[Chilli] [Patch] Disable user-caused logout when UAM is not used

David Bird david at coova.com
Wed May 19 04:38:51 UTC 2010


Thanks Pieter,

Though, I don't really expect it to be an issue since generally your
802.1x users will not even know of the portal (unless you want them to).
Also, when using 802.1x, it doesn't necessarily mean you *can not* use
the captive portal... For instance, you might grant 802.1x network
access based on something other than a user login (maybe a Desktop
login, or even just anonymously) and then present the captive portal
for further login.

David


On Tue, 2010-05-18 at 17:14 +0200, IT-Systemmanagement Pieter Hollants
wrote:
> Currently, users have the possibility to logout by accessing
> http://<chilliIP>:<chilliPort>/logout or by accessing http://logout.
> This makes sense with UAM, where the webbrowser was the "authentication
> device" used to gain access to the Internet.
> 
> With EAPOL, WPA and MAC authentication, however, the "login" occurs
> using the client operating system's methods and dialogs, so this is
> where the user also expects to perform a "logoff", e.g. by disassociating
> from the WPA-EAP protected WLAN. (Yes, I know CoovaChilli itself can't
> notice a disassociation unless the access point sends accounting
> information).
> 
> So to be consistent, the user-caused logout methods described above
> should not work outside of UAM, since that will only cause confusion:
> the user will be redirected to the uamhomepage Website and while he
> _can_ logon again there, this mixes up different auth. types and defeats
> the purpose of WPA-EAP.
> 
> The attached patch therefore disables "logout" for all downlink
> protocols except UAM. It doesn't yet prevent authentication scripts from
> presenting a logout button, that's up to a separate patch.
> 
> Please review.