Wireless Hotspots in a Large Environment?

matth asks: "So here at work we provide wireless internet access to customers all over our city, and into suburbia, via Alvarion radio gear. We have a large number of customers that are places like pubs, libraries, restaurants, etc. We would like to, in conjunction with these locations, setup up a public Wi-Fi network. The problem is getting the mac address back through to a central authorization server. What experience have others had in setting up a Wi-Fi hotspot network over a city, and allowing a user to register at one location and get on at any of the various locales?"

Boston Area Example

[Anonymous Coward]

I'm not affiliated with these guys, but I've been surfing in and out every once in a while. You might want to ask them a question on their forum. http://www.newburyopen.net/ [newburyopen.net]

NoCatNet

[waffle zero]

Have you looked into NoCatNet [nocat.net]? The group works on a wireless network and the software that makes it possible (NoCatAuth). From what I gather the prefered configuration involves a central authentication server seperate from each gateway.

One way to do it.

[bob_jordan]

You could allow everyone to connect regardless but use a VPN client on the customers machine to allow internet access.

The only problem here is that people could connect just to play online games with other connected people or run VOIP style apps but would this be a problem? If you only intend to charge for internet access, allowing people IP access to each other would be a way of getting them to try the system first.

Bob.

Radius

[sfire]

With my work, I have hostapd [epitest.fi] set up with a radius server [freeradius.org] for authentication. I specifically use x.509 certs, but you could probably use leap, or some other 802.1x.

WiFi network authentication

[8282now]

One way to do it would be require that all ap's utilize an external authentication system, usually via radius server, tacacs or other authentication server. When a user is auth'd on one, grab the corresponding mac and permit for whatever session period you choose.

I understand that the nocat system is also great for authenticated access.

I SHOULD ALSO NOTE

[matth]

We are trying to make it as easy for the customer (ie no third party software).. and would like to have a 'greeting' page that comes up if they aren't authenticated by bring up a web browser.

mac addresses

[akb]

The problem is getting the mac address back through to a central authorization server.

Relying on MAC addresses is not secure. VPN, 802.1x, and NoCat are better.

Re:Simple Solution

[Yottabyte84]

I worf for a WiFi ISP. We set up our hotspots like this. Wide open. It's not worth the trouble to do authentication.

Re:Simple Solution

[DA-MAN]

How/who do you charge? Do you use NoCat or some other authentication software or just let anyone on and accept donations?

Re:Simple Solution

[matth]

See the issue we are faceing is:

A) We want to make it free (I think that's what the higher ups are thinking).. but want a slight level of accountability.. (I argue what's to keep someone from filling the form in laksjdflkajsdflkjasdflkj) but anyway.

B) The higherups would like a 'splash page' that is displayed when you aren't authorized, which, ot my knowledge, can't be done via 802.1x radius. (which BTW seems to work fairly nice.. hehe)

Re:Simple Solution

[DA-MAN]

A) We want to make it free (I think that's what the higher ups are thinking).. but want a slight level of accountability.. (I argue what's to keep someone from filling the form in laksjdflkajsdflkjasdflkj) but anyway.

Sounds good, why not require an authentication system like NoCat and only allow certain types of traffic in and out, like http, https, ssh, pop, imap, and block the rest.

B) The higherups would like a 'splash page' that is displayed when you aren't authorized, which, ot my knowledge, can't b

Re:Simple Solution

[Yottabyte84]

We charge the businesses where the service is offered. We also happen to be a company that offers DSL, so we run DSL lines out, and use those instead of T1, which saves massive amounts of money. The businesses pay for it because it gets the students (there is a faily big university in town) will sit around, and buy food and drinks while doing homework and whatnot.

Allegany County Maryland

[ej0c]

You may not want to follow folks who can't spell Allegheny, but the leaders of the Cumberland Gap area have set a pretty audacious task. They want people in their remote mountain area to all have access.
http://www.gov.allconet.org/about.htm

Allconet2 seems to be the wifi part:
http://prime.allconet.org/allconet2/

http://gov.allconet.org/tech/welcome.htm

Ed

NoCat is the only way to go

[seancallaway]

Some friends of mine are planning to start an ISP that provides wireless internet access (no overhead of the dial-up lines and its faster). Being the geek that I am, they asked me to design their infrastructure. They are placing Wireless Access Points connected to gateways in a few locations around the city. Those gateways (running NoCat) look to a central authentication server (also running NoCat, but with MySQL) to verify usernames and passwords. If you're charging for access as they are, you can setup th

Nomadix / Colubris / IP3?

[darrelld2]

I'm not sure what you are trying to do, but odds are you want to make sure the user authenticates to a Radius server. Any one of the boxes mentioned above will allow you to controll the splash page, etc. Colubris is actually an Access Point also, so it kills two birds with one stone. Your users associate to it, it NAT's out through the Alvarion box (which accepts one MAC address, right?). Bingo, problem solved. Then you need to set up authentication and process your money....Done deal.