MAC ADDRESS AUTHENTICATION

It may be desirable on some networks to deny masquerading services to unknown clients until they accept an AUP and/or are authenticated.

To set up MAC address authentication, start by setting up a webserver, possibly on a non-standard port, such as 81. This will ensure that any normal web services are not affected. New clients will be directed to the default page of this webserver. It's possible to use PHP to deliver an Acceptable Use Policy, require acceptance and optionally require a password, then use sudo to update MAC_AUTH_FILE and restart netmasq. This is a much better solution than using DHCP to give unknown clients incomplete network settings.

Be sure to include the MAC addresses of important hosts in the /etc/netmasq/trustedmac.conf file. For example, if your DNS servers are behind the firewall, they will need to be included. This guarantees access to these hosts even if they are not included in the MAC_AUTH_FILE.

Next, create the parent directory and set permissions for the MAC_AUTH_FILE for each interface which will use MAC authentication. Since only root has access to /etc/netmasq, this file will need to be located where the appropriate users or processes can write to it.

Edit the configuration file for each interface requiring MAC authentication and enter the AUTH_IP_PORT address. Note that this cannot be a URL; it must be a numeric IP address followed by a colon and a TCP port number. Include the MAC_AUTH_FILE, MAC_AUTH_FILE_OWNER and MAC_AUTH_FILE_GROUP settings.

If this host provides DNS to the subnet, uncomment the "mac tcp" lines. Otherwise new clients will not be able to open the web page which lets them authenticate.

Run netmasq to enable the changes. To add a new client, just append the new MAC address to the MAC_AUTH_FILE and rerun netmasq.
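
The append step above, as an added example that is not part of netmasq or of this manual: a helper that validates and normalizes a client-supplied MAC address before it reaches MAC_AUTH_FILE, and skips duplicates. The names normalize_mac, add_mac and add-mac.sh are hypothetical, and the one-address-per-line file format is an assumption.

```shell
#!/bin/sh
# Added example (not part of netmasq). Helper names are hypothetical.
# Assumption: MAC_AUTH_FILE holds one MAC address per line.
LC_ALL=C; export LC_ALL   # keep the [0-9a-f] ranges strictly ASCII

# normalize_mac MAC: print the lowercase colon-separated form, or return 1.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    # The pattern must match the whole string, so extra text, shell
    # metacharacters or newlines inside the value are rejected.
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac" ;;
        *)
            return 1 ;;
    esac
}

# add_mac FILE MAC: returns 0 if appended, 2 if already listed, 1 if invalid.
add_mac() {
    file=$1
    mac=$(normalize_mac "$2") || return 1
    # -x whole line, -F fixed string: an exact duplicate check, no regex.
    if [ -f "$file" ] && grep -qxF "$mac" "$file"; then
        return 2
    fi
    printf '%s\n' "$mac" >> "$file"
}

# Usage: add-mac.sh MAC_AUTH_FILE MAC   (then rerun netmasq on success)
if [ "$#" -eq 2 ]; then
    add_mac "$1" "$2"
fi
```

Have the web handler call only this helper through sudo and pass the MAC as a single argument, so nothing client-supplied is written to the file unvalidated.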