Outline

• This page is prepared for development and distribution of the Open Source software "Opengate".
• Opengate is a (captive portal type) user authentication gateway system for networks in public areas.
• Opengate can close the network immediately at the usage termination.
• Opengate can be distributed under GPL (Gnu General Public License).
• Opengate can be applied to wireless LANs, network sockets (outlets), and public terminals.

• Opengate uses Web browsers as the user interface. No specific software is needed in terminals. (Java plug-in is no longer required from Ver.1.4. upwards)

• The initial web request from a terminal is forwarded to the authentication page. If the authentication is accepted, the network is opened and can be accessed freely form the terminal.

• Opengate uses Ajax script or the Java Applet after authentication, to control TCP connections. Therfore, network access can be closed without delay when the client exits the browser or OS.
• In deficient terminals, the user can use the network until the time limit indicated by the user in authentication page. But for security, the network is closed at the detection of no-packet duration or MAC address change.
• In cooperation with the firewall, Opengate can control the packets of all protocols in both IPv4/IPv6. Mail, FTP or other protocols can be used after authenticating through the web browser. 
• Opengate is developed and implemented by the Saga University Japan to control the universities campus-wide open network. 

Redirect Page	Auth Request Page	Accept Page	Usage Start Page (Popped Up)

What's New

• Ver.1.3.15 is released.
  • Fixed browser's long waiting after sending accept page and other small bugs.
• Ver.1.4.0 is released.

  • Added client watch with http keep-alive, which is the alternate to the watch with java applet. In standard browsers, without the java plug-in, network access can be denied by closing the browser. This is a experimental release, so use it at your own risk.

• Ver.1.4.1 is released.
  • Modified JavaScript to run on some systems.
• Ver.1.4.2 is released.

  • In HTTP/1.0 browsers, the Http watch mode is ignored.

• Ver.1.4.3 is released.

  • Moved JavaScript code from html-file to external js-file.  

