Alcasar
| Developer(s) | alcasar team |
|---|---|
| Engine | |
| Operating system | Linux |
| Type | NAC - captive portal |
| Licence | GNU (L)GPLv3+ |
| Website | http://www.alcasar.net |
ALCASAR is a free and open-source captive portal that uses Network Access Control (NAC).
This portal is a bridge between a consultation network and the Internet. It authenticates users, attributes their connections and protects their access, regardless of the equipment they connect with.
Moreover, this portal incorporates a filtering solution in order to protect minors at school or people in public places.
In France, ALCASAR allows the people in charge of a consultation network to comply with the law.
Objectives
ALCASAR was created to meet three objectives:[1]
- Authenticate and control connections
  - In order to control access to the Internet, the head of the organization or the ALCASAR administrator needs to create an account (login and password) for each user who wants to use the Internet. Without a correct login and password, connection to the Internet is not possible and the user is intercepted by the portal. In effect, ALCASAR acts as an access lock for all Internet services.
- Trace and attribute connections while protecting privacy
  - ALCASAR allows the head of the organization to meet the requirements of the access and usage policy for the consultation network's connection to the Internet. For example, in France, the owner of the Internet connection is responsible before the law. This is why ALCASAR traces connections while protecting each user's privacy.
  - Compliance with these guidelines: Data Retention Directive, French law for the confidence in the digital economy[2], ANSSI advice (ANSSI-CSPN-2009/04).
- Secure the consultation network
  - ALCASAR uses a firewall and antivirus software in order to protect users. Moreover, a filtering solution can be enabled by the administrator in order to forbid access to a list of websites (based on the Blacklists UT1[3]).
Solution
ALCASAR consists of a simple computer integrating all the functionality of a captive portal. This computer is set up between the Internet and a consultation network (user computers, mobile phones, network-attached storage, etc.).
The portal is fully independent of the Internet service provider's (ISP) equipment and of the characteristics of the consultation network (Wi-Fi, Ethernet, PLC).
The devices on the consultation network can be of any type (laptop, GSM, tablet, etc.). No modification of the device is required. When a user on the consultation network requests a website, he is intercepted by ALCASAR and must use his login and password to gain access to the Internet.
Installing ALCASAR is easy: a simple script installs all the packages needed.
Components
A basic computer with two network interfaces
- Secure operating system: Mageia (a Linux operating system)
- A firewall and a filtering router
- Interception gateway with DHCP server
- Authentication, Authorization, and Accounting (AAA protocol) server: RADIUS
- A database server: MariaDB
- Connector to external directory servers: LDAP
- A stream accelerator (web and FTP)
- A time server
- Deployment, update and management scripts
- A secure web control panel:
  - management of users and user groups
  - management of the filtering (domain name, URL, Internet protocol)
  - backup of log files
  - connection statistics report
  - firewall report (in real time)
  - activity report
Limits
Like most captive portals, ALCASAR ties the authentication process (login + password) to the MAC address and IP address of the user's equipment. These two addresses are easy for a hacker to usurp, provided that he is connected to the consultation network (MAC/IP spoofing). He can then bypass the portal using the identifiers of another user. To prevent this, ALCASAR incorporates special processes (watchdog timer) that analyze the network regularly and disconnect the usurped user (the administrator is notified).
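The kind of check such a watchdog can run, as an added example (this is not ALCASAR's own code; the page does not describe its implementation). It assumes the portal keeps a table of authenticated (user, IP, MAC) sessions and can collect the (IP, MAC) pairs observed on the consultation network, for example from a periodic ARP scan; all names and sample data are constructed.

```python
from collections import defaultdict

# Constructed sample data: sessions the portal authenticated (user, IP, MAC).
SESSIONS = [
    ("alice", "192.168.182.10", "aa:bb:cc:00:00:01"),
    ("bob",   "192.168.182.11", "aa:bb:cc:00:00:02"),
    ("carol", "192.168.182.12", "aa:bb:cc:00:00:03"),
]

# Constructed sample data: (IP, MAC) pairs seen on the LAN during one scan.
OBSERVED = [
    ("192.168.182.10", "aa:bb:cc:00:00:01"),  # alice, consistent
    ("192.168.182.11", "aa:bb:cc:00:00:02"),  # bob, legitimate device
    ("192.168.182.11", "de:ad:be:ef:00:99"),  # second MAC answering for bob's IP
    ("192.168.182.50", "aa:bb:cc:00:00:03"),  # carol's MAC on an unauthenticated IP
]

def find_usurped_sessions(sessions, observed):
    """Return {user: [reasons]} for sessions whose IP/MAC binding is contested."""
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for ip, mac in observed:
        mac = mac.lower()
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)

    alerts = defaultdict(list)
    for user, ip, mac in sessions:
        mac = mac.lower()
        # The authenticated IP is answered by a MAC other than the session's.
        foreign_macs = macs_by_ip[ip] - {mac}
        if foreign_macs:
            alerts[user].append(f"IP {ip} also answered by {sorted(foreign_macs)}")
        # The authenticated MAC shows up on an IP other than the session's.
        foreign_ips = ips_by_mac[mac] - {ip}
        if foreign_ips:
            alerts[user].append(f"MAC {mac} also seen on {sorted(foreign_ips)}")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in find_usurped_sessions(SESSIONS, OBSERVED).items():
        # A portal would close the session here and notify the administrator.
        print(f"disconnect {user}: " + "; ".join(reasons))
```

A MAC seen on a new IP can also be a benign address change, so the second rule is best treated as a reason to force re-authentication rather than as proof of spoofing.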
In addition, the majority of recent networking hardware (network switches, wireless access points, etc.) offers protection systems against these spoofing techniques: "anti-spoofing" (Alcatel-Lucent / Cisco / Linksys), "Hub&Spoke limit" (Huawei / D-Link), "Client isolation" (airview / Belkin / etc.).
Where the security of the network must be very strong, ALCASAR can authenticate users with its internal RADIUS server and the 802.1X protocol. Although very robust, this protocol requires users to run specific software on their equipment (a supplicant).
Moreover, ALCASAR works on only one Linux distribution: Mageia.
See also
According to a study released in May 2011 by the reporter Thierry Martineau for the newspaper MISC[4], ALCASAR takes into consideration the usurpation methods used to gain access to the Internet (DSN, identity theft). Moreover, in the event of an investigation, the backup of log files is a good way to follow the traffic of each user.
References
- [1] "Alcasar Website". Alcasar Team.
- [2] "Loi pour la confiance dans l'économie numérique". Wikipedia.
- [3] "Blacklists UT1". University of Toulouse (France).
- [4] Thierry Martineau (22 April 2011). "ALCASAR, LE PORTAIL CAPTIF QUI A FAIT SES PREUVES" (in French). pp. 58–63.
- Text of the European Directive "2006/24/CE"
- Text of the Law on Confidence in the Digital Economy (LCEN)
- ANSSI Recommendations Regarding the Implementation of a Logging System
- Article in the MISC journal
- Website of the project
This article "Alcasar" is from Wikipedia.
