OpengateM Home Page
OpengateM - A MAC address based network
user authentication system for campus-wide network
What's New |
Block diagram |
Registration and usage of terminals without Web |
Screen Shots |
Difference to Opengate |
Difference to Simple Restriction by MAC |
Sub systems |
Q and A |
Another System |
Caution: Project main page is moved to
This page may not follow the main page.
- This page is prepared for development and distribution of the Open
Source software "OpengateM".
- OpengateM is an authentication system for various user terminals
brought into the local network. Unlike Opengate, it is not available on
the public terminals of common use.
- As OpengateM controls the network based on the MAC address, it is
to use and compatible to various terminals. In comparison with the
simple MAC address based system, it is characterized by the scalability
and the low management burden.
- It is suited for campus network environment to which various users
bring in various terminals. It is not suited for the network environment
needing high security.
- OpengateM checks the packet at the gateway, and opens the firewall
when the source MAC address is found in the database, where allowable
MAC addresses and the owners are registered. Even if many terminals are
registered, the load of the gateway is only related to the terminals using
the network now.
- User oneself can register his/her terminal on the registration page
- The tables below show the comparison between this system, Opengate and
the simple MAC based system.
- OpengateM is developed and implemented by the Saga University Japan to
control the universities campus-wide open network.
The procedure is shown in the figure below. The user accesses any Web
page. If the terminal is registered and valid, the page is normally
displayed. If the terminal is unregistered or expired, the
authentication is requested and the registration or updating page is
displayed. Other protocol can be used under the system, though Web is
needed at the timing of registration and updating. The procedure for
the terminals without Web function is also prepared.
|MAC Regisration Page
||MAC Updating Page
- It can be used together with Opengate on the same gateway as an
Opengate supplement system. Also, it can be used without Opengate.
- Only a network connection function is required for the terminal.
It is compatible to various devices with WiFi, such as smart phones,
tablets, note PCs, audio/video players and more.
- Enormous users can be registered, though the users using the
network at a moment is limited by the processing capacity of the
gateway and firewall.
- In our load test, it processes concurrent access from more than
several thousand terminals on 1Gbps network. When the huge number
of packet arrive, the capture of some packets is failed.
Therefore, checking of a new terminal is postponed to the next packet
from the terminal. But, terminals already checked can be used
without influence. The packets are not stacked and the daemon does
not collapse by overload.
- The user ID and password are required only at the registration and
updating of the database. No authentication interrupts at using the
network. Minimum guidance is required for usage.
- The user management is integrated into the database. No
registration is needed to each access point or firewall.
- It prepares easy methods for MAC address registration. In most
methods, the address is acquired automatically. The address can be
linked to the user ID acquired from various authentication systems (FTP,
POP3, POP3S, FTPS, RADIUS, LDAP, PAM, shibboleth, HttpBasic).
- It is possible to skip authentication and only show the splash page
for an agreement or usage policy. In this case, the usage log is
recorded based on MAC address. The splash page can be shown
periodically. Specified terminals can be denied.
- It is possible to register correct data without large management
cost, by using the captive portal type authentication and automatic MAC
address acquisition on the terminals having Web.
- It uses popular hardware and open-source software.
- Permission or suppression of specific ports or sites can be controlled
by devising the firewall rules.
- It can save the usage log including user ID.
- It has automatic usage expiration. A warning email arrives before the
limit date. The user oneself checks the usage log and extends the
limit. Thus it is easy to notice the illegal use.
- It have a function to detect NAT / router insertion, as the
checking of terminal's MAC address is not available via NAT/router.
- It can be modified and distributed under GPL(GNU General Public
- Ver.1.0.0 is released.
- The system image using VirtualBox are
- Ver.0.9.7 is released.
- Added no authentication and splash page only management(opengatemown).
- The construction procedure and the system image using VirtualBox are
- Ver.0.9.6 is released.
- Fixed CLang warning messages(all).
- Modified PHP scripts(opengatemmng).
- Ver.0.9.5 is released.
- Modified registration and update pages(opengatemreg/mown/mup).
- Ver.0.9.4 is released.
- Modified update page(opengatemup). Reduced emails(opengatemmail).
- Ver.0.9.3 is released.
- Added PHP script to send report mail to the detected user. It
cooperates with watch function of Ver.0.9.1 (phpsrc).
- Ver.0.9.2 is released.
- Added edit function for dev-name and mail (opengatemup). Changed
strncpy to strlcpy(all).
- Ver.0.9.1 is released.
- Added watch function for specific addresses. See opengatemd page
- Ver.0.9.0 is released.
- Added status P(=Pause). Changed log table in update page to chart
Following link has download files. The code "****" in "opengatem****.tar.gz"
indicates the version.
Please download the newest version. Refer to the documents linked to this
page for the installation procedure.
We link the construction procedure and the system image using VirtualBox
Please use it for inspection and the system construction.
