Unauthenticated Access for specific devices

There will come a time when you need to set up the PublicIP system to allow what is called “Unauthenticated Access” for a specific device. The ability to allow a device on the wireless side of the PublicIP system makes sense when you look at what types of wireless devices exist!

Take, for instance, a wireless VOIP phone. It “connects” to a wireless access point but does not have the capability to “authenticate” with the PublicIP Portal since the VOIP phone does not have the concept of web pages or authentication with a web-based username and password. How would you allow such a device to work through the PublicIP system?

A second application would be a laptop or wireless PDA you may be using to monitor the PublicIP system and don’t want to have to authenticate with the system each time you want to use it!

A third application may be a few laptops that are used for instructional purposes. In a Library setting you may have classes and want to use laptops for portability. Not having to authenticate with the wireless system makes the use of the laptop almost completely seamless – it really does look like “magic” to patrons!

Ok – so you have a reason to set up the PublicIP system for unauthenticated access. If you are using the Premium Mode then it is a breeze to set up, as the Premium Control Server has settings that allow you to configure the zone for such operation. Of course this is a “feature” of the Premium System and is not available through the Free PublicIP Closed-Mode Server. How do you go about configuring a couple of devices to work through the zonecd machine without the controls available on the control server?

You have to perform this feat with a script file that will execute the proper commands to configure the firewall in the zonecd machine!

While using a script file to configure the zonecd machine for such use is possible, you have to weigh the time it takes vs. what your time is worth! If you have to make changes all of the time it is much easier to use the PublicIP Premium Service to configure the zone. Not only is it very easy to configure a zone for unauthenticated access for a wireless device, but if you are making changes more than once or twice a month it will save you time and money (how much is YOUR time worth!).

Ok – enough of the soap-box – here is what you need to do!

We use a “hook” in the PublicIP system’s bootup process to execute a script file called init.sh which will contain the commands needed to configure the firewall to allow a device access through the zonecd machine without authentication.

NOTE: When a device is configured for unauthenticated access there will be NO accounting records of what the device does in the system. The reason is that we are manually adding a firewall rule to the zonecd machine that neither the zonecd control processes nor the control server are aware of. Since the firewall rule bypasses the control system, the control system has no way to monitor the use by the unauthenticated-access-enabled device.

Here is what the command looks like to allow unauthenticated access:

/usr/local/nocat/bin/access.fw permit 00:02:2d:aa:bb:cc 10.0.0.105 Member

Now – here is a breakdown of the command to explain what is happening:

The first part is the actual command to execute:

/usr/local/nocat/bin/access.fw

The next part tells the firewall to “Permit” the device specified by the MAC address with the assigned IP to pass through the firewall using the Class type access permissions.

So – the “Permit” part informs the firewall program we are permitting the device with the MAC address of 00:02:2d:aa:bb:cc and the IP address of 10.0.0.105 to pass through the firewall with the permission levels of the classification of Member.

Now – what is this classification thing about?

Well, the PublicIP system has four distinct classifications:

Firewall Definition   PublicIP Definition
-------------------   -------------------
Protected             Protected
Liberated             Liberated
Member                Trusted
Super                 Super

For the most part the defined names are the same but there are some differences… You have to use the correct Class name (the Firewall Definition column) in the command for it to work properly – in other words, if you use Protected but want to allow access to a port that is not defined as accessible in the Protected Class then you will not be able to use that port!

Now – we have a basic understanding of the command – we can put it into an executable script that will run during the bootup sequence of the PublicIP zonecd machine.

Here is the script itself:

#!/bin/sh
#
# init.sh - runs during the zonecd bootup sequence and adds a firewall
# rule that lets one device through without portal authentication.

# Replace the MAC and IP with the device's values, and use one of the
# four Firewall Definition class names (Protected, Liberated, Member, Super).

/usr/local/nocat/bin/access.fw permit 00:02:2d:aa:bb:cc 10.0.0.105 Member

# end

Pretty simple – eh??

Now – if you don’t already have an init.sh script file in the /mnt/floppy/zonecd directory on the PublicIP zonecd machine you will need to create it, put the above script in the file and configure it for executable permissions (see the article on how to set up ssh for the detailed instructions).

If, on the other hand, you already have an init.sh script file you just add the line starting with the command /usr/local/nocat/bin/access.fw along with the remainder of the line in the existing init.sh script file and the command will be executed when the zonecd machine is rebooted.
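As an added example (not part of the original article or the PublicIP project), here is a fuller init.sh that keeps several devices in one list, checks each MAC, IP and class name before calling access.fw, and writes a local log line for every permit, since the note above says the control system keeps no accounting for these devices. The access.fw path and the four class names come from the article; the log file location, the device list values and the validation helpers are assumptions.

```shell
#!/bin/sh
# Candidate /mnt/floppy/zonecd/init.sh (path from the article): permits a fixed
# list of devices at boot without portal authentication, validating each entry
# first and logging every permit locally (the control server keeps no records).
ACCESS_FW=${ACCESS_FW:-/usr/local/nocat/bin/access.fw}   # command from the article
LOGFILE=${LOGFILE:-/var/log/unauth-access.log}           # assumed log location

# One device per line: MAC IP CLASS. Sample values are constructed.
DEVICES='
00:02:2d:aa:bb:cc 10.0.0.105 Member
00:02:2d:aa:bb:dd 10.0.0.106 Protected
'
# The four firewall class names listed in the article (not the PublicIP names).
valid_class() {
  case "$1" in Protected|Liberated|Member|Super) return 0 ;; *) return 1 ;; esac
}

# Colon-separated 48-bit MAC in lowercase hex, the form the article uses.
valid_mac() { printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# Dotted-quad IPv4 with every octet in 0..255.
valid_ip() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Validate one entry, add the firewall rule, and log it. Returns 1 on failure.
permit_device() {
  if ! valid_mac "$1" || ! valid_ip "$2" || ! valid_class "$3"; then
    echo "init.sh: skipping bad entry: $1 $2 $3" >&2
    return 1
  fi
  "$ACCESS_FW" permit "$1" "$2" "$3" || return 1
  echo "$(date '+%Y-%m-%d %H:%M:%S') permit $1 $2 $3" >>"$LOGFILE"
}

# Apply every entry from DEVICES and print how many were permitted.
apply_devices() {
  n=0
  while read -r mac ip class; do
    [ -n "$mac" ] || continue                       # skip blank lines
    if permit_device "$mac" "$ip" "$class"; then n=$((n + 1)); fi
  done <<EOF
$DEVICES
EOF
  echo "$n"
}
if [ -x "$ACCESS_FW" ]; then apply_devices
else echo "init.sh: $ACCESS_FW not found; no devices permitted" >&2; fi
```

A bad entry is reported on stderr and skipped rather than aborting the whole script, so one typo does not silently block the other devices at boot.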

I hope this makes some sense – if you have problems with this please leave a posting in the forums section of the website so I can answer your questions and it will also be available for others to see for answers as well!
