Industry Standard Security and guest wifi access best practice

 
 
tyoder@buildingconcepts.com
11-13-2006, 03:50 PM
Hello All,

I am looking for a solution to provide wifi access in a multi dwelling
residential unit such that it provides as many of the following points
as possible:

1 When a user connects for the first time they see a page displaying a
usage policy and a login screen. Guest login is allowed, but
registered login is optional and recommended, passwords and logins
administered through the building management.

2 The Network Access Controller to provide the ability to throttle down
guest connections to around 256k down, 128k up, while leaving
registered users' connections a great deal more robust.

3 Connection is simple for the end user and requires no VPN client
software.

4 The connection is nonetheless secured in a responsible fashion

5 The equipment may have high initial cost, but must run relatively
trouble free (no on-site IT support needed). Preferably it will
involve a rack mounted gateway appliance rather than any sort of server
and will be administered remotely.

6 Wireless subnet roaming would be really nice as well.

I am aware of the basic access controllers such as those provided by
BlueSocket. Basically what I want is a BlueSocket controller that can
secure the wireless connection via SSL VPN so that the wireless portion
is encrypted despite transmission over an open authentication access
point system. However, I do not want to subject the user to multiple
login pages (Authentication and then VPN) which would be necessary if I
use two separate devices.

Inability to run my access points both WPA-PSK encrypted and open means
that I can't reasonably leave guest access "at your own risk" while
securing tenant access, plus tenants will not be happy switching a
highly random WPA key every week, but I also don't feel secure leaving
the same key in place for a year allowing it to be compromised in that
way.

Any major architectural restructuring is also right out. I can't see
implementing 802.1X as the complexity in supporting tenants would
require an onsite technician. Also transparent domain login
authentication would be a hassle as many of the tenants would be using
business laptops and no alteration to the setup they use at work would
be acceptable.

So far I feel that I am asking too much and that even if a device is
possible to do what I am looking for, it doesn't yet exist. Please
advise. I have spent many hours looking through product brochures and
searching the web and I have found nothing to fit the bill.

Just to clarify, I am asking for product recommendations. If you are
connected to a company which provides a solution, then a sales pitch is
invited.

Thanks in advance,

Tim

 
John Navas
11-13-2006, 04:14 PM
Have you checked all of the "hotspot" products listed in the wikis
below?

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
tyoder@buildingconcepts.com
11-13-2006, 04:47 PM
Thanks for the response,

Pretty much everything listed there is on a smaller scale than what I'm
looking for and still doesn't address the security concerns I have.
Nonetheless, the information I found there has led to more options by,
if nothing else, informing me of better terminology under which to do
my searching.

I now know the proper term for the unit I'm looking for is a "captive
portal" (probably obvious to the more seasoned in this particular
field, but if you don't know what language to use in a search you don't
get very far until you stumble upon the correct terminology), but where
my needs differ from what I continue to find is that I would like the
captive portal to establish an SSL VPN session upon completing user
registration (as opposed to merely providing SSL for the registration
process itself) so as to encrypt over-the-air traffic without using WPA
encryption.

Of course I could have missed something and this product might not
exist because it is a very bad idea.


John Navas
11-13-2006, 05:21 PM
I'm guessing it doesn't exist because there's no seamless way to do it,
and because the available options work well:

1. Use WPA to encrypt wireless traffic, with wireless isolation to
prevent wireless hosts from seeing each other.

2. Support and enforce VPN, either with downloadable software (e.g.,
OpenVPN <http://openvpn.net/>), or VPN support built into the host OS
(e.g., PPTP).

See also HotSpotVPN <http://www.hotspotvpn.com/>

Jeff Liebermann
11-13-2006, 06:01 PM
(E-Mail Removed) hath wroth:

>Pretty much everything listed there is on a smaller scale than what I'm
>looking for ...


Could you elaborate on the "scale" that you're looking for?
Number of connected wireless clients?
Number of connected wired clients?
Type and bandwidth of backhaul? Number of backhauls?
Approximate area of required coverage?
Type of building construction? Number of floors?
Indoor, outdoor, or both?
Is "illumination" from outside the building possible?
Availability of offsite support and admin?
Any monitoring required?
How do you plan to deal with abuse, worm infected machines, outages,
support, account administration, and billing?

In effect, you're asking for a detailed bid and proposal, which is
rather difficult without numbers.

There are a few assumptions in your list of requirements. One that's
wrong is that you cannot simultaneously run WPA encryption and open
access on the same wireless router. See Sonicwall "security zones"
and the beta version of DD-WRT 2.4 for how it's done. Also, the
latest FON firmware has this feature. Some 3com access points also
support this feature. Look for devices that support multiple SSIDs
as they usually also have this feature. I can dig out the models
later if you're interested.

Another assumption is that you can deploy such a system without any
available maintenance or support services. That's not going to work.
In effect, you're setting up something similar to a wire line ISP, but
with the added entertainment value of a non-reliable delivery
mechanism. Your customers need to have someone to call for help or
they won't pay the bill.

Gotta run...
--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
tyoder@buildingconcepts.com
11-13-2006, 07:36 PM
Unfortunately for my situation those alternatives don't really provide
what I am looking for.

1 WPA: like I said, the key would be too complicated for me to force end
users to change it frequently (they would not be happy having to do it,
especially as when I change the key on my end it kicks off all users
who have yet to change). Further, lack of end user expertise
translates to dollars spent on supporting IT personnel.

2 VPN use: This is something I want to rule out from the start. First,
it requires me either to put an IPSEC gateway in place and pay for
proprietary clients or it requires server infrastructure to maintain
and either way it means supporting a piece of software on a client's
computer. I don't want clients to need to do anything technical
because they will mess it up and I will be responsible. My experience
with IPSEC VPN clients has not been positive. Likewise, providing
instructions on how to set up OS based VPN connections will also result
in tech calls.

The picture I'm trying to paint is that people will be connecting
equipment and expecting it to work. Who knows what time of day or
night this will be, but if they can't figure it out they will expect
immediate answers.

Further, I may need to connect wireless devices other than PC's that
don't support WPA, and if they did then rule out changing the key ever.
With an access gateway I could at least white list the MAC and give
the device open access. This is secondary and I may need to compromise
on it no matter what.

I may get stuck allowing guest users access to the WPA key, but
entering this key exactly one time is the most I feel I can expect of
the end user.

I don't see why there couldn't be a seamless way to add SSL VPN
capability to a captive portal. All traffic is open and unencrypted up
to the portal, but then the user connects to log in, and ends up on a
secure connection through authentication. Upon authentication the
device would establish a tunnel between itself and the client and all
traffic between it and the client would be encrypted. Seems reasonable
to me, but it must not be for some reason or else I'm sure some company
out there would be doing it.


John Navas
11-13-2006, 08:10 PM
On 13 Nov 2006 12:36:12 -0800, (E-Mail Removed) wrote in
<(E-Mail Removed). com>:

>Unfortunately for my situation those alternatives don't really provide
>what I am looking for.
>
>1 WPA: like I said, the key would be too complicated for me to force end
>users to change it frequently (they would not be happy having to do it,
>especially as when I change the key on my end it kicks off all users


No need -- *encryption* security of WPA has nothing to do with key
strength. The key is only for *authentication* (not encryption), and
can be made very weak when no authentication is needed; e.g., passphrase
of "password" or "key". Encryption will still be strong, and wireless
isolation can be used to keep one host from eavesdropping another.

>who have yet to change). Further, lack of end user expertise
>translates to dollars spent on supporting IT personnel.


That will be an issue no matter what you do.

>2 VPN use-This is something I want to rule out from the start. First,
>it requires me either to put an IPSEC gateway in place and pay for
>proprietary clients or it requires server infrastructure to maintain
>and either way it means supporting a piece of software on a client's
>computer. I don't want clients to need to do anything technical
>because they will mess it up and I will be responsible. My experience
>with IPSEC VPN clients has not been positive. Likewise, providing
>instructions on how to set up OS based VPN connections will also result
>in tech calls.


IPSEC isn't the only choice -- read what I wrote more carefully.

>The picture I'm trying to paint is that people will be connecting
>equipment and expecting it to work. Who knows what time of day or
>night this will be, but if they can't figure it out they will expect
>immediate answers.


That's going to happen no matter what you do.

>Further, I may need to connect wireless devices other than PC's that
>don't support WPA, and if they did then rule out changing the key ever.


Then they probably won't support other forms of security.

> With an access gateway I could at least white list the MAC and give
>the device open access. This is secondary and I may need to compromise
>on it no matter what.


MAC *isn't* a viable authentication option -- too easily spoofed.

>I may get stuck allowing guest users access to the WPA key, but
>entering this key exactly one time is the most I feel I can expect of
>the end user.


See above.

>I don't see why there couldn't be a seamless way to add SSL VPN
>capability to a captive portal.


Then you need to bone up on how VPN works. There's no way for a gateway
to switch all connections into SSL mode.

>All traffic is open and unencrypted up
>to the portal, but then the user connects to log in, and ends up on a
>secure connection through authentication. Upon authentication the
>device would establish a tunnel between itself and the client and all
>traffic between it and the client would be encrypted. Seems reasonable
>to me, but it must not be for some reason or else I'm sure some company
>out there would be doing it.


It's not reasonable -- security depends on support in the device.

>John Navas wrote:
>> On 13 Nov 2006 09:47:46 -0800, (E-Mail Removed) wrote in
>> <(E-Mail Removed) .com>:
>>
>> >Thanks for the response,
>> >
>> >Pretty much everything listed there is on a smaller scale than what I'm
>> >looking for and still doesn't address the security concerns I have.
>> >Nonetheless, the information I found there has led to more options by,
>> >if nothing else, informing me of better terminology under which to do
>> >my searching.
>> >
>> >I now know the proper term for the unit I'm looking for is a "captive
>> >portal" (probably obvious to the more seasoned in this particular
>> >field, but if you don't know what language to use in a search you don't
>> >get very far until you stumble upon the correct terminology.) but where
>> >my needs differ from what I continue to find is that I would like the
>> >captive portal to establish an SSL VPN session upon completing user
>> >registration (as oposed to merely providing SSL for the registration
>> >process itself) so as to encrypt over the air traffic without using WPA
>> >encryption.
>> >
>> >Of course I could have missed something and this product might not
>> >exist because it is a very bad idea.

>>
>> I'm guessing it doesn't exist because there's no seamless way to do it,
>> and because the available options work well:
>>
>> 1. Use WPA to encrypt wireless traffic, with wireless isolation to
>> prevent wireless hosts from seeing each other.
>>
>> 2. Support and enforce VPN, either with downloadable software (e.g.,
>> OpenVPN <http://openvpn.net/>), or VPN support built into the host OS
>> (e.g., PPTP).
>>
>> See also HotSpotVPN <http://www.hotspotvpn.com/>
>>
>> >John Navas wrote:
>> >> Have you checked all of the "hotspot" products listed in the wikis
>> >> below?
>> >>
>> >> On 13 Nov 2006 08:50:36 -0800, (E-Mail Removed) wrote in
>> >> <(E-Mail Removed). com>:
>> >>
>> >> >Hello All,
>> >> >
>> >> >I am looking for a solution to provide wifi access in a multi dwelling
>> >> >residential unit such that it provides as many of the following points
>> >> >as possible:
>> >> >
>> >> >1 When a user connects for the first time they see a page displaying a
>> >> >usage policy and a login screen. Guest login is allowed, but
>> >> >registered login is optional and recommended, passwords and logins
>> >> >administered through the building management.
>> >> >
>> >> >2 The Network Access Controller to provide the ability to throttle down
>> >> >guest connections to around 256k down, 128k up, while leaving
>> >> >registered users' connections a great deal more robust.
>> >> >
>> >> >3 Connection is simple for the end user and requires no VPN client
>> >> >software.
>> >> >
>> >> >4 The connection is nonetheless secured in a responsible fashion
>> >> >
>> >> >5 The equipment may have high initial cost, but must run relatively
>> >> >trouble free (no on-site IT support needed). Preferibly it will
>> >> >involve a rack mounted gateway appliance rather than any sort of server
>> >> >and will be administrated remotely.
>> >> >
>> >> >6 Wireless subnet roaming would be really nice as well.
>> >> >
>> >> >I am aware of the basic access controllers such as those provided by
>> >> >BlueSocket. Basically what I want is a BlueSocket controller that can
>> >> >secure the wireless connection via SSL VPN so that the wireless portion
>> >> >is encrypted despite transmission over an open authentication access
>> >> >point system. However, I do not want to subject the user to multiple
>> >> >login pages (Authentication and then VPN) which would be necessary if I
>> >> >use two separate devices.
>> >> >
>> >> >Inability to run my access points both WPA-PSK encrypted and open means
>> >> >that I can't reasonably leave guest access "at your own risk" while
>> >> >securing tenant access, plus tenants will not be happy switching a
>> >> >highly random WPA key every week, but I also don't feel secure leaving
>> >> >the same key in place for a year allowing it to be compromised in that
>> >> >way.
>> >> >
>> >> >Any major architectural restructuring is also right out. I can't see
>> >> >implementing 802.1X as the complexity in supporting tenants would
>> >> >require an onsite technician. Also transparent domain login
>> >> >authentication would be a hassle as many of the tenants would be using
>> >> >business laptops and no alteration to the setup they use at work would
>> >> >be acceptable.
>> >> >
>> >> >So far I feel that I am asking too much and that even if a device is
>> >> >possible to do what I am looking for, it doesn't yet exist. Please
>> >> >advise. I have spent many hours looking through product brochures and
>> >> >searching the web and I have found nothing to fit the bill.
>> >> >
>> >> >Just to clarify, I am asking for product recommendations. If you are
>> >> >connected to a company which provides a solution, then a sales pitch is
>> >> >invited.
>> >> >
>> >> >Thanks in advance,


--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
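
The two points above (wireless hosts must not see each other; only VPN traffic leaves an open guest segment) as a gateway ruleset. This is an added example, not code from the thread or from any product named in it, and every deployment detail in it is an assumption: a Linux gateway with the guest APs on a bridge called br-guest, gateway address 10.20.0.1, a local "this network requires a VPN" help page on TCP 8080, WAN interface eth0, OpenVPN on its default port 1194 and PPTP (TCP 1723 plus GRE) as the permitted tunnel protocols. The functions print the iptables/ebtables commands so they can be reviewed; "apply" pipes them into sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread.  Gateway-side enforcement for an
# *open* guest SSID: wireless hosts cannot see each other, and only VPN
# traffic (OpenVPN, or the PPTP client built into the host OS) is allowed
# out, so the unencrypted air only ever carries traffic that is encrypted
# again inside a tunnel.  Deployment details are assumptions: guest bridge
# br-guest, gateway 10.20.0.1, a local "you need a VPN" help page on the
# gateway at TCP 8080, WAN eth0.  Functions PRINT iptables/ebtables
# commands; "guest_gw.sh apply" pipes them into sh (needs root).

GUEST_IF=${GUEST_IF:-br-guest}
GW_IP=${GW_IP:-10.20.0.1}
HELP_PORT=${HELP_PORT:-8080}
WAN_IF=${WAN_IF:-eth0}

# 1. Layer-2 isolation.  A frame that enters and leaves the same bridge is
#    client-to-client, so drop it.  This also covers clients on different
#    APs hung off one bridge, which a per-AP "client isolation" setting does
#    not.  Frames addressed to the gateway itself go to INPUT, not FORWARD.
isolation_rules() {
    echo "ebtables -A FORWARD --logical-in $GUEST_IF --logical-out $GUEST_IF -j DROP"
}

# 2. VPN-only egress.  Nothing from the guest segment may reach another LAN
#    segment, and towards the WAN only tunnel protocols pass: OpenVPN on its
#    default port 1194 (UDP or TCP), PPTP control (TCP 1723) plus GRE.
#    Everything else is rejected rather than dropped so clients fail fast.
vpn_only_rules() {
    cat <<EOF
iptables -N GUEST_FWD
iptables -A FORWARD -i $GUEST_IF ! -o $WAN_IF -j DROP
iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -j GUEST_FWD
iptables -A FORWARD -i $WAN_IF -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $GUEST_IF -p gre -j ACCEPT
iptables -A GUEST_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GUEST_FWD -p udp --dport 1194 -j ACCEPT
iptables -A GUEST_FWD -p tcp --dport 1194 -j ACCEPT
iptables -A GUEST_FWD -p tcp --dport 1723 -j ACCEPT
iptables -A GUEST_FWD -p gre -j ACCEPT
iptables -A GUEST_FWD -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# 3. Gateway services.  Guests may talk to the gateway only for DHCP, DNS
#    and the help page; plain HTTP is redirected to that page so a user
#    whose browser "does not work" is told why instead of timing out.
gateway_rules() {
    cat <<EOF
iptables -A INPUT -i $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p tcp --dport $HELP_PORT -j ACCEPT
iptables -A INPUT -i $GUEST_IF -j DROP
iptables -t nat -A PREROUTING -i $GUEST_IF -p tcp --dport 80 -j DNAT --to-destination $GW_IP:$HELP_PORT
EOF
}

all_rules() { isolation_rules; vpn_only_rules; gateway_rules; }

case "${1:-print}" in
    print) all_rules ;;
    apply) all_rules | sh -e ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner would add. The allow-list must match the VPN service guests are actually pointed at (many run on TCP 443, not 1194); the final REJECT in GUEST_FWD is what makes an untunnelled session impossible rather than merely discouraged, so do not loosen it to "just HTTP" without accepting that guest web traffic then goes over the air in the clear. And DNS to the gateway is still cleartext and a well-known tunnelling channel, so the gateway resolver should be the only resolver reachable, which these rules already arrange. "apply" appends rules without flushing; a real deployment would build the ruleset with iptables-restore instead.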
 
tyoder@buildingconcepts.com
      11-13-2006, 08:37 PM
Scale is left intentionally ambiguous as I am not looking to suit a
specific project, but instead am looking for a conceptual approach to
this