2015-08-20 - Re: [GRASE-Hotspot] Re: Connection through proxy

Header Data

From: HIDDEN TREASURES <in***e@gmail.com>
Message Hash: 8737dfbd2b12befef9057104d091377931ea197afe80c3a8309204165f7dff25
Message ID: <CAHOoWJdz_FjDAcz1FRQRe0XaFL=yTdmbUomwsnSOq+xawDxq5Q@mail.gmail.com>
Reply To: <b7e00cc6-ff9f-49ca-ba5c-c0d34e745f6c@grasehotspot.org>
UTC Datetime: 2015-08-20 03:24:29 UTC
Raw Date: Thu, 20 Aug 2015 11:24:29 +0100

Raw message

Hello Brett and all Grase Hotspot contributors,

Here is my belief and thought: for Brett's scenario, authenticate your Grase
server on your ISA box (you can achieve this by installing a desktop
environment on your Grase box if doing it from the CLI seems hard) and ensure
you have access to the wider internet network from the Grase box, then connect
to the Grase box with a student iPad and see if you have joy.

Want to believe it should give you joy.

Regards.

On Mon, Aug 17, 2015 at 6:50 AM, Luis Alberto Guzman Garcia <
l.***g@gmail.com> wrote:

> I'm not any kind of developer, I'm more like a *hobbyist*, so please be patient.
>
>
> But as a result of several tests I summarize the way I understand how it
> works (please correct me if I'm wrong).
>
> The proxy is responsible for managing the connections from the machine to
> the Internet (the outgoing network most of the time), it can filter, store,
> manage, do many wonderful things.
>
> For enabling a transparent proxy we need another set of configurations,
> these are the iptables rules, these will route *automagically* all the
> traffic from users without needing to configure something, they may even
> not notice it 'coz it's done from another network layer(?).
>
> Then we have the encrypted traffic, the SSL or 443 traffic, this is
> another different story, since the SSL support for a proxy (AFAIK)
> breaks the purpose of the encrypted traffic, since it has to be
> decrypted, to be checked/filtered/stored/modified according to the
> proxy rules, then re-encrypted to be sent to the final user, this requires
> the certs and other configurations from the device connecting.
> It's very much like a man in the middle attack, so then we need to be
> careful about it and the laws in our state, region, country if applicable.
>
> Then as I read, you have installed Grase Hotspot on a *buntu 12.04 box,
> which is the release that I use for all my research.
>
> If I understand correctly, the configurations that you download allow to
> configure the SSL traffic part on let's call it *main network*, then you
> use GRASE for the captive portal reason so people on a wireless device can
> easily get the required set of configurations to get to the *main network*,
> but since your Internet access has been already filtered/*proxied* you
> can't download the configuration files.
>
> I think that if you match your *buntu box proxy configuration with your
> higher proxy device, using a *transparent proxy and a non-ssl site* then
> it is possible for your students/clients to access the configuration
> file(s), download them and then surf with the new configuration files to
> the *main network* and get Internet access.
>
> But if you try to use an SSL site then you need to configure 2 layers of
> proxies, the GRASE one and then the one that feeds Internet/gateway to your
> GRASE hotspot, which will result in a PITA.
>
> I've been using GRASE for not longer than a week, I haven't had the time
> to test it out completely, but I see that it has these packages
>
> grase-conf-squid3-3.3
> grase-conf-squid3-3.1
>
> So it is my sincere opinion that it must be easier than expected to set a
> transparent proxy that matches the *main network* proxy configuration in
> order to be able to get the files needed to configure your new users' fixed
> internet network.
>
> If I'm wrong or if I lose the point of the question please let me know :)
>
> Cheers!
>
> PS. English is not my mother language so please excuse if it reads a
> little bit weird :)
> --
> Luis
>
>
> On Tuesday, August 4, 2015, 22:05:30 (UTC-5), Brett wrote:
>>
>> Hi
>>
>> Have just set up 3.8 on Ubuntu 12.x (decided to try it this way first
>> rather than install 14+). Works great however as a school we have an issue
>> we need to solve. We are using it to allow students to connect to a Meraki
>> based MDM and configure their own wireless. So certainly students can
>> connect to the Grase Hotspot server and login but cannot access the wider
>> internet as we are behind a proxy.
>>
>> Our school's proxy setup for general student use is an ISA box which
>> requires authentication. We also have access to an external proxy provided
>> by the ISP (netspace) which requires special authorization (i.e. credentials
>> which are manually entered and not for public release)
>>
>> I can get a student iPad without a problem to locate the landing page and
>> login, however to proceed further students would have to go into the
>> settings for the wireless network point, add an IP for the proxy and a port
>> and then add in their network credentials to connect to the Meraki MDM and
>> install certs and profiles. They would then need to disable this proxy
>> setup and return to the http:/logout page to logout. You can see this would
>> be a problematic procedure for students as a self service connection system.
>>
>> So my question: is there any way to connect the hotspot internet via our
>> proxy so that it is transparent to students but credentials are stored on
>> the server running Grase (and not exposed to students)?
>>
>> I'd hoped that Grase might pick up system wide proxies set as an
>> environment variable but it seems not so. Really keen for some help as we
>> have come this far and the kiosk appears otherwise to do precisely what we
>> need (thank you!!)
>>
>> TIA Brett
>>



-- 
Ifeoluwa Opeyemi O.
*www.ifeoluwaopeyemi.com <http://www.ifeoluwaopeyemi.com>*

Hidden Treasure Computers Limited
*RC894550*
www.htreasure.com
in***e@gmail.com
*+234 803 9254 192*
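
The arrangement asked about in this thread (clients intercepted transparently, upstream proxy credentials held only on the hotspot server), sketched for a plain Squid 3.1+ and iptables setup. This is an added example, not part of the original messages and not GRASE's packaged configuration; the hostname, ports, interface name, file path and credentials are placeholders, and it assumes the upstream proxy accepts Basic proxy authentication.

```conf
# squid.conf fragment (constructed example; every value is a placeholder)

# Port that redirected client traffic arrives on. "intercept" tells Squid
# the requests were NAT-redirected, so clients need no proxy settings.
http_port 3128 intercept

# Authenticated upstream (parent) proxy. login=user:password makes Squid
# attach these credentials as a Basic Proxy-Authorization header to every
# request it forwards; clients never see or enter them.
# An upstream that only accepts NTLM/Kerberos will reject this.
cache_peer upstream-proxy.example.internal parent 8080 0 no-query default login=PLACEHOLDER_USER:PLACEHOLDER_PASSWORD

# Never fetch from origin servers directly; always go through the parent.
never_direct allow all

# --- outside squid.conf, run as root on the hotspot server ---
#
# Redirect plain HTTP from the client-facing interface (placeholder eth1)
# to the intercept port:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
#            -j REDIRECT --to-ports 3128
#
# The password sits in this file in cleartext, so keep it readable only
# by root and the Squid service account (user "proxy" on Ubuntu):
#   chown root:proxy /etc/squid3/squid.conf
#   chmod 640 /etc/squid3/squid.conf
#
# Scope: this covers port 80 only. Port 443 is not intercepted here; as
# the quoted message notes, filtering SSL means decrypting it, which
# requires certificates installed on each client device.
```

Because the credentials are replayed for every hotspot user, the upstream proxy's logs attribute all of that traffic to the one stored account; per-user accountability then depends on the hotspot's own login records.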
