views:

805

answers:

2

I am looking into captive portals for my organization. I see a lot of them out there that will allow a user to pass once they (a) enter credentials or (b) pay money. What I'm looking for is a bit different. Let me go into some basics about my system: I am running a Windows-based network using Active Directory and an internal DNS. I have an intranet which our employees use daily, and it uses the person's Windows credentials to authenticate them on the system.

The employees have to enter time daily, and if they don't then I would like to have a captive portal redirect them to their time entry page and not let them out into the vast internet world until their time is entered.

I am a developer, so I can write a script that returns a True or False to the system, but what I need is a system that can interact with AD logons and that can run this script once a user requests access outside our network.

EDIT: I accepted an answer as the answer to my question; however, after looking into the coding for the sockets-based method, I do not have the time.

As a workaround, I have found that my firewall has a customizable disclaimer page that allows JavaScript. I will query a web service to see if time is entered, then trigger the disclaimer page's "Allow" function; otherwise I will redirect to the time entry page. It seems like a simple enough solution; the only issue is if the person keeps their browser session open overnight.

A: 

Well, nowadays I only really code in .NET; some of the OSS may have better ideas.

I can't see any way of doing this without using a proxy, preferably a transparent proxy server on the gateway. There must be people who have written such things. Of course every commercial Wi-Fi hotspot has one, but you presumably want one that runs on a server, not a device.

I have no real idea about this but it is something I have thought about in the past.

You may be able to find a router/firewall box that has the feature. Microsoft IAS may have a plug-in that does this (it is unlikely to be cheap). A brief look on Google did not turn up much in the way of other software that does this.

WinGate - might do it; I couldn't figure it out.

Otherwise you could code a transparent proxy application (which means, unless you write embedded code, you'll need to use the app server as the default gateway), or just an ordinary proxy if you can lock down users' browser proxy settings. I guess coding this is possibly not an easy option! But it is possible. You could even use IIS and ASP.NET.

iisproxy is a proxy implemented as an IIS ISAPI filter, with source code. I suspect this is in C or C++.

On CodePlex there is a reverse proxy code sample. You could change it and extend it to a full proxy.

You might be able to do the whole thing with sockets and get out of the application layer altogether. This might make life simpler, so I expect there is a reason it can't be done like this! Have the sockets-based proxy redirect the non-compliant users to the time recording app; when they have filled in their time sheet, just pass all the data between the sockets transparently.

I'd be interested in what you or anyone comes up with, because I've always wanted an AUP to appear with a continue box once a day to users in our office. Better still, it could list how much time the user spent yesterday on Facebook etc. if the proxy collected that info. Just enough to alter people's behaviour, I think. In fact there are loads of useful things that can be done with an easy-to-alter or extensible HTTP proxy.

Christopher Edwards
This looks to be a good plan; I will see about coding a sockets-based application. I don't have any experience in that, but I bet it would be a great learning endeavor.
Russ Bradberry
Please see my edit above, as I wasn't able to use this method.
Russ Bradberry
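A sketch of the sockets-based gating proxy described in the answer above, as an added example (not code from the answer or the question), in Python rather than .NET so it can be run as-is. Every request is checked against a per-client-IP compliance lookup: a non-compliant user is sent a 302 to the time-entry page (or refused on an HTTPS CONNECT, which a browser will not redirect), a compliant user's bytes are relayed between the two sockets untouched. The compliance lookup is a constructed dict standing in for the developer's True/False script, and `time.corp.example` and its `/entry` page are assumed intranet names.

```python
"""Gating HTTP forward proxy (added example, not from the question or answers).

Hypothetical assumptions: the time-entry app is reachable at TIMESHEET_HOST,
and the compliance decision is a per-IP lookup (a dict stands in for the
developer's True/False script).
"""
import socket
import threading
from urllib.parse import urlsplit

TIMESHEET_HOST = "time.corp.example"               # hypothetical intranet host
TIMESHEET_URL = f"http://{TIMESHEET_HOST}/entry"   # hypothetical time-entry page

# Constructed sample state: which client IPs have entered time today.
TIME_ENTERED = {"10.0.0.5": True, "10.0.0.9": False}


def time_entered(client_ip):
    """Compliance check; unknown clients fail closed (treated as not entered)."""
    return TIME_ENTERED.get(client_ip, False)


def parse_request_line(line):
    """'GET http://host:port/path HTTP/1.1' -> (method, host, port, target)."""
    method, target, _version = line.split(" ", 2)
    if method.upper() == "CONNECT":                # HTTPS tunnel: 'host:port'
        host, _, port = target.partition(":")
        return method, host, int(port or 443), target
    parts = urlsplit(target)                       # absolute-form proxy request
    return method, parts.hostname, parts.port or 80, target


def decide(client_ip, host, check=time_entered):
    """Return 'forward' or 'redirect'. The timesheet host itself is always
    forwarded; otherwise a non-compliant user could never become compliant."""
    if host == TIMESHEET_HOST or check(client_ip):
        return "forward"
    return "redirect"


def redirect_response(location=TIMESHEET_URL):
    """302 to the time-entry page; no-store stops the browser caching the
    redirect against the original URL after the user becomes compliant."""
    body = b"Please enter your time before browsing.\r\n"
    head = ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Cache-Control: no-store\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode() + body


def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then shut both sockets down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client, addr):
    data = client.recv(65536)
    try:
        method, host, port, _ = parse_request_line(
            data.split(b"\r\n", 1)[0].decode("latin-1"))
    except ValueError:                             # empty or malformed request
        client.close()
        return
    if decide(addr[0], host) == "redirect":
        if method.upper() == "CONNECT":            # browsers ignore 302 on CONNECT
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        else:
            client.sendall(redirect_response())
        client.close()
        return
    try:
        upstream = socket.create_connection((host, port), timeout=10)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return
    if method.upper() == "CONNECT":
        client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    else:
        upstream.sendall(data)                     # replay the buffered request
    threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()
    pipe(client, upstream)


def serve(bind=("0.0.0.0", 8080)):
    """Accept browsers configured to use this host:port as their HTTP proxy."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and point a browser's proxy setting at the host on port 8080 (the "lock down users' browser proxy settings" option from the answer; a transparent variant would sit on the default gateway instead). Because the decision is re-made on every request, the case raised in the question's edit, a browser left open overnight, is handled automatically: the next morning's first request is gated again. Keying on the client IP assumes one user per address, which NAT or a terminal server breaks; in that setting the lookup would have to be keyed on the authenticated user instead, which is what a RADIUS/AD-backed portal gives you.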
A: 

Christopher Edwards is more or less right. A captive portal is basically a firewall that transparently forwards all connections to a local web server asking for user authentication. After successful authentication, the firewall rules are reconfigured for the IP of the authenticated user so he/she can access the Internet or other networks.

You could set up your own captive portal by means of scripts and a web server or a proxy, but what is mandatory is that physically all the network traffic crosses the machine acting as the firewall.

I have experience with an OSS distribution called m0n0wall that is based on a BSD distribution; it can be embedded directly on dedicated hardware or be installed on any PC. This distribution, though OSS, is really professional and offers basically the same or more functionality than any commercial FW appliance (i.e. WatchGuard products or Cisco products). It offers a web administration interface to completely administer the firewall.

The only issue if you decide to go this way is that the m0n0wall captive portal has only two ways of authentication: a local user database list or an external RADIUS server. In your case what you need is to set up an external RADIUS server that integrates with the AD authentication services. Here is an example of how to do it.

Fernando Miguélez