffic between a broadband user and the Internet therefore passes through Sweetspot, which makes it an ideal place for performing access control and accounting.

More specifically, Sweetspot is aware of a pool of IP addresses assigned to broadband users. Each IP address in this pool is logically in either the "captured" or the "released" state. While an IP address is "captured", certain traffic from the inner network outwards is redirected (DNAT'ed) to another target, where user authentication may be performed, and all other packets are blocked. Once the user has authenticated, Sweetspot brings the IP address into the "released" state, in which most traffic simply passes through. User authentication is performed in a protocol-specific manner. Most commonly, HTTP connections are redirected to an authentication web server; another application to consider would be VoIP traffic redirected to an IVR-based authentication system.

Once a broadband user's IP address is "released", Sweetspot counts the octets passing from and to that IP address and keeps track of session duration and idle time. If either of these figures reaches the user-specific limit handed to Sweetspot at authentication time, the IP address returns to the "captured" state. A Sweetspot session can also be terminated by its owner in a protocol-specific way consistent with the authentication procedure. On session authentication and termination, Sweetspot generates accounting start and stop events; in a typical configuration, a conventional RADIUS detail file is written.
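The captured/released session handling described above, as an added example (this is illustration code written for this page, not Sweetspot's own implementation): a packet either passes, is dropped, or is redirected depending on the state of the inner-side IP address, passed octets are accounted, and hitting a limit returns the address to the captured state with an accounting stop record. The class names, the (proto, port, action) filter rule format, the accounting attribute names, the AUTH_SERVER address and the packet trace in demo() are all assumptions made for the example.

```python
"""Captured/released session model for a captive-portal gateway: an added
illustration of the session handling described above, not Sweetspot's code.
Class names, the (proto, port, action) rule format, accounting attribute names
and the packet trace in demo() are assumptions; AUTH_SERVER is made up."""

CAPTURED, RELEASED = "captured", "released"
AUTH_SERVER = "10.0.0.2"   # assumed DNAT target for captured HTTP traffic

def rule_action(rules, proto, port):
    """First match over (proto, port, action); 'any'/None are wildcards, no match drops."""
    for r_proto, r_port, action in rules:
        if r_proto in (proto, "any") and r_port in (port, None):
            return action
    return "drop"

class Session:
    def __init__(self, ip):
        self.ip, self.state, self.filter = ip, CAPTURED, None  # filter None: pass all
        self.started = self.last_seen = None
        self.octets_in = self.octets_out = 0
        self.limits = {}                    # max_octets / max_duration / max_idle

class Gateway:
    def __init__(self, pool, captive_filter):
        self.sessions = {ip: Session(ip) for ip in pool}
        self.captive_filter = captive_filter  # one filter shared by all captured IPs
        self.accounting = []                  # RADIUS-detail-style start/stop records

    def release(self, ip, now, filter=None, **limits):
        """What a sweetuam-style release command does after authentication."""
        s = self.sessions[ip]
        s.state, s.filter, s.limits = RELEASED, filter, limits
        s.started, s.last_seen, s.octets_in, s.octets_out = now, now, 0, 0
        self.accounting.append({"Acct-Status-Type": "Start", "Framed-IP-Address": ip})

    def capture(self, ip, now, cause):
        """Put an IP back into the captured state, writing a stop record if it was released."""
        s = self.sessions[ip]
        if s.state == RELEASED:
            self.accounting.append({
                "Acct-Status-Type": "Stop", "Framed-IP-Address": ip,
                "Acct-Session-Time": now - s.started, "Acct-Terminate-Cause": cause,
                "Acct-Input-Octets": s.octets_in, "Acct-Output-Octets": s.octets_out})
        s.state = CAPTURED

    def limit_hit(self, s, now):
        """Cause name if a limit is reached, else None; a real daemon would also poll these."""
        lim = s.limits
        if "max_octets" in lim and s.octets_in + s.octets_out >= lim["max_octets"]:
            return "Octets-Limit"
        if "max_duration" in lim and now - s.started >= lim["max_duration"]:
            return "Session-Timeout"
        if "max_idle" in lim and now - s.last_seen >= lim["max_idle"]:
            return "Idle-Timeout"
        return None

    def handle(self, pkt, now):
        """Decide one packet: 'pass', 'drop' or 'redirect' (DNAT to AUTH_SERVER)."""
        outbound = pkt["src"] in self.sessions
        s = self.sessions.get(pkt["src"] if outbound else pkt["dst"])
        if s is None:
            return "drop"                       # neither end is in the managed pool
        # outbound packets match on destination port, inbound ones on source
        # port, so replies to a permitted flow (e.g. DNS answers) get back in
        port = pkt["dport"] if outbound else pkt["sport"]
        cause = s.state == RELEASED and self.limit_hit(s, now)
        if cause:
            self.capture(s.ip, now, cause)      # falls through to captive handling
        if s.state == RELEASED:
            action = "pass" if s.filter is None else rule_action(s.filter, pkt["proto"], port)
            if action == "pass":                # only passed octets are accounted
                if outbound:
                    s.octets_out += pkt["length"]
                else:
                    s.octets_in += pkt["length"]
                s.last_seen = now
            return action
        if not outbound and pkt["src"] == AUTH_SERVER:
            return "pass"                       # reverse direction of the DNAT
        return rule_action(self.captive_filter, pkt["proto"], port)

def demo():
    """Constructed packet trace: captivity, release, then an octet limit."""
    client, server = "192.168.1.10", "203.0.113.5"
    gw = Gateway(pool=[client], captive_filter=[
        ("udp", 53, "pass"),        # DNS loophole open to everyone
        ("tcp", 80, "redirect")])   # HTTP goes to the authentication web server

    def pkt(proto, port, length, inbound=False):
        src, dst = (server, client) if inbound else (client, server)
        sport, dport = (port, 40000) if inbound else (40000, port)
        return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, length=length)

    trace = [gw.handle(pkt("udp", 53, 60), 0),        # pass
             gw.handle(pkt("tcp", 80, 500), 1),       # redirect
             gw.handle(pkt("tcp", 443, 500), 2)]      # drop: not in captive filter
    gw.release(client, now=10, max_octets=1000, max_idle=300)
    trace += [gw.handle(pkt("tcp", 443, 600), 11),                # pass, 600 out
              gw.handle(pkt("tcp", 443, 500, inbound=True), 12),  # pass, 500 in
              gw.handle(pkt("tcp", 443, 100), 13)]                # limit -> captured -> drop
    return trace, gw
```

The model is stateless on purpose: inbound packets are matched on their source port so that answers to a loophole such as DNS reach a captured client, and replies from the authentication server pass because they are the reverse direction of the DNAT. A real daemon would do this with connection tracking, and would also check the duration and idle limits on a timer rather than only when a packet arrives.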
Design

The Sweetspot daemon can be viewed as a pipeline between two network interfaces with a valve in between. This valve takes the shape of a packet filter that can pass, drop or redirect the packets passing through. Authenticated IP addresses can be assigned individual packet filters, or no packet filter at all. By contrast, all "captured" sessions share a single packet filter, which enforces captivity and user authentication for certain targets/protocols while it may also open up loopholes to freely available services. A consequence of this design decision is that most Sweetspot configuration and features are reached by adjusting its packet filters, especially the one assigned to unauthenticated IP addresses.

Back to the notion of the Sweetspot daemon as a "valve": the way to control it is by sending it messages with a command-line tool (called sweetuam) from anywhere on the network. These messages carry commands telling the Sweetspot daemon to put a particular IP address into the "captured" or "released" state, and may also include finer options such as traffic limits or the name of a packet filter to apply to the session.

Installation

For a typical setup you need a stand-alone machine sitting at the border of your broadband network, so that packets from the broadband network destined to any Internet host pass through Sweetspot. Sweetspot installation is as simple as doing ./configure && make && make install. Then:
Once everything is ready, run /usr/local/sbin/sweetspot and watch the
/var/log/sweetspot.log file for possible errors. Then verify Sweetspot
captivity by using the Internet from a broadband client. If there is no
connectivity, try running

/usr/local/sbin/sweetuam UP

If it works as expected, your next step is to build the /usr/local/sbin/sweetuam
invocation into your authentication software. There is a Perl module in the
distribution for Sweetspot session management. In case you are capturing web
traffic to force user authentication:
Now try browsing the Internet from your broadband network. If everything is working, you will be captured and brought to the web authentication page. Once authenticated there (or after just skipping authentication), you will obtain Internet connectivity.

Precautions and Misfeatures

This is beta-quality software. Besides possible bugs and glitches, UAM protocol ciphering is not yet implemented. This means that sweetspot<->sweetuam communication must be secured, at the very least, by system IP filters. Be advised that both layer-2 and layer-3 address-based authentication are inherently insecure: a malicious user may sniff and take over somebody else's MAC and/or IP address and thus commit abuse. IP address based authentication is even more vulnerable, as it may be a bit easier for a user to fake an IP address than a MAC address. To minimize the risk, set up your switches or Wi-Fi access points so that they remember MAC<->IP pairs, which at least rules out IP-only spoofing. In the broadband network, disallow direct IP-to-IP communication as well as broadcast propagation; in case of an IP address take-over, this measure eases the impact of the resulting IP address conflict. Though WPA/WPA2 seem to be the real solution to these security issues, neither is widely implemented on the average system at the time of writing.

Sweetspot has been developed on a Linux system and has not been tested anywhere else so far. Still, it is written in plain C for a POSIX system, so chances are it would run on certain other boxen.

Download, license and support

This software can be freely downloaded in source form from the SourceForge download servers. Sweetspot inherits the ChilliSpot license, which is the GPL. Please report problems, fixes and feature requests to sweetspot-users@lists.sourceforge.net.

Written by Ilya Etingof, 2007. Your sweets are welcome!
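The MAC<->IP pairing that the Precautions section recommends, as an added example of the check a gateway or monitoring script can run on its own (illustration code written for this page, not part of Sweetspot): the MAC a released IP was authenticated from is remembered, and a later ARP observation of that IP from a different MAC is reported as a take-over attempt and fed to a callback that can re-capture the address. The BindingTable name, the "ip at mac" line format and the sample ARP lines are assumptions made for the example; as the text says, this catches IP-only spoofing but not an attacker who clones both the MAC and the IP.

```python
"""MAC<->IP binding check against session take-over: an added example for this
page, not Sweetspot's code.  The BindingTable name, the "ip at mac" line format
and the sample lines are assumptions; the sample ARP lines are constructed."""
import re

# assumed line format: "<ip> at <mac> ..." (one ARP table entry per line)
ARP_LINE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

class BindingTable:
    def __init__(self, on_takeover=None):
        self.bound = {}                 # ip -> mac recorded when the IP was released
        self.on_takeover = on_takeover  # e.g. a callback that re-captures the IP
        self.events = []

    def bind(self, ip, mac):
        """Record the MAC seen at authentication time; call when releasing the IP."""
        self.bound[ip] = mac.lower()

    def unbind(self, ip):
        """Forget the pairing when the session ends."""
        self.bound.pop(ip, None)

    def observe(self, line):
        """Check one ARP entry; returns a verdict tuple, or None if the line is unparsable."""
        m = ARP_LINE.search(line)
        if not m:
            return None
        ip, mac = m.group(1), m.group(2).lower()
        expected = self.bound.get(ip)
        if expected is None:
            return ("unbound", ip, mac)         # never released: captivity applies anyway
        if mac == expected:
            return ("ok", ip, mac)
        event = ("takeover", ip, expected, mac)  # same IP now claimed by another MAC
        self.events.append(event)
        if self.on_takeover:
            self.on_takeover(ip)                # terminate the hijacked session
        return event

# constructed sample: the third line shows 192.168.1.10 claimed by a new MAC
SAMPLE_ARP = """\
192.168.1.10 at 00:11:22:33:44:55 on eth1
192.168.1.11 at 66:77:88:99:aa:bb on eth1
192.168.1.10 at de:ad:be:ef:00:01 on eth1
garbage line
"""

def demo():
    """Run the sample ARP lines through a table with one released IP bound."""
    recaptured = []
    table = BindingTable(on_takeover=recaptured.append)
    table.bind("192.168.1.10", "00:11:22:33:44:55")   # learned when the session was released
    verdicts = [table.observe(line) for line in SAMPLE_ARP.splitlines()]
    return verdicts, recaptured
```

In practice the bind() call belongs next to the release of the address in the authentication software, and observe() is fed from the switch or access point's ARP or DHCP snooping table rather than from a text file, so that the gateway never trusts the client's own claim about its addresses.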