WebNAG: a Web-based Network Authentication Gateway project

This page contains early documentation for the WebNAG project. Essentially WebNAG does a similar job to the NoCat wireless authentication package - both allow users to authenticate onto a network via web-based splash pages (and both are GPLed software).

This software has been running (in various slightly older forms) at numerous sites within the University of Cambridge including King's College, the Graduate Union, and the Varsity newspaper office. In all three cases a WebNAG server provides wifi authentication via Raven. At King's a second WebNAG server provides automatic network configuration and student/Fellow network registration via DHCP.

News

I am hoping to rework the software into a more modular form so that it can be used in a wider variety of contexts. I currently have Xen 3 guest domains running WebNAG under both Debian and SUSE, and have created a LiveCD version of the gateway (runs on a recycled PII with hardware detection nicely).

As I'm probably going to inadvertently break various things trying to improve the software, I should note for the record now that, albeit very basic, release 0.3 has shown itself to be quite disturbingly stable - none of the installations have required admin intervention, and some have been running for nearly two years!

What's hopefully coming up: (in vaguely decreasing order of priority)

  • A SUSE version of the install instructions / WebNAG distribution.
  • Move from Perl CGI to mod_perl and re-engineer the security watchdog accordingly - this will make life more pleasant in all sorts of ways.
  • Support for multiple authentication mechanisms from the same splash page. Update: a number of deployments of WebNAG do use multiple parallel authentication paths. The process for doing so can be explained on request, but is not included in the documentation yet.
  • An administrative interface.
  • A modular file-structure to allow easier customisation of the system. Many possibilities for how this might be done, e.g. Makefiles, use of Apache configuration support, etc.

History

I rewrote the NoCat software because I wanted to simplify its core design. Over months of running NoCat gateways (that I'd modified to meet University Computing rules and to use the Raven authentication system), I had problems with these gateways occasionally having ports jam open such that they allowed unauthenticated users to gain access to the Internet. Given that "disposable" computers are now quite often of rather high specification, I feel some of the original design goals of NoCat are less important than they were. NoCat provided an excellent opportunity to educate myself in what was needed for such software, however - I am very grateful to its authors for releasing its source code freely to the Internet community.

Release 0.3

For now, most of the documentation of WebNAG is carried within its INSTALL file. I recommend you first browse an HTMLised version of the INSTALL file, to get an idea of what's involved.

Notes from those who have installed recently:

  • The Apache 2.2 series Debian package in Etch does not seem to enable mod_proxy and mod_proxy_http by default. The standard setup of WebNAG requires both of these Apache modules to be enabled.
  • There is no need to build the Perl URI module on distributions such as Debian, on which you can just install the liburi-perl package.
  • Dan Scott has written up directions for installation on SUSE 10.3. They are intended to augment the existing Debian installation instructions linked from this page. From looking at Dan's experience, it seems that there isn't an easy way to set up SUID Perl scripts under SUSE - please let me know if you have a solution. Dan's approach was to set up sudo to allow the Perl scripts to run iptables as root. I have converted his write-up into plain text.
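
The sudo approach in the SUSE note above can be narrowed so that the web server user is granted one validating wrapper rather than iptables itself. The script below is an added example, not part of WebNAG or of Dan Scott's write-up; the wrapper path, the `wwwrun` user and the `WEBNAG_AUTH` chain name are assumptions.

```shell
#!/bin/sh
# Added example, not WebNAG code. Hypothetical wrapper: /usr/local/sbin/webnag-fw
# Assumed sudoers entry (user name and path are assumptions):
#   wwwrun ALL=(root) NOPASSWD: /usr/local/sbin/webnag-fw
# The CGI user can then run this script as root, but not iptables itself.

IPTABLES=/usr/sbin/iptables   # fixed path: never taken from the caller's environment
NAG_CHAIN=WEBNAG_AUTH         # hypothetical chain holding per-client allow rules

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the single iptables command this wrapper will run, or fail with status 2.
build_rule() {
    case "$1" in
        allow)  flag=-I ;;
        revoke) flag=-D ;;
        *) echo "webnag-fw: unknown action" >&2; return 2 ;;
    esac
    valid_ipv4 "$2" || { echo "webnag-fw: bad address" >&2; return 2; }
    printf '%s %s %s -s %s -j ACCEPT\n' "$IPTABLES" "$flag" "$NAG_CHAIN" "$2"
}

# Usage: webnag-fw [-n] allow|revoke IPV4   (-n prints the command only)
main() {
    dry_run=0
    [ "${1:-}" = "-n" ] && { dry_run=1; shift; }
    [ "$#" -eq 2 ] || { echo "usage: webnag-fw [-n] allow|revoke IPV4" >&2; return 2; }
    rule=$(build_rule "$1" "$2") || return 2
    # Word-splitting $rule is safe here: every field was validated above.
    if [ "$dry_run" -eq 1 ]; then echo "$rule"; else $rule; fi
}

# Run only when arguments are given, so sourcing the file has no side effects.
[ "$#" -eq 0 ] || main "$@"
```

Because sudo is granted only for the wrapper, a bug in the CGI scripts can at worst add or remove an ACCEPT rule for one well-formed address in that chain.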

Due to the need to customise installations per deployment, there will be some differences between files at different sites even within a given release. Most files contain a CVS version header - these provide a more specific indicator of the software version. Release 0.3 seems to be stable. I've given it a low version number simply because the source code isn't particularly beautiful (but then, there's not much of it either) and there are some minor annoyances in the user interface, but particularly because it's Perl CGI. I'd not expect to get near 1.0 versions until it's all mod_perl and has a few more authentication / authorisation abstractions included for the sake of easy extensibility and reconfigurability (e.g. allowing straightforward integration of multiple authentication methods, including non-Raven ones, from a single NAG splash screen, and supporting the remote control of non-local gateways and/or switches/routers).

Future plans

I have a long-term research agenda relating to this software. I will elaborate further when I get some spare time (and the software is further evolved).

© 2005 - 2010 David Eyers