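NoCatAuth, which grew up alongside 802.1x, has not been updated for many years. Its advantage is that no client configuration is needed, and almost any wireless network can use it for authentication: it intercepts traffic at the gateway and dynamically creates rules in a firewall such as iptables to block or pass user requests. A user who can connect to the WAP therefore still cannot reach anything beyond the gateway, which stops people from piggybacking on the connection.
The drawback is just as obvious, though: it still does not give you a so-called secure WAP network...
I spent the last two days studying it and have basically got it set up, using MySQL, with no admin page...
First comes the installation... which pops up...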
No supported firewalls detected! Check your path.
Supported firewalls include: iptables, ipchains, ipf, pf.
Because the version is so old, the detection is hard-coded to install only on Linux kernel 2.4. Editing the detection script fixes it...
    vi bin/detect-fw.sh

    elif which iptables >/dev/null 2>&1 && \
        test X"`uname -sr | cut -d. -f-2`" = X"Linux 2.4"; then
        FIREWALL=iptables
        FW_BIN=iptables
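Change Linux 2.4 to Linux 2.6 and it works; on Linux, iptables is what is generally used anyway.
While I was at it, I also changed it to allow only one user per account: if there is more than one, someone gets kicked.
The main change is in the gateway's lib/NoCat/Gateway.pm
In the permit function, add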
    sub permit {
        my ( $self, $peer, $class ) = @_;
        my $fw = $self->firewall( GatewayAddr => $peer->gateway_ip );
        my $action;

        # Kick any existing session of the same user that comes from a different MAC
        while ( my ($token, $pcheck) = each %{$self->{Peer}} ) {
            $self->log( 5, "debug User:", $pcheck->user, " Mac:", $pcheck->mac );
            if ( $pcheck->user eq $peer->user and $pcheck->mac ne $peer->mac ) {
                $self->log( 5, "User:", $pcheck->user, " Mac:", $pcheck->mac, " has been replaced by new Mac:", $peer->mac );
                $self->deny($pcheck);
            }
        }

        # ... the rest of the original permit() continues unchanged ...
    }
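But that is not enough. The gateway forks child processes, and on a deny the child notifies the parent, which really just means writing one long string to a pipe. The deny and permit messages therefore end up written together and have to be separated before they are processed. The function accept_child needs to be changed to the version below; all it adds is a split to separate the individual messages...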
    sub accept_child {
        my ($self, $listen) = @_;

        my $r = read( $listen, my $msg_o, 500_000 ); # arbitrary limit
        if ($r) {
            # One read may return several messages; each one starts with "InitCmd".
            my @msgs = split(/InitCmd/, $msg_o);
            for my $msg (@msgs) {
                next if ( length($msg) == 0 );

                # The child process has news about a peer.
                # Parse that info and store it.
                my $peer = $self->peer( $self->parse("InitCmd".$msg) );
                my $action = delete( $peer->{Action} ) || "";
                $self->log( 10, "Got notification $action of peer", $peer->id );

                if ( $action eq DENY ) {
                    $self->remove_peer( $peer );
                } else {
                    $self->add_peer( $peer );
                }

                if ( $action eq PERMIT ) {
                    # Increment this only once per connection.
                    $self->{TotalConnections}++;
                    # Note the connection time.
                    $self->{LastConnectionTime} = scalar localtime;
                }
            }
        } elsif (not defined $r) {
            $self->log( 2, "Can't read from child pipe: $!" );
        }

        # if $r returned false, but not undef, then the child quit
        # normally, but with nothing to say?
        $self->pool->remove( $listen );
        my $result = $listen->close;
        $self->log( 10, "Child process returned $result" ) if $r;
    }
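With these changes in place, restart and you get single-account, single-NIC login. As soon as someone steals your account, you are the one who gets kicked... Annoying, right? Haha.
These two days were probably all wasted effort. If you want security... then just use the highest grade, WPA AES...
Tomorrow I will go on to look at WPA PEAP mode login. It can be done with FreeRadius, so it should not be too hard...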
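The pipe behaviour described above, as an added example that is not part of the original post or of NoCatAuth's own code: a child writes a deny and a permit back to back, and the parent's single read() returns both. The "Key Value" line format, the field values, the MAC addresses and the helpers parse_msg and split_msgs are constructed for the demo; the split is anchored at the start of a line, a slightly stricter variant of the split(/InitCmd/) used above.

```perl
# Added example: two pipe messages arriving in one read(), and splitting them.
use strict;
use warnings;

# Parse one message of "Key Value" lines into a hash (a simplified,
# hypothetical stand-in for the gateway's own parser).
sub parse_msg {
    my ($text) = @_;
    my %f;
    for my $line ( split /\n/, $text ) {
        my ( $k, $v ) = split ' ', $line, 2;
        $f{$k} = $v if defined $k and defined $v;
    }
    return \%f;
}

# Split a buffer into messages, each starting with an "InitCmd" line. Anchoring
# at line start keeps a value that merely contains "InitCmd" from being cut.
sub split_msgs {
    my ($buf) = @_;
    return grep { length } split /^(?=InitCmd\b)/m, $buf;
}

pipe( my $rd, my $wr ) or die "pipe: $!";
my $pid = fork();
die "fork: $!" unless defined $pid;
if ( $pid == 0 ) {    # child: report a deny, then a permit, back to back
    close $rd;
    print {$wr} "InitCmd placeholder\nAction Deny\nUser alice\nMac 00:11:22:33:44:55\n";
    print {$wr} "InitCmd placeholder\nAction Permit\nUser alice\nMac 66:77:88:99:aa:bb\n";
    close $wr;
    exit 0;
}
close $wr;
waitpid( $pid, 0 );    # both messages are now sitting in the pipe
read( $rd, my $buf, 500_000 );
close $rd;

# Parsed as one message, the second Action overwrites the first: the Deny is lost.
my $whole = parse_msg($buf);
print "unsplit: $whole->{Action} $whole->{Mac}\n";

# Split first, and both notifications are handled in order.
for my $m ( split_msgs($buf) ) {
    my $p = parse_msg($m);
    print "split:   $p->{Action} $p->{Mac}\n";
}
```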