Trial of Opengate/OpengateM on VirtualBox
Trial of Opengate/OpengateM on VirtualBox
The Main Projecct Page is
http://en.osdn.jp/projects/opengatem/. It includes Git repository.
Th following figure shows the overview of the system. The terminal
with Web can be registered by oneself. The terminal without Web
needs the operation of the administrator. The updating can be done by
oneself by using a PC or other Web based device.
The following figure shows the block diagram of the system. A
daemon captures the packet and opens the firewall when the database knows
the address in the packet. The firewall is closed when no packet is
detected for a while. There are several management systems for the
Registration and usage of terminals without Web
The registration of the terminal without Web is supervised by the
administrator. The administrator identifies the terminal by access
trials. The updating of the registration is done by oneself by using
a PC having the Web function.
|MAC Check Page
||MAC Regisration Page
Difference to Opengate
| Applicable to public terminal for plural users and
Personal terminal for one user
| Applicable to personal terminal for one user
| Needs functions of standard Web and background
| Needs functions of internet connection only
| Needs to enter password at every usage
|Needs to enter password at address
| Close network immediately - Usage termination is
detected by watching page
|Close network after time delay - When no packet is
detected for a while
Difference to Simple Restriction by MAC
| Simple Restriction by MAC
(General case. Different cases may exist)
| Limits number of users by maximum registration for
a control device.
| Includes many users, as rules are controlled
| Has no usage log for each user
| Has usage log for each user
(UserID, MAC address, IP address, Time)
| Needs the operation of many control devices.
|Controlled by a central database.
| Has no usage expiration.
|Includes usage expiration and expansion.
|Difficult to find the abuse
|Includes confirmation of usage log at
|Requires some procedure to get and
register MAC address
|Includes procedures to get and
register MAC address.
|May includes typo in MAC address
|Includes automatic MAC address
|Needs administrator's burden at
|For terminals with Web, needs no
|Has NO guide for unregistered users
|Can forward unregistered users to
registration page or other authentication.
|Controls all users uniformly (Only
narrowing down by firewall).
|Can pass/deny specific sites/ports by
(E.g., a site/port can be accessed without restriction)
The system consists of the following subsystems.
|System for opening and closing network
|All of gateways
||A daemon to check packets and to open/close the network
|A server which can be accessed from gateways
|Database to store the MAC address and userid for acceptable users
|System for MAC address registration
|Some of gateways
|A Web system to register MAC address of Non-Web device
|System for MAC address updating
|A server which can access to database
|A Web system to update MAC address registration
|System for owner to manage MAC address
|Some of gateways
||A Web system for the owner to manage MAC address without
|Misc system for management
|A server which can access to database
||Optional misc programs with PHP
- Registration by owner without administrator (terminals with web)
- An user accesses registration page, and registers the
authentication information and the MAC address acquired
automatically. The page can be shown as Captive Portal.
- Registration by administrator
- An user with a terminal goes to the registration area, and request
the registration to the administrator.
- The administrator acquires the MAC address of the terminal
automatically, and registers it to the database with the user ID.
- Batch registration
- SQL script sample for batch registration is included in archive.
- When the user starts to use, the daemon on the gateway confirms the
MAC address, inserts a pass rule into the firewall, and logs the
- The daemon deletes the pass rule from the firewall, if there is no
network use for a while (e.g., 3 hours).
- At Web accessing from no-admittance MAC address, the
registration/update page is displayed after confirming
ID/password(in proper setting). Opengate page is displayed in other
- The usage permission expires for a certain period (e.g., 1 month). A
warning email arrives before the limit date.
- The user updates the limit date by Web.
Q and A
Some questions and their answers are described in Q
- OpengateM: MAC-address base authentication system complementary to
Opengate (In Japanese), Yoshiaki Watanabe, Makoto Otani, Hirofumi Eto,
Shin-ichi Tadaki, Kenzi Watanabe, IPSJ SIG Notes 2012-IOT-16, pp.1-6
- A MAC address based network user authentication system OpengateM in
campus scale networks (In Japanese), Makoto Otani, Hirofumi Eto, Kenzi
Watanabe, Shin-ichi Tadaki, Yoshiaki Watanabe, IPSJ SIG Notes
2012-IOT-19, pp.1-6 (2012.09.28).PDF
- A MAC address based authentication system applicable to campus-scale
network, Yoshiaki Watanabe, Makoto Otani, Hirofumi Eto, Kenzi Watanabe
and Shin-ichi Tadaki, The 15th Asia-Pacific Network Operations and
Management Symposium (APNOMS2013), Hiroshima, Japan (2013.09.27) PDF
Another System : Opengate
Opengate is a Web based network user authentication system. Refer
If you have any questions or advice regarding this page, please
send a message to the following address:
Yoshiaki Watanabe :
Makoto Otani :