ARPMiner
ARPMiner is multi-purpose access control software that runs under Windows (Vista, Windows 7/8/10, 2008-2019 Server). ARPMiner can be used as a HotSpot system, a NAT gateway and a PPPoE server.
ARPMiner consists of a GUI and a service application called TekSpot that provides PPPoE, HTTP and DHCP servers and a proxy DNS service. RADIUS Accounting and PPP encryption are supported only in the SP edition.
ARPMiner supports three modes of operation for access control: Network Address Translation (NAT), bridge mode and PPPoE server mode.
Network Address Translation, NAT (Routed) Operation Mode
Sample NAT (Routed) Configuration
ARPMiner translates the source IP address and port number while forwarding a packet from the Private Network to the Internet (port translation is performed only when it is needed; ARPMiner performs symmetric NAT by default). ARPMiner will stop Windows Internet Connection Sharing (ICS) at startup if it is enabled. Please also make sure that IP routing is disabled on the machine where ARPMiner is installed.
ARPMiner uses an Auxiliary IP address (192.168.88.2/24 in the example above) for IP address translation on the Public Network side. The Windows machine would reject return packets from the Internet if the translation were performed using the public interface IP address (192.168.88.3/24 in the example above).
The Auxiliary IP address is chosen automatically, but you can also set it manually. For proper operation, a manually set address must be one that is not used in the public network.
Deploying the built-in DHCP server is optional. The built-in DHCP server assigns an IP address from its IP pool to each client on the private network (either wireless or wired). The assigned subnet mask is the same as that of the Private Interface of the machine where ARPMiner is installed. The DNS server and gateway addresses handed to clients are the Private Network IP address of the machine running ARPMiner.
When you choose to use an external DHCP server on the private network, you must set its gateway IP address to the Private Network IP address of the machine running ARPMiner and set a DHCP IP pool range in the same subnet as that Private Network IP address. ARPMiner will automatically set the private interface IP address and subnet mask. The DHCP IP pool address and address count are updated when you set the private interface IP address and subnet mask.
ARPMiner allows you to set the private interface IP address and subnet mask directly from the management interface. The IP address and subnet mask of the interface are changed at operating system level when you save the settings changes in ARPMiner.
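The addressing rules above (Auxiliary IP and external DHCP server) can be checked before a NAT deployment goes live. The following is an added example, not part of ARPMiner or its documentation; the function name, the private-side addresses and the rule that the Auxiliary IP lies in the public subnet (taken from the page's example) are assumptions.

```python
import ipaddress

def check_nat_plan(public_if, auxiliary_ip, public_in_use,
                   private_if, dhcp_gateway, pool_start, pool_count):
    """Return a list of problems; an empty list means the plan is consistent."""
    pub = ipaddress.ip_interface(public_if)
    priv = ipaddress.ip_interface(private_if)
    aux = ipaddress.ip_address(auxiliary_ip)
    problems = []

    # Translating with the public interface's own address makes Windows
    # reject the return packets, so the auxiliary IP must differ from it.
    if aux == pub.ip:
        problems.append("auxiliary IP equals public interface IP")
    # Assumption taken from the page's example: same subnet as the public side.
    if aux not in pub.network:
        problems.append("auxiliary IP outside public subnet")
    # A manually set auxiliary IP must not be used by another host.
    if aux in {ipaddress.ip_address(a) for a in public_in_use}:
        problems.append("auxiliary IP already in use on public network")

    # External DHCP server: gateway must be ARPMiner's private interface IP.
    if ipaddress.ip_address(dhcp_gateway) != priv.ip:
        problems.append("DHCP gateway is not the private interface IP")
    # The whole pool must sit in the private interface's subnet.
    first = ipaddress.ip_address(pool_start)
    last = first + (pool_count - 1)
    net = priv.network
    if first not in net or last not in net:
        problems.append("DHCP pool leaves the private subnet")
    elif first == net.network_address or last == net.broadcast_address:
        problems.append("DHCP pool includes network or broadcast address")
    # Added sanity check (not stated on the page): never lease the gateway.
    if first <= priv.ip <= last:
        problems.append("DHCP pool contains the private interface IP")
    return problems

# Constructed sample plans: public side from the page, private side invented.
GOOD = dict(public_if="192.168.88.3/24", auxiliary_ip="192.168.88.2",
            public_in_use=["192.168.88.1"], private_if="10.10.0.1/24",
            dhcp_gateway="10.10.0.1", pool_start="10.10.0.10", pool_count=100)
BAD = dict(GOOD, auxiliary_ip="192.168.88.1", dhcp_gateway="10.10.0.254",
           pool_start="10.10.0.200")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_nat_plan(**plan) or "OK")
```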
You can enable Sponsored Authorization to allow HotSpot users to request access from a corporate employee via e-mail. ARPMiner sends a request for access on behalf of the user to the sponsor e-mail address specified by the user. Please see the Sponsored Authorization section in the ARPMiner manual for more details. You also need to configure an SMTP account in the SMTP tab for this feature. Local or RADIUS authentication will not be used when this feature is enabled. This feature can be used only with the NAT and Bridge operating modes.
Bridge Operation Mode
Bridge Mode Configuration
ARPMiner acts as a bridge in bridge operation mode. ARPMiner transparently performs packet forwarding between public and private networks and maintains its own MAC address table for the private network.
ARPMiner Settings / Operating Mode tab
This operation mode enables you to perform access control for the private network without any topology change in your network. NAT should be performed by the Internet router if it is needed. You do not need to assign an IP address to the private network interface of the machine where ARPMiner is installed; ARPMiner automatically resets the private interface IP address to an address in the 169.254.0.0/16 subnet when this operation mode is set.
Deploying the built-in DHCP server is also optional in this operation mode. The built-in DHCP server assigns an IP address from its IP pool to each client on the private network (either wireless or wired). The assigned subnet mask is the same as that of the Public Interface of the machine where ARPMiner is installed. DHCP clients are assigned the Public Network IP address of the machine running ARPMiner as their DNS server and that machine's default gateway as their gateway.
PPPoE Server Operation Mode
ARPMiner does not perform Network or MAC address translation in PPPoE Server Operation Mode. TekRADIUS authenticates user sessions using the PAP, CHAP, MS-CHAP-v1 or MS-CHAP-v2 authentication method, based on client preference. MS-CHAP-v1 or MS-CHAP-v2 must be set as the authentication method in the client settings for MPPE encryption. The encryption level (40/128 bits) is also determined either by the client settings or by the MS-MPPE-Encryption-Types attribute received in the RADIUS authorization response.
ARPMiner will stop Windows Internet Connection Sharing (ICS) at startup if it is enabled. Please also make sure that IP routing is disabled on the machine where ARPMiner is installed.
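To see which PPPoE sessions can end up without MPPE or with 40-bit keys under the rules above, the following added example (not ARPMiner or TekRADIUS code) classifies sessions by authentication method and MS-MPPE-Encryption-Types value. The bit values are those defined in RFC 2548; the record field names are hypothetical, and treating a missing attribute as "the client settings decide" is an assumption based on the paragraph above.

```python
# Bit values of MS-MPPE-Encryption-Types as defined in RFC 2548.
MPPE_40_BIT = 0x02
MPPE_128_BIT = 0x04
# Per the page, only these methods allow MPPE encryption.
MPPE_CAPABLE = {"MS-CHAP-v1", "MS-CHAP-v2"}

def mppe_outcome(auth_method, encryption_types=None):
    """Classify the encryption a PPPoE session can end up with."""
    if auth_method not in MPPE_CAPABLE:
        return "no-mppe"                 # PAP/CHAP: MPPE cannot be used
    if encryption_types is None:
        return "client-decides"          # assumption: client settings pick the level
    allow_40 = bool(encryption_types & MPPE_40_BIT)
    allow_128 = bool(encryption_types & MPPE_128_BIT)
    if allow_128 and not allow_40:
        return "128-bit"
    if allow_40:
        return "40-bit-possible"         # profile permits 40-bit keys
    return "no-key-length-allowed"       # attribute present but no bit set

def audit(sessions):
    """Return (user, outcome) for every session not pinned to 128-bit MPPE."""
    findings = []
    for s in sessions:
        outcome = mppe_outcome(s["auth"], s.get("mppe_types"))
        if outcome != "128-bit":
            findings.append((s["user"], outcome))
    return findings

# Constructed session records; field names are hypothetical, not an ARPMiner format.
SESSIONS = [
    {"user": "alice", "auth": "MS-CHAP-v2", "mppe_types": 4},
    {"user": "bob",   "auth": "PAP"},
    {"user": "carol", "auth": "MS-CHAP-v1", "mppe_types": 6},
    {"user": "dave",  "auth": "MS-CHAP-v2"},
    {"user": "erin",  "auth": "CHAP",       "mppe_types": 4},
]

if __name__ == "__main__":
    for user, outcome in audit(SESSIONS):
        print(f"{user}: {outcome}")
```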
Features
- Simple design and easy to use user interface.
- Simple interface for user definitions
- Real time monitoring of connected users.
- NAT and bridge operation modes for HotSpot Captive Portal.
- PPPoE Server with MPPE (40/128 bits) Encryption.
- PAP, CHAP, MS-CHAP-v1 and MS-CHAP-v2 authentication methods.
- Built-in HTTP server with enhanced SSL and CGI/1.1 support, built-in DHCP server and DNS proxy.
- RADIUS AAA support (Commercial editions only). ARPMiner accepts Packet of Disconnect (PoD) from RADIUS servers.
- RADIUS MAC authentication.
- Sponsored authorization. You can enable Sponsored Authorization to allow HotSpot users to request access from a corporate employee via e-mail. ARPMiner sends a request for access on behalf of the user to the sponsor e-mail address specified by the user.
- DNS redirection.
- Client Id (Ethernet MAC address) in DNS requests (Experimental).
- WISPr 2.0 authentication and partial RADIUS dictionary support.
- Customizable HTTP interface.
- Allow access to web servers specified in Walled Garden for unauthorized users.
- Performance monitoring through Windows Performance Monitor.
- RFC 8908 Captive Portal API and RFC 8910 Captive-Portal Identification in DHCP and Router Advertisements (RAs) support.