Introduction

Sweetspot is an Open Source implementation of Network Access Controller software for use with the Captive Portal authentication and accounting technique in wired or wireless LANs (AKA hotspots).

This software is largely based on code from the well-known ChilliSpot project, though Sweetspot is more focused on:

  • IP-layer rather than MAC-layer operation, which appears to be the architecture of choice in large-scale networks
  • Simplicity in design and transparency in implementation.

Like ChilliSpot, Sweetspot is a user-land daemon whose primary activity is carrying IP packets from one network interface over to another. In a typical configuration, Sweetspot sits between two IP networks: one populated with broadband users (the inner network) and the Internet (the outer network). Effectively, all traffic between a broadband user and the Internet goes through Sweetspot, which makes it an ideal place for performing access control and accounting.

More specifically, Sweetspot is aware of a pool of IP addresses assigned to broadband users. Each IP address in this pool is logically in either the "captured" or the "released" state. While an IP address is "captured", certain traffic from the inner network outwards is re-directed (DNAT'ed) to another target, where user authentication may be performed, and all other packets are blocked. Once the user authenticates their IP address, Sweetspot brings it into the "released" state, in which most traffic simply passes through.

User authentication is performed in a protocol-specific manner. Most commonly, HTTP connections are re-directed to an authentication web server. Another application to consider would be VoIP traffic re-directed to an IVR-based authentication system.

Once a broadband user's IP address is "released", Sweetspot counts the octets passing from and to that IP address and keeps track of session duration and idle time. If any of these figures hits the user-specific limit set at Sweetspot upon user authentication, the IP address returns to the "captured" state. A Sweetspot session can also be terminated by its owner in a protocol-specific way consistent with the authentication procedure.

On session authentication and termination, Sweetspot generates accounting start and stop events. In a typical configuration, a conventional RADIUS detail file is written.

Design

The Sweetspot daemon can be viewed as a pipeline between two network interfaces with a valve in between. This valve takes the shape of a packet filter that can pass, drop or redirect the packets passing through. Authenticated IP addresses can be assigned individual packet filters, or no packet filter at all. In contrast, all "captured" sessions share a single packet filter, which enforces captivity (and thus user authentication) for certain targets/protocols while it may also open up loopholes to freely available services.

A consequence of this design decision is that most Sweetspot configuration and features are exposed through its packet filters, especially the one assigned to unauthenticated IP addresses.

Back to the notion of the Sweetspot daemon as a "valve": the way to control it is by sending it messages with a command-line tool (called sweetuam) from anywhere on the network. These messages carry commands that turn a particular IP address into the "captured" or "released" state and may also include finer options such as traffic limits or the name of the packet filter to apply to the session.
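As an added example (not code from the Sweetspot project, which is written in C), here is a Python model of the mechanism described in the Introduction and in this Design section: a pool of user networks, per-address "captured"/"released" state, one shared "anonymous" filter that DNATs web traffic to the authentication server and drops everything else except a deliberate loophole, release/capture operations standing in for the sweetuam commands with their optional limits, and accounting start/stop records written on each transition. The authentication server address and the contents of the anonymous filter are assumptions made for the example.

```python
"""Model of Sweetspot-style captured/released session handling.

Added example, not the project's own code. AUTH_SERVER and the contents of
anonymous_filter are assumptions; real Sweetspot filters are configured in
/usr/local/etc/sweetspot/filters/.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

AUTH_SERVER = "192.0.2.10"  # assumed: web server that captured HTTP is DNAT'ed to


@dataclass
class Session:
    ip: str
    state: str = "captured"
    start: float = 0.0                       # time of release (session start)
    last_seen: float = 0.0                   # last packet in either direction
    octets: int = 0                          # bytes counted in both directions
    octet_limit: Optional[int] = None
    session_timeout: Optional[float] = None  # seconds since release
    idle_timeout: Optional[float] = None     # seconds since last packet


class Controller:
    # Filter shared by all captured addresses (the "anonymous" filter role):
    # (proto, dport) -> verdict; anything not listed is dropped. Assumed contents.
    anonymous_filter = {
        ("tcp", 80): "dnat",   # force web authentication
        ("tcp", 443): "dnat",
        ("udp", 53): "pass",   # a deliberate loophole: DNS works before login
    }

    def __init__(self, user_networks):
        self.pool = [ipaddress.ip_network(n) for n in user_networks]
        self.sessions = {}      # ip -> Session
        self.accounting = []    # RADIUS-style start/stop records

    def in_pool(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.pool)

    def session(self, ip):
        return self.sessions.setdefault(ip, Session(ip))

    def release(self, ip, now, **limits):
        """What 'sweetuam UP' asks for: authenticate ip, with optional limits."""
        if not self.in_pool(ip):
            raise ValueError(f"{ip} is not in user-networks")
        s = self.session(ip)
        if s.state == "released":
            return False
        s.state, s.start, s.last_seen, s.octets = "released", now, now, 0
        for name, value in limits.items():
            setattr(s, name, value)
        self.accounting.append({"type": "Acct-Start", "ip": ip, "time": now})
        return True

    def capture(self, ip, now, cause="User-Request"):
        """Back to the captured state: on 'sweetuam DOWN' or when a limit is hit."""
        s = self.session(ip)
        if s.state == "captured":
            return False
        self.accounting.append({"type": "Acct-Stop", "ip": ip, "time": now,
                                "octets": s.octets, "duration": now - s.start,
                                "cause": cause})
        self.sessions[ip] = Session(ip)   # limits do not survive the session
        return True

    def handle_packet(self, src, dst, proto, dport, length, now):
        """Verdict for one packet: 'pass', 'drop' or 'dnat:<target>'."""
        if self.in_pool(src):
            user, outbound = src, True
        elif self.in_pool(dst):
            user, outbound = dst, False
        else:
            return "drop"                 # neither end is a broadband client
        s = self.session(user)
        if s.state == "released":         # per-user filter: here "no filter"
            s.octets += length
            s.last_seen = now
            return "pass"
        if outbound:
            verdict = self.anonymous_filter.get((proto, dport), "drop")
            return f"dnat:{AUTH_SERVER}" if verdict == "dnat" else verdict
        # Inbound to a captured address: only the auth server's replies
        # (the reverse of the DNAT) get through.
        return "pass" if src == AUTH_SERVER else "drop"

    def expire(self, now):
        """Periodic limit check; returns [(ip, cause)] for sessions that ended."""
        ended = []
        for ip, s in list(self.sessions.items()):
            if s.state != "released":
                continue
            if s.octet_limit is not None and s.octets >= s.octet_limit:
                cause = "Octet-Limit"
            elif s.session_timeout is not None and now - s.start >= s.session_timeout:
                cause = "Session-Timeout"
            elif s.idle_timeout is not None and now - s.last_seen >= s.idle_timeout:
                cause = "Idle-Timeout"
            else:
                continue
            self.capture(ip, now, cause)
            ended.append((ip, cause))
        return ended
```

Two points the model makes visible: addresses outside user-networks are dropped in both directions before any filter is consulted, and the limits handed over at release time are discarded together with the session, so a re-authentication starts from a clean "captured" session with no leftover quota.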

Installation

For a typical setup you need a stand-alone machine sitting at the border of your broadband network, so that packets from the broadband network destined to any Internet host pass through Sweetspot.

Sweetspot installation is as simple as doing ./configure && make && make install. Then:

  1. In /usr/local/etc/sweetspot/sweetspot.conf, set inner-interface and outer-interface to your broadband and Internet network interfaces respectively.
  2. In the same file, set user-networks to the range(s) of IP addresses assigned to your broadband clients. Sweetspot switches packets for these IPs and drops all others.
  3. If you intend to do source NAT for your broadband users, set snat-public-networks to the IP address(es) that will act as public SNAT endpoints.
  4. In /usr/local/etc/sweetspot/filters/anonymous, configure dnat targets so that Sweetspot re-directs certain types of traffic (most likely http/https) to your authentication server.
Also, make sure that:
  1. The inner-interface has a host netmask (255.255.255.255) configured, so that locally generated packets are never routed directly onto the broadband network, i.e., they always pass through Sweetspot.
  2. In-kernel IP packet forwarding is disabled with echo 0 > /proc/sys/net/ipv4/ip_forward, as forwarding is going to be done by Sweetspot from now on. With kernel forwarding left on, packets would be forwarded between the two interfaces behind Sweetspot's back and bypass its filters. Don't forget to fix this in your rc scripts so that IP forwarding remains disabled after a reboot.
  3. The border router on the Sweetspot outer-interface has a static route for the broadband networks behind the Sweetspot inner-interface. This is necessary with Linux, which does not do proxy ARP when IP forwarding is disabled. An alternative is to set up static ARP entries for the broadband networks on the Sweetspot outer-interface.
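The two host-side prerequisites above (a /32 on the inner interface and kernel forwarding off) are easy to get wrong and both silently defeat the captive portal, so here is an added pre-flight check for them. It is not part of the Sweetspot distribution; the parsers work on text so they can be exercised against captured output, and run_live() reads the real host through /proc and `ip -4 -o addr show`. The interface names eth0/eth1 used as defaults and the sample outputs are constructed for the example.

```python
"""Pre-flight checks for the Sweetspot host prerequisites.

Added example, not part of the Sweetspot distribution. Sample outputs are
constructed; the interface names are assumptions.
"""
import re
import subprocess

# Matches one line of `ip -4 -o addr show`: "3: eth1    inet 10.0.0.1/32 ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")


def parse_ip_addr(text):
    """Return {iface: [(address, prefixlen), ...]} from `ip -4 -o addr show` output."""
    result = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            result.setdefault(m.group(1), []).append((m.group(2), int(m.group(3))))
    return result


def check_prerequisites(ip_forward_text, ip_addr_text, inner_iface, outer_iface):
    """Return a list of problems; an empty list means the host is ready."""
    problems = []
    if ip_forward_text.strip() != "0":
        problems.append("net.ipv4.ip_forward is not 0: the kernel would forward "
                        "around Sweetspot (echo 0 > /proc/sys/net/ipv4/ip_forward)")
    addrs = parse_ip_addr(ip_addr_text)
    for iface in (inner_iface, outer_iface):
        if iface not in addrs:
            problems.append(f"{iface}: no IPv4 address configured")
    for address, plen in addrs.get(inner_iface, []):
        if plen != 32:
            problems.append(f"{inner_iface}: {address}/{plen} must use a host "
                            f"netmask (/32) so locally generated packets are not "
                            f"routed straight onto the broadband network")
    return problems


# Constructed samples (not real hosts): one correct setup, one with both mistakes.
SAMPLE_OK_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 198.51.100.2/24 brd 198.51.100.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "3: eth1    inet 10.0.0.1/32 scope global eth1\\       valid_lft forever preferred_lft forever\n"
)
SAMPLE_BAD_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 198.51.100.2/24 brd 198.51.100.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
)


def run_live(inner_iface, outer_iface):
    """Check the running host; returns the problem list."""
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        ip_forward = f.read()
    ip_addr = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                             capture_output=True, text=True, check=True).stdout
    return check_prerequisites(ip_forward, ip_addr, inner_iface, outer_iface)


if __name__ == "__main__":
    import sys
    inner = sys.argv[1] if len(sys.argv) > 1 else "eth1"   # assumed default names
    outer = sys.argv[2] if len(sys.argv) > 2 else "eth0"
    for problem in run_live(inner, outer):
        print("PROBLEM:", problem)
```

Run it as `python3 preflight.py <inner-interface> <outer-interface>` on the Sweetspot host before starting the daemon; the static route on the border router cannot be verified from this machine and still has to be checked by hand.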

Once everything is ready, run /usr/local/sbin/sweetspot and watch the /var/log/sweetspot.log file for possible errors. Then verify captivity by trying to use the Internet from a broadband client: while its address is "captured" there should be no connectivity. Next, run the /usr/local/sbin/sweetuam UP tool at the command line to bring that client's IP address into the "released" state at the Sweetspot daemon and check that connectivity appears.

If it works as expected, your next step is to build the /usr/local/sbin/sweetuam invocation into your authentication software. There is a Perl module in the distribution for Sweetspot session management.

In case you are capturing web traffic to force user authentication:

  1. Set up your Apache HTTP server using the doc/apache-partial.conf config snippet shipped with the Sweetspot distribution.
  2. Copy the doc/sweetspot.cgi and doc/sweetauth.cgi scripts into your Apache cgi-bin directory and fix the $host variable in these scripts to point to your authentication server's FQDN. If your Sweetspot does SNAT, these default web authentication scripts must be modified to invoke /usr/local/sbin/sweetuam for private<->public IP address resolution, as the web server only sees the public SNAT address of the client.

Now try browsing the Internet from your broadband network. If everything is working, you will be captured and brought to the web authentication page. Once authenticated there (or, with the default scripts, just skipping authentication), you will obtain Internet connectivity.

Precautions and Misfeatures

This is beta-quality software. Besides possible bugs and glitches, UAM protocol ciphering is not yet implemented: messages between sweetuam and the sweetspot daemon travel in the clear, so that channel must, at a minimum, be restricted to trusted hosts by system IP filters.

Be advised that both layer-2 and layer-3 address-based authentication are inherently insecure. A malicious user may sniff and take over somebody else's MAC and/or IP address and thus commit abuse under that identity. IP address based authentication appears even more vulnerable, as it may be a bit easier for a user to fake an IP address than a MAC address.

In order to minimize the risk, set up your switches or Wi-Fi access points so that they remember MAC<->IP pairs, which at least rules out an IP-only fake.

In the broadband network, disallow direct IP-to-IP communication between clients as well as broadcast propagation. In case of an IP address take-over this measure limits the impact of the resulting IP address conflict.
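Where the switches or access points cannot enforce MAC<->IP pairs themselves, the same check can be done on the Sweetspot host from its neighbour table. The following is an added example, not Sweetspot code: it records the MAC seen when an address is released and flags any later `ip -4 neigh show` entry in which that IP answers from a different MAC, which is the signature of an IP-only take-over. The neighbour table and MAC addresses are constructed for the example. As the text notes, an attacker who clones both the MAC and the IP is indistinguishable from the legitimate client, so this catches only the easier IP-only fake.

```python
"""MAC<->IP binding check for released addresses.

Added example, not part of Sweetspot (which authenticates by IP address only).
Neighbour lines are in `ip -4 neigh show` format; SAMPLE_NEIGH is constructed.
"""
import re

# "10.0.0.5 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE" (FAILED entries have no lladdr)
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})")


def parse_neigh(text):
    """Return [(ip, mac)] for neighbour entries that carry a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).lower()))
    return entries


class BindingMonitor:
    def __init__(self):
        self.bindings = {}   # ip -> mac recorded at release time

    def bind(self, ip, mac):
        """Call when the address is released (authenticated)."""
        self.bindings[ip] = mac.lower()

    def unbind(self, ip):
        """Call when the address returns to the captured state."""
        self.bindings.pop(ip, None)

    def check(self, neigh_text):
        """Return [(ip, expected_mac, seen_mac)] for every released IP whose
        current neighbour entry disagrees with the MAC bound at release."""
        conflicts = []
        for ip, mac in parse_neigh(neigh_text):
            expected = self.bindings.get(ip)
            if expected is not None and expected != mac:
                conflicts.append((ip, expected, mac))
        return conflicts


# Constructed neighbour table: 10.0.0.5 was released from 00:11:22:33:44:55
# but is now answering from a different MAC; 10.0.0.6 is unchanged.
SAMPLE_NEIGH = (
    "10.0.0.5 dev eth1 lladdr de:ad:be:ef:00:01 REACHABLE\n"
    "10.0.0.6 dev eth1 lladdr 00:11:22:33:44:66 STALE\n"
    "10.0.0.7 dev eth1 FAILED\n"
    "198.51.100.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE\n"
)


def demo():
    """Bind two released addresses and scan the constructed table."""
    monitor = BindingMonitor()
    monitor.bind("10.0.0.5", "00:11:22:33:44:55")
    monitor.bind("10.0.0.6", "00:11:22:33:44:66")
    return monitor.check(SAMPLE_NEIGH)


if __name__ == "__main__":
    for ip, expected, seen in demo():
        print(f"{ip}: released from {expected}, now seen from {seen}")
```

In practice the scan runs periodically against the live neighbour table, and a conflict should be answered by bringing the address back into the "captured" state with sweetuam so that both the impostor and the victim have to re-authenticate; the accounting stop record then also marks where the session ended.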

Though WPA/WPA2 appears to be the real solution to these security issues, neither is widely implemented on an average system at the time of writing.

Sweetspot has been developed on a Linux system and has not been tested anywhere else so far. However, it is written in plain C for a POSIX system, so chances are it would run on other systems as well.

Download, license and support

This software can be freely downloaded in source form from the SourceForge download servers.

Sweetspot inherits the ChilliSpot license, which is the GPL.

Please, report problems, fixes and feature requests to sweetspot-users@lists.sourceforge.net.


Written by Ilya Etingof, 2007. Your sweets are welcome!