• Ver.1.4.4 is released.
  • Java Applet now starts automatically when Http watch fails.
  • Modified parameter format of HTTP-GET.
  • Added Session ID for identifying clients. 
  • Fixed bug in network read.
• Ver.1.4.5 is released.
  • Added function to indicate UserAgent that is deficient to watch with http/java mode.
• Ver.1.4.6 is released.
  • Changed the mode of archived directory to install properly. Fixed small bugs.
• Ver.1.4.7 is released.
  • Fixed small bugs. Added processing time mesurement code for research.
• Ver.1.4.8 is released.
  • Fixed small bugs and modified pages and measurement items.
• Ver.1.4.9 is released.
  • Changed "hello" timing control from client side to server side.
• Ver.1.4.10 is released.
  • Changed parameter's name and value in config file.
• Ver.1.4.11 is released.
  • Added LDAP/LDAPS authentication. Fixed mulfunctions in exceptional terminals.
• Ver.1.4.12 is released.
  • HTTP-watch seems to work correctly, removed the watch-mode selection in authentication page. If still munfunctions, user previous version.
• Ver.1.4.13 is released.
  • Changed to select time watch mode when duration is set by user in autentication page.
• Ver.1.4.14 is released.
  • Fixed bug at IPv6 disabled.
• Ver.1.4.15 is released.
  • Fixed bug at displaying micro-second time in INFO dump.
• Ver.1.4.16 is released.
  • Fixed bug: IE7 hung-ups.
• Ver.1.4.17 is released.
  • Refined bug fix of IE7 hung-ups. We strongly recommend this update!.
• Ver.1.4.18 is released.
  • Added favicon.ico installation(related to above bug).
• Ver.1.4.19 is released.
  • Modified control of favicon.ico.
• Ver.1.4.20 is released.
  • Modified description of web pages to guide the users to the right way.
• Ver.1.4.21 is released.
  • Modified "Makefile" and Install manual. Modify Javascript to close the network when exiting the httpkeep page.
• Ver.1.4.22 is released.
  • Modified ipfw rules to close established TCP connectionswhen exiting Opengate.
• Ver.1.4.23 is released.
  • Added sequential authentication check using two or more servers. Add timeout for the authentication server response.
• Ver.1.4.24 is released.
  • Added seteuid control. Show auto time setting in auth page.
• Ver.1.4.25 is released.
  • Fixed typo in Makefile (Lockfile -> LockFile).
• Ver.1.4.26 is released.
  • Fixed error on 64-bits machines.
• Ver.1.4.27 is released.
  • Fixed previous fix. Fix ederror in setting the pam default service name.
• Ver.1.4.28 is released.
  • Fixed error in PAM authentication.
• Ver.1.4.29 is released.
  • Added code into perl script to prevent multiple login of the same user.
• Ver.1.4.30 is released.
  • Fixed error in tools/mrtg.
• Ver.1.4.31 is released.
  • The value 'ReconnectTimeout' in Conf file was changed from 10 to 180. THis prevents frequent disconnection, coccuring in some browsers.
• Ver.1.4.32 is released.
  • Fixed "segment-fault" in opengatefwd.
• Ver.1.4.33 is released.
  • Modified install.html.
• Ver.1.4.34 is released.
  • Removed ip6fw in default.
• Ver.1.4.35 is released.
  • Fixed Firefox2 hang up at closing. Consult recentQA.
• Ver.1.4.36 is released.
  • Fixed error with Safari3. Consult recentQA.
• Ver.1.4.37 is released.
  • Fixed error in radius authentication.
• Ver.1.4.38 is released.
  • Modified english document(Contiributed by M. Hawk).
• Ver.1.5.0 is released.
  • Removed JavaApplet support. Removed ip6fw command for IPv6 control and integrated it into ipfw. Added ipfw TAG rule (Different TAG Number can be set in ExtraSet in conf file). Added Sqlite3 database for session logging. Added authentication with HTTP-Cookie (Usage can continue without entering password at PC sleep or usage timeout). Added function to jump back to the requested page on authentication interrupt (It can be selected in conf file). This is a PRELIMINARY/EXPERIMENTAL version. Use carefully.
• Ver.1.5.1 is released.
  • Modified english document. Removed disabled item in conf file.
• Ver.1.5.2 is released.
  • Fixed malfunctions caused by remaining cookie and null http_host.
• Ver.1.5.3 is released.
  • Fixed mutex error occurring on opening sqlite3 db.
• Ver.1.5.4 is released.
  • Fixed error in perl script parameter.
• Ver.1.5.5 is released.
  • Fixed error in LDAP on AMD machine (Contributed by K.Iwao). Modified install.html.
• "Administration Memo" is linked at the bottom of this page.
  • It describes several notices useful for administration of Opengate.
• Ver.1.5.6 is released.
• Fixed ssl error in pop3s and ftps authentication.
• Changed Japanese char-code from jis to utf-8.
• Ver.1.5.7 is released.
• Fixed error in tools/rulechk (Contributed by S.Horikawa).
• Ver.1.5.8 is released.
• Fixed error at arp entry expiring (Contributed by S.Horikawa).
• Ver.1.5.9 is released.
• Fixed errors at including many cookies and in retry.html [contributed by S.Horikawa].
• Ver.1.5.10 is released.
• Fixed error on needless connections [contributed by S.Horikawa].
• Ver.1.5.11 is released.
• Fixed error on favicon request [contributed by S.Horikawa].
• Ver.1.5.12 is released.
• Fixed error on reconnecting [contributed by S.Horikawa].
• Ver.1.5.13 is released.
• Added Shibboleth and HTTP Basic authentication.
• Ver.1.5.14 is released.
• Added NAT/Router detection. If detected info is obtained from OpengateM, it is put out to log.
• OpengateM is released.
• Added an Opengate supplement authentication system OpengateM. Refer the link at the bottom of this page.
• Ver.1.5.15 is released.
• Modified Shibboleth authentication to get user's organization.
• Ver.1.5.16 is released.
• Added retry on accidental disconnection, Added userid as comment on ipfw rule list.
• Ver.1.5.17 is released.
• Removed 2 error messages.
• Ver.1.5.18 is released.
• Modified treatment of overlapped sessions.
• Ver.1.5.19 is released.
• Added version display (exec in shell with -v option).
• Ver.1.5.20 is released.
• Added replacing the parameter redirectedurl in some html files. It is useful in opengatem.
• Ver.1.5.21 is released.
• Added message to avoid popup blocking in httpkeep page.

Download

Download Files

The code "****" in "opengate****.tar.gz" indicates the version.
Please download either the latest stable version or the newest version.
The archives "opengate1.1.*.tar.gz" support IPv4 only. Versions "opengate1.3.*" support the IPv4/IPv6 dual stack system.
Versions "opengate1.4.*" include watching with HTTP Keep-Alive. In Version opengate1.5.* JavaApplet is removed, and ipfw-TAG/SQLite/Cookie-auth/etc is added.

Development and Management

Development and management is done by the owner of this page.

Development Staff

Project page  sourceforge.net CVS repository until Ver.1.0.0. If you want to participate in the project, please contact to the owner of this page.

