I am trying to find a way to perform this process on the system(OpenWRT):
When the user connects to the network the system should notify the user(MAC & IP) connection to my backend(maybe a python application running somewhere)
The backend will perform a command on the system to put the user in a specific profile(I don't know if it is possible to assign profiles to the users)
There will be just two profiles:
- To allow the limited internet browsing to specific sites(Not sure if we can configure a sites whitelist)
- To allow the full internet browsing
I just want to know if this is possible in some manner, I am new with OpenWRT and willing to use it as my main network router.
Appreciated is any help.
2 general approaches, also used for kid-protection: Use a transparent (intercepting) proxy, i.g. squid-proxy, or do "selective" DNS. The DNS-based approach is easier to implement, but also easier to be bypassed. Usage of VPN on the client will bypass both approaches.
Note, that "whitelisting" of sites should take into consideration the linked sites. Not so trivial to evaluate.
Are you trying to achieve something like 802.1x MAC authentication? If the script will reside on the router, you can just use a macfilter into the wireless configuration.
Filtering/authenticating by the MAC adress only does not bring any security to the network, and can be easyly bypassed. You may consider some additional authentication if not already in place.
I was thinking if there is something more "native" inside OpenWRT, instead of using external tools such like squid or even a DNS based approach.
What would be ideal is to put the client in a profile such like the Mikrotik users profiles, then restrict the navigation based on each profile.
The VPN shouldn't be a issue because there could be a whitelist to block the VPN servers.
I am not trying a MAC authentication, I just want to identify the user if they disconnect/connect again, then move them to the right profile, the limited or the full one.
OK; I just realized/remembered that it's is possible as a network client to know other client's MAC/IP, so I know it is unsecure, but I could implement a login.. (Need to re-think about the process)
Alright, let's forget the MAC/IP identity, I'm still in need of the user profiles, like the RouterOS(Mikrotik) ones.
You may check this article: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x
How are you planning to identify the user? A captive portal? WPA enterprise?
What functionalities (not offered by a "guest wifi" ) do you need?
I'm planning to create some kind of captive portal, but need to rethink the business, is it even possible to login to the wifi using dynamic passwords? I'm asking this thinking on the end user experience.
So, same wifi network..
In that way, the users won't need to identify their selves each time when connecting to the net
So, the RADIUS server could handle the user authentication?, I am not understanding very well the purpose of this server, could you please give me some clues. Thank you
You should read and (hopefully) understand the article, nvladimirov linked. Everything there. Otherwise, first start with some docs about RADIUS.
Yes, exactly. The Mikrotik thing looks like a Radius to me.
If you have an Active Directory, LDAP or something similar already in place, the Radius server can use it directly.
Yes, if there's some backend to create and provide the passwords to the router/raduis server.
Awesome! Didn't know about the existance of this RADIUS Server, I will definitely study it deeply, thank you