Public Wireless access (ticket / token / schedule based)
What is everyone using for enterprise grade wireless authentication for simple public access (i.e. users that are non-employee that need internet access (non-PCI) while in your building). Obviously I will hang this off a DMZ switch outside of my private LAN. Looking for something vendor driven, don't have time for anything home grown or unsupported / community based. Thanks, Bill Lewis Hot Topic
"Bill Lewis" <blewis@hottopic.com> writes:
What is everyone using for enterprise grade wireless authentication for simple public access (i.e. users that are non-employee that need internet access (non-PCI) while in your building). Obviously I will hang this off a DMZ switch outside of my private LAN. Looking for something vendor driven, don't have time for anything home grown or unsupported / community based.
Assuming that this is for your offices not your retail outlets... Is there some reason you can't run it wide open without even so much as a captive-portal-check-the-box thing? All of the commercial boxes I've seen for doing what you say you want to do have been Deeply Unsatisfactory in some way (Nomadix is at the top of the list here). If you lose the authentication altogether and just make sure that there is a bandwidth lid on per host overall usage plus more conservative limits for things like the usual torrent ports and of course blocking certain other ports entirely... you've just eliminated the administrative overhead of issuing credentials to your visitors and streamlined your entire process. Doable? -r
On Mon, Dec 27, 2010 at 11:50 PM, Robert E. Seastrom <rs@seastrom.com> wrote:
Assuming that this is for your offices not your retail outlets...
Is there some reason you can't run it wide open without even so much as a captive-portal-check-the-box thing? All of the commercial boxes I've seen for doing what you say you want to do have been Deeply Unsatisfactory in some way (Nomadix is at the top of the list here).
yea, just buy a DSL line from your local telco, plug in a D-Link and ... call it done.
-----Original Message----- From: Robert E. Seastrom [mailto:rs@seastrom.com] Sent: Monday, December 27, 2010 11:51 PM To: Bill Lewis Cc: nanog@nanog.org Subject: Re: Public Wireless access (ticket / token / schedule based)
Is there some reason you can't run it wide open without even so much as a captive-portal-check-the-box thing? All of the commercial boxes I've seen for doing what you say you want to do have been Deeply Unsatisfactory in some way (Nomadix is at the top of the list here).
If you lose the authentication altogether and just make sure that there is a bandwidth lid on per host overall usage plus more conservative limits for things like the usual torrent ports and of course blocking certain other ports entirely... you've just eliminated the administrative overhead of issuing credentials to your visitors and streamlined your entire process.
As Robert mentioned, all the current solutions are deeply unsatisfactory and full of holes. Most of the authentication based solutions simply whitelist the user based on their MAC address, which is altogether easy to spoof (simply clone the MAC of an authenticated user and you are clear for takeoff)... Why incur the overhead of managing credentials with something that can be so easily circumvented? Leave things wide open on a sandboxed subnet with the usual protections (rate limits, blocked ports), IMO is the easiest approach... Stefan Fouant
On 12/28/2010 11:18 AM, Stefan Fouant wrote:
Leave things wide open on a sandboxed subnet with the usual protections (rate limits, blocked ports), IMO is the easiest approach...
One concern in higher ed that was amplified by CALEA was the notion that an "open" network precluded you from the private network exemption. So "free open unauthenticated WiFi" carries some excess baggage with it. Jeff
We've had some good success with the Cisco wireless LAN controllers in our office. The reception staff are given "Lobby Admin" access that lets them create users with a default expiry of a day (but can go up to 90 days I think). The wireless is technically open, but they can't do anything until they authenticate through the controller's web GUI. Then we have access lists to control what they can do while on the wireless. Sent from my “contract free” BlackBerry® smartphone on the WIND network.
-----Original Message----- From: "Bill Lewis" <blewis@hottopic.com> Date: Mon, 27 Dec 2010 12:15:55 To: <nanog@nanog.org> Subject: Public Wireless access (ticket / token / schedule based)
-----Original Message----- From: james@jamesstewartsmith.com [mailto:james@jamesstewartsmith.com] Sent: Tuesday, December 28, 2010 11:55 AM To: Bill Lewis; nanog@nanog.org Subject: Re: Public Wireless access (ticket / token / schedule based)
We've had some good success with the Cisco wireless LAN controllers in our office. The reception staff are given "Lobby Admin" access that lets them create users with a default expiry of a day (but can go up to 90 days I think). The wireless is technically open, but they can't do anything until they authenticate through the controller's web GUI. Then we have access lists to control what they can do while on the wireless.
James, Just out of curiosity, how does this solution prevent unauthorized users from gaining access to the system by the aforementioned MAC spoofing technique? Stefan Fouant
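A defender-side check for the MAC-cloning weakness raised in the thread, added here as an example and not from any participant: a captive portal that whitelists by MAC cannot tell a cloned address from the original, but the controller or DHCP logs often can. The log format, access-point names, MACs and hostnames below are constructed; the heuristic assumes that a legitimately roaming client keeps its DHCP hostname while a cloned MAC usually arrives with a different one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample client events from a guest SSID (made-up values, assumed
# field layout: timestamp, access point, client MAC, leased IP, DHCP hostname).
SAMPLE_LOG = """\
2010-12-28T11:18:02 ap=lobby-1 mac=00:11:22:33:44:55 ip=10.9.0.14 host=guest-laptop
2010-12-28T11:19:40 ap=lobby-1 mac=AA:BB:CC:DD:EE:01 ip=10.9.0.15 host=visitor-phone
2010-12-28T11:20:10 ap=lobby-1 mac=00:11:22:33:44:55 ip=10.9.0.14 host=guest-laptop
2010-12-28T11:21:05 ap=floor3-2 mac=00:11:22:33:44:55 ip=10.9.0.14 host=other-pc
2010-12-28T13:05:00 ap=floor3-2 mac=aa:bb:cc:dd:ee:01 ip=10.9.0.15 host=visitor-phone
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) mac=(?P<mac>\S+) ip=(?P<ip>\S+) host=(?P<host>\S+)$"
)

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["mac"] = ev["mac"].lower()   # normalise case before comparing
            events.append(ev)
    return events

def find_mac_conflicts(events, window=timedelta(minutes=5)):
    """One alert per event whose MAC was seen with a different DHCP hostname
    inside `window`. AP changes alone are roaming and are not flagged."""
    alerts = []
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for prev in seen[ev["mac"]]:
            if ev["ts"] - prev["ts"] <= window and ev["host"] != prev["host"]:
                alerts.append({"mac": ev["mac"], "ts": ev["ts"],
                               "hosts": (prev["host"], ev["host"]),
                               "aps": (prev["ap"], ev["ap"])})
                break   # one alert per event is enough
        seen[ev["mac"]].append(ev)
    return alerts

if __name__ == "__main__":
    for a in find_mac_conflicts(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} {a['mac']} hostname {a['hosts'][0]} -> {a['hosts'][1]} on {a['aps'][0]} -> {a['aps'][1]}")
```

Treat a hit as a signal to review, not proof of cloning: a guest who renames their machine mid-session also trips it, which is why the thread's advice to rate-limit and port-filter the guest subnet regardless of authentication still applies.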
participants (6)
- Bill Lewis
- Christopher Morrow
- james@jamesstewartsmith.com
- Jeff Kell
- Robert E. Seastrom
- Stefan Fouant