Background

To support educational and research activities, a lot of "public terminals", "network sockets" and "wireless LANs" were implemented throughout the campus. Considering the many incidents such as computer cracking or copyright infringement that were occurring on the network, authentication and usage log methods before network access is granted, quickly became a necessity. Seeing it can prove quite difficult to maintain such systems in terminals for public use, network sockets, and wireless LANs, Opengate was developed to address these issues.

Purpose

Usage

When a user tries to access any given site, the authentication request page is returned. The user enters user a ID and password. Network access is granted to the client terminal when the accept pages are displayed. Network access is denied when closing the browser.

Function and Requirements

Only a Web browser is required for the terminal. For the gateway, a Web server and firewall software are required. At present, Opengate is being developed on a FreeBSD system, using ipfw as the firewall software. Opengate can communicate with many authentication methods, such as FTP, POP3, POP3S, FTPS, RADIUS, LDAP, and PAM. Opengate is loaded as CGI, sends a Java Applet or Ajax script to the terminal, and watches the existence of the terminal. 

Workings of Opengate

1. By default, the gateway firewall is closed.

2. A user tries to access some web site through the gateway.
3. The gateway steals the packet and sends back the authentication page.
4. The server process - loaded as CGI - accepts the user information. The process authenticates the user and opens the firewall for the requesting terminal.
5. The process sends a Java Applet or Ajax script to the terminal and sets up a TCP connection to watch the existence of the terminal (~ Comet).
6. If above watching fails, the process closes the firewall after a set time, a MAC address change or if no packets are exchanged in a set time frame.
7. Periodically, the process performs message exchanges with the terminal.
8. The process closes the firewall when the TCP connection is closed.
9. Server process records usage log when opening and closing the firewall.

Features & Merits

1. Simple User Interface: Opengate uses the clients web browser for GUI interaction.

2. Broad Applicability: Opengate works independent of client OS's such as Windows, Windows Ce, Mac OS, Linux, etc. Opengate is compatible with various connection technologies such as wireless LANs, network outlets, and open service terminals.

3. Real Time: Because Opengate employs a Java Applet or Ajax script for checking terminal status, user disconnection can be detected in real time without extra software.

4. Low Maintenance Costs: Opengate authenticates users by using your existing FTP, POP,RADIUS,LDAP servers. Opengate requires no setup procedure for the client terminals.

