Re: Wi-fi hotspot implementations
- From: Jeff Liebermann <jeffl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 12 Sep 2006 01:58:16 GMT
On 10 Sep 2006 13:34:37 -0700, "Isaac Grover" <isaac.grover@xxxxxxxxx>
wrote:
> I am needing to set up a wi-fi hotspot at my local coffee shop. I have
> considered ZoneCD and LessNetworks, but those require reliance on an
> outside service which may or may not be there when we need it.
> As a result, I have been building my own implementation from scratch on
> FreeBSD, using php and mysql for the authentication, squid for the
> transparent proxy, dansguardian for content checking, but I haven't
> figured out what to use to allow previously unauthenticated users who
> have authenticated full access through the proxy. I've been thinking
> about iptables filtering on mac address, but that seems like overkill,
> especially with having to restart iptables every time a user
> authenticates.
> Does anyone here have any suggestions?
Sure. This strikes me as a bit of overkill for a coffee shop. There
are various hot spot implementations based on NoCatAuth that might be
suitable. If you want proper authentication, use a RADIUS server
either locally or on the internet. (Yeah, I know it might not be
there when you need it). Search Google for "NoCatAuth Hotspot" for
lots of implementations and mutations.
Proxy servers are nice for security and anonymity, but it's an awful
administrative time burner. I used to manage a SOCKS 5 proxy firewall
which eventually accumulated more exceptions than rules over the
years. Every stupid program that wanted to update itself over the
internet with its own favorite IP socket number had to be
individually configured. H.323 was almost impossible to get working.
While a proxy server will certainly block attacks from the internet
and provide some anonymity, methinks simple NAT with a stateful packet
inspection firewall is more than adequate for a coffee shop.
Reading between your lines, it seems that you're writing your own
authentication and authorization system (with PHP and MySQL). That's
fine but RADIUS and 802.1x already do that. However, for a simple
coffee shop, I don't think you need the ultimate in security and
authentication. A simple database to store successful logins and
authorizations, a means to expire entries, and some method of hacker
detection should be adequate.
Your specific question of:
> I haven't figured out what to use to allow previously
> unauthenticated users who have authenticated full access
> through the proxy
can be handled crudely by just dropping a cookie in the client's web
cache with a corresponding entry in the SQL database. When the user
returns and hits the initial splash screen, the web server grabs the
cookie, compares the contents with the SQL database, and bypasses the
login and password authorization ordeal if they match. That's not
terribly secure because the cookie can be sniffed and cloned, but
methinks good enough for a coffee shop environment.
Also, make sure you have some form of "client isolation" or what
Linksys misnamed "AP isolation" to keep clients from seeing each
other's traffic or attacking each other. That will save you
considerable grief in a coffee shop environment. Also, bandwidth
management is a good idea.
Also, from the alt.internet.wireless FAQ:
http://wireless.wikia.com/wiki/Wi-Fi_How_To#Setup_a_hotspot
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@xxxxxxxxxxxxxxxxxxxxxx
# http://802.11junk.com jeffl@xxxxxxxxxx
# http://www.LearnByDestroying.com AE6KS