StockholmOpen.Net is an authentication mechanism for a public access network. Internet access is provided by different operators, and users can dynamically choose which operator to use, i.e., the access network is operator neutral.
Users are required to authenticate to the network in order to gain access. This is done on a secure web page where the user fills in a username and password. Before authentication, any attempt to reach another web page redirects the user to the login page. When the user disconnects from the network, access is denied again, so users have to log in each time they want to use the network.
The network consists of two types of services: public services common to the whole network, and provider-specific services. The common services are what holds everything together: they provide configuration to requesting clients and act as a relay to the provider-specific services. The provider-specific services do the actual authentication, and include the access server.
The access server is responsible for opening and closing rules in a firewall, and thus for allowing an authenticated user to reach the services provided by that user's provider. These services will typically be access to the global Internet.
The common services in the public network are:
Registration and DHCP relay. This service registers new MAC addresses with a chosen operator and relays DHCP requests to that operator's DHCP server. When a new user (with a previously unregistered network card) connects to the registration web page, the user is presented with a choice of upstream providers, and the choice is stored in a database keyed on the card's MAC address. On later connections this database is used to relay the card's DHCP requests to the chosen operator's server.
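The operator selection a relay agent of this kind performs, written out as an added example in Python (this is not code from the StockholmOpen.Net project): it parses the fixed BOOTP/DHCP header of a client request (RFC 2131), looks the client hardware address up in a registration table, and prepares the packet for forwarding to the chosen operator's DHCP server the way a relay agent does (hops incremented, giaddr set). The registration table, the operator DHCP addresses, the relay address and the DHCPDISCOVER builder are all constructed for this example.

```python
"""Operator selection in a MAC-registering DHCP relay (added example).

A client on the open network broadcasts DHCPDISCOVER/DHCPREQUEST. The relay
reads the client hardware address (chaddr) from the fixed header, looks it up
in the registration database and forwards the request to the DHCP server of
the operator that MAC was registered with. Header layout per RFC 2131.
"""
import socket
import struct

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1

# Constructed registration database: MAC address -> chosen operator.
REGISTRY = {
    "00:11:22:33:44:55": "operator-a",
    "66:77:88:99:aa:bb": "operator-b",
}
# Constructed: each operator's DHCP server, inside that operator's own network.
OPERATOR_DHCP = {
    "operator-a": "10.1.0.2",
    "operator-b": "10.2.0.2",
}
RELAY_ADDR = "192.0.2.1"  # assumed address of the relay on the open network


def parse_request(packet):
    """Return hops, giaddr and client MAC of a BOOTREQUEST, or raise ValueError."""
    end = BOOTP_HEADER.size
    if len(packet) < end + 4 or packet[end:end + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, htype, hlen, hops, _xid, _secs, _flags, _ci, _yi, _si,
     giaddr, chaddr, _sname, _file) = BOOTP_HEADER.unpack_from(packet)
    if op != BOOTREQUEST:
        raise ValueError("not a client request")
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled")
    mac = ":".join("%02x" % b for b in chaddr[:6])
    return {"hops": hops, "giaddr": giaddr, "mac": mac}


def relay_target(packet, registry=REGISTRY, servers=OPERATOR_DHCP):
    """DHCP server to relay to, or None if the MAC has not been registered.

    An unregistered card has no operator yet: the user first has to pick one
    on the registration page.
    """
    operator = registry.get(parse_request(packet)["mac"])
    return None if operator is None else servers[operator]


def relay_packet(packet, relay_addr=RELAY_ADDR):
    """Packet as a relay agent forwards it: hops incremented, giaddr set if zero."""
    info = parse_request(packet)
    if info["hops"] >= 16:            # RFC 1542 caps hops at 16; drop looping requests
        raise ValueError("hop count exceeded")
    out = bytearray(packet)
    out[3] = info["hops"] + 1         # hops is the fourth header byte
    if info["giaddr"] == b"\0\0\0\0":
        out[24:28] = socket.inet_aton(relay_addr)   # giaddr lives at offset 24
    return bytes(out)


def build_discover(mac, xid=0x3903F326):
    """Constructed DHCPDISCOVER from a client with the given MAC (sample input)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    header = BOOTP_HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                               zero4, zero4, zero4, zero4, chaddr,
                               b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, 1, 255])  # option 53 (message type) = 1 DISCOVER; 255 = end
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "de:ad:be:ef:00:01"):
        pkt = build_discover(mac)
        print(mac, "->", relay_target(pkt), "giaddr after relay:",
              socket.inet_ntoa(relay_packet(pkt)[24:28]))
```

The lookup is keyed on the hardware address alone, which is all a DHCP relay has to go on; this is also why the page insists that the operator DHCP servers are not reachable from the open segment, since a server that hears the broadcast directly would answer without consulting the registration.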
The common services should be located on the same machine. For each provider, the following services must exist:
DHCP server. This is an ordinary DHCP server. The system does not impose an IP address allocation policy: automatic, dynamic or manual allocation could be used. For simplicity, dynamic allocation is recommended.
The DHCP server must be placed outside the open network, in the provider's own network, unreachable from unauthenticated users. Otherwise the common relay agent cannot do its job: a DHCP server on the open segment would hear the clients' broadcasts and answer them directly, regardless of which operator the user has registered with.
Access server. This is the service to which users send their credentials in order to log in to the network. The user is presented with a web frontend, which is assumed to be secured via an HTTPS connection, although this is not a requirement of the system. Without HTTPS the credentials cross the shared, open access network in cleartext, where any other not-yet-authenticated client on the segment may be able to capture them.
Upon successful authentication, the access server communicates with the dynamic firewall to open up a rule, allowing the user access to the upstream network.
The actual authentication need not be performed by the access server itself. The access server could include a client module that talks to an authentication server, for example RADIUS or Kerberos.
The access server would then send the user's credentials to the authentication server for verification. The authentication server could be shared with other services that the operator provides and be located inside the ISP's own network.
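What such a client module exchanges with a RADIUS server, as an added example in Python (not code from the StockholmOpen.Net project): the access server builds a PAP Access-Request (RFC 2865) carrying the user name, the hidden password, its own address and the client's MAC, and then checks the Response Authenticator before it treats an Access-Accept as a successful login. The shared secret, the user, the NAS address and the server-side response builder are constructed for the example; the Kerberos alternative the page mentions is not shown.

```python
"""PAP Access-Request from the access server to a RADIUS server (added example).

Packet format per RFC 2865: Code(1) Identifier(1) Length(2) Authenticator(16)
Attributes. The User-Password attribute is hidden by XOR with MD5(secret ||
Request Authenticator), chained over 16-byte blocks (RFC 2865 section 5.2).
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with a chained MD5."""
    pw = password.encode()
    if not 0 < len(pw) <= 128:
        raise ValueError("password must be 1..128 bytes")
    pw = pw.ljust(-(-len(pw) // 16) * 16, b"\0")
    out, prev = bytearray(), authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block                     # next block is keyed on the previous ciphertext
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server computes it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\0").decode()


def attribute(kind, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([kind, len(value) + 2]) + value


def build_access_request(ident, username, password, secret, nas_ip, client_mac,
                         authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address, Calling-Station-Id."""
    authenticator = authenticator or os.urandom(16)   # fresh random value per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(CALLING_STATION_ID, client_mac.encode()))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack_from("!BBH", packet)
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Access-Accept/Reject as the server builds it (constructed server side)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """Response Authenticator check (RFC 2865 section 3); never skip it."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def login_granted(response, request_auth, secret, ident):
    """True only for a verified Access-Accept answering our identifier."""
    code, rid, _, _ = parse_packet(response)
    return rid == ident and verify_response(response, request_auth, secret) \
        and code == ACCESS_ACCEPT
```

The password is only obfuscated with an MD5 keystream derived from the shared secret, so the request itself is worth protecting; keeping the RADIUS server inside the ISP's own network, as the page suggests, is what keeps this exchange off the open segment. Without the Response Authenticator check, anyone able to inject a UDP datagram to the access server could fabricate an Access-Accept.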
The dynamic firewall in the current system is a standard PC running Linux and iptables. The firewall could also be a dedicated router that can be remotely controlled.
The firewall should be configured to drop all packets from not-yet-authenticated users, matched on both MAC and IP address. If certain services are required by unauthenticated users, such as DNS, static rules can open those services. Matching on the MAC/IP pair means that forging only the IP address of an authenticated user is not enough to borrow that user's access; a host on the same segment that forges both addresses can still share it, which is a general limitation of address-based access control of this kind.
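How the access server would drive such a firewall, as an added example in Python (not the project's own code): a default-deny chain with static exceptions for DNS, and one ACCEPT rule per authenticated user keyed on the MAC/IP pair that is inserted at login and deleted at logout or disconnect. Commands are built as iptables argv lists and handed to a pluggable runner, so the same code can log or test the rules, or be adapted to a remotely controlled router; the chain name, the DNS server address and the sample sessions are assumptions of the example.

```python
"""Dynamic firewall control for the open segment (added example).

Default deny for everything from not-yet-authenticated hosts, static rules
for the services they still need (DNS), and one ACCEPT rule per authenticated
user keyed on the MAC/IP pair. Rules are built as argv lists for iptables.
"""
import ipaddress
import re
import subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize(mac, ip):
    """Validate what the access server hands us before it ends up in a rule."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 rules are generated")
    return mac, str(addr)


class DynamicFirewall:
    def __init__(self, chain="FORWARD", runner=None):
        self.chain = chain                 # assumed: users' traffic is forwarded through this box
        # runner gets an argv list; the default really executes iptables (needs root)
        self.run = runner or (lambda argv: subprocess.run(argv, check=True))
        self.sessions = set()              # (mac, ip) pairs that currently have a rule

    def _match(self, mac, ip):
        return ["-m", "mac", "--mac-source", mac, "-s", ip, "-j", "ACCEPT"]

    def base_rules(self, dns_servers):
        """Installed once at startup: flush, default DROP, static exceptions."""
        cmds = [
            ["iptables", "-F", self.chain],
            ["iptables", "-P", self.chain, "DROP"],
            ["iptables", "-A", self.chain, "-m", "conntrack",
             "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ]
        for dns in dns_servers:
            dns = str(ipaddress.IPv4Address(dns))
            for proto in ("udp", "tcp"):
                cmds.append(["iptables", "-A", self.chain, "-p", proto,
                             "-d", dns, "--dport", "53", "-j", "ACCEPT"])
        return cmds

    def install_base(self, dns_servers):
        for cmd in self.base_rules(dns_servers):
            self.run(cmd)

    def open(self, mac, ip):
        """Called after a successful login. False if this pair is already open."""
        key = normalize(mac, ip)
        if key in self.sessions:
            return False
        self.run(["iptables", "-I", self.chain, "1"] + self._match(*key))
        self.sessions.add(key)
        return True

    def close(self, mac, ip):
        """Called on logout or disconnect; the rule must not outlive the session."""
        key = normalize(mac, ip)
        if key not in self.sessions:
            return False
        self.run(["iptables", "-D", self.chain] + self._match(*key))
        self.sessions.discard(key)
        return True


if __name__ == "__main__":
    fw = DynamicFirewall(runner=lambda argv: print(" ".join(argv)))  # dry run
    fw.install_base(["192.0.2.53"])             # assumed resolver reachable by everyone
    fw.open("00:11:22:33:44:55", "192.0.2.10")  # constructed session
    fw.close("00:11:22:33:44:55", "192.0.2.10")
```

Tracking open sessions in the controller is what makes close idempotent and lets the access server tear down every rule belonging to a user that disconnected; a rule that is never deleted is exactly the leftover a later host with the same MAC/IP pair would inherit.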