Publications

• "Opengate": A Gateway System Which Can Authenticate And Record Users (In Japanese), K. Watanabe, H. Eto, S. Tadaki, and Y. Watanabe, IPSJ SIG Notes IN99-95, TM99-61,OFS99-48, 43-48(2000) . PDF
• Introduction to Opengate: a network authentication system (In Japanese), Y. Watanabe, Annual report of Computer and Network Center, Saga University, No.1, pp.29-32(2001)PDF
• An User Authentication Gateway System With Simple User Interface, Low Administration Cost And Wide Applicability (In Japanese), Y. Watanabe, K. Watanabe, H. Eto, and S. Tadaki, IPSJ Journal, Vol.42, No.12, pp.2802-2809(2001)PDF (Notice)
• An Authentication System for Public and Mobile Terminals and Its Operation with Diskless Boot Mechanism (In Japanese), S. Tadaki, H. Eto, K. Watanabe, Y. Watanabe, Journal for Academic Computing and Networking, No. 5, pp.15-20 (2001)PDF
• Usage of educational LAN (In Japanese), K. Watanabe, Annual report of Computer and Network Center, Saga University, No.2, pp.67-70(2002)PDF
• Usage of wireless campus LAN (In Japanese), K. Watanabe, Annual report of Computer and Network Center, Saga University, No.2, pp.71-76(2002)PDF
• Toward new information infrastructure for education - Campus wide open network based on an authentication system(In Japanese), H. Eto, S. Tadaki, K. Watanabe, Y. Watanabe, Journal for Academic Computing and Networking, No.6, pp.13-20(2002)PDF
• Management of a network including mobile terminals - Practice of Opengate in Saga University(In Japanese), S. Tadaki, H. Eto, K. Watanabe, Y. Watanabe, IPSJ Symposium Series , Vol.2004 No.3, pp.85-90 (2004) PDF.
• Implementation of IPv6 Functions for Opengate(In Japanese), K. Eguchi, K. Watanabe, IPSJ SIG Notes 004-DSM-36, pp. 7-12(2005.3)PDF
• Implementation and operation of large scale network for users' mobile computers by Opengate (In Japanese), S. Tadaki, H. Eto, K. Watanabe, Y. Watanabe, IPSJ Journal, Vol.46, No.4, pp.922-929(2005.4)PDF (Notice).
• Development of network authentication system using Java Servlet(In Japanese), T. Nomura, S. Tobo, Y. Watanabe, K. Watanabe, H. Eto, S. Tadaki, Journal for Academic Computing and Networking, No.9, pp.85-89(2005.9)PDF
• Development of Opengate client by Java(In Japanese), K. Manabe, K. Eguchi, K. Watanabe, Journal for Academic Computing and Networking, No.9, pp.91-94(2005.9)PDF.
• Opengate and the LAN for terminals in Saga University (In Japanese), Y. Watanabe, H. Eto, M.. Otani, K. Watanabe, S. Tadaki, jus Symposium, Tottori University of Environmental Studies, 9.22(2005)PDF (Trans. to English)
• Implementation of IPv6 functions for a network user authentication system Opengate, Makoto Otani, Katsuhiko Eguchi,Hirofumi Eto,Kenzi Watanabe, Shin-ichi Tadaki,Yoshiaki Watanabe, ACM SIGUCCS Fall 2005,Monterey,California,pp.283-286(2005.Nov.6-9)(In English). PDF
• Development of a network user authentication system for IPv4/IPv6 dual stack network (In Japanese), Makoto Otani, Katsuhiko Eguchi and Kenzi Watanabe, IPSJ Journal, Vol.47,No.4,pp.1146-1156(2006)PDF (Notice)
• Improvement of the network user authentication system Opengate for IPv4/IPv6 network (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes 2006-DSM-43, pp.19-24(2006.9)PDF
• Improvement and operation of the network user authentication system Opengate (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, Journal for Academic Computing and Networking, No.10, pp.97-102(2006.9)PDF
• Detection of client usage termination by using HTTP keep-alive (In Japanese), Yoshiaki Watanabe, Kiyoshi Mase, JCEEE Kyushu 2006, Miyazaki Univ., 2006.9.28, 09-1A-09(2006.9)PDF
• Development of the new Opengate capable of detecting usage termination by HTTP Keep-Alive (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes 2007-DSM-44, pp.65-70 (2007.3.9).PDF
• Development and Operation of a Network Authentication System with Detecting Usage Termination by Watching HTTP Connection (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, Journal for Academic Computing and Networking, No.11,pp.87-91,(2007.9.14).PDF
• Installation and Operation of New Opengate with Detecting Usage Termination by Watching HTTP Connection (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes 2007-DSM-47,pp.31-36,(2007.9.21).PDF
• Installation to the Authentication Network of UPKI Initiative Server Certificate (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, Journal for Academic Computing and Networking, No.12,pp.103-107,(2008.9.12).PDF
• Usage of the Name Resolution in Opengate (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes 2008-IOT-3,p.55-p.60,(2008.9.19).PDF
• Single Sign-on with Opengate (In Japanese), Hirofumi Eto, Makoto Otani, Kenzi Watanabe, Shin-ichi Tadaki, IPSJ SIG Notes 2009-IOT-4,p.259-p.264/IEICE Technical Report SITE2008-88,IA2008-111, pp.259-264,(2009.3.6).PDF
• Development and Smooth Installation of a Network Authentication System with Detecting Usage Termination by Watching HTTP Connection (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ Journal, Vol.50, No.3, pp.1032-1042(2009.3)PDF (Notice)
• Forced Display of Portal Site with Single Sign-On (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes 2009-IOT-5,pp.1-6,(2009.5.28).PDF
• Construction of the network based on a campus portal (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, Journal for Academic Computing and Networking, No.13, pp.135-139(2009.9)PDF
• Construction of the virtual network based on the portal site (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, Internet and Operation Technology Symposium(IOTS2009) (2009.12.10)PDF
• Development of the Network User Authentication System Supporting Single Sign-On (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ Journal, Vol.51,No.3,pp.1031-1039(2010.3)PDF (Notice)).
• Operation of SSO-Opengate Using virtual machine (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes 2010-IOT-5 (2010.5.13).PDF
• OpengateM: MAC-address base authentication system complementary to Opengate (In Japanese), Yoshiaki Watanabe, Makoto Otani, Hirofumi Eto, Shin-ichi Tadaki, Kenzi Watanabe, IPSJ SIG Notes 2012-IOT-16, pp.1-6 (2012.03.16).PDF
• Opengate on Cloud, Kenzi Watanabe, Makoto Otani, Shin-ichi Tadaki and Yoshiaki Watanabe, The 26th IEEE International Conference on Advanced Information Networking and Applications (AINA-2012), Fukuoka Institute of Technology (FIT), Fukuoka, Japan (2012.03.28) PDF

Misc

Another Opengate

OpengateM - a MAC address based network user authentication system