-----Original Message----- From: Robert E. Seastrom [mailto:rs@seastrom.com] Sent: Monday, December 27, 2010 11:51 PM To: Bill Lewis Cc: nanog@nanog.org Subject: Re: Public Wireless access (ticket / token / schedule based)
Is there some reason you can't run it wide open without even so much as a captive-portal-check-the-box thing? All of the commercial boxes I've seen for doing what you say you want to do have been Deeply Unsatisfactory in some way (Nomadix is at the top of the list here).
If you lose the authentication altogether and just make sure that there is a bandwidth lid on per host overall usage plus more conservative limits for things like the usual torrent ports and of course blocking certain other ports entirely... you've just eliminated the administrative overhead of issuing credentials to your visitors and streamlined your entire process.
As Robert mentioned, all the current solutions are deeply unsatisfactory and full of holes. Most of the authentication based solutions simply whitelist the user based on their MAC address which is altogether easy to spoof (simply clone the MAC of an authenticated user and you are clear for takeoff)... Why incur the overhead of managing credentials with something that can so easily circumvented. Leave things wide open on a sandboxed subnet with the usual protections (rate limits, blocked ports), IMO is the easiest approach... Stefan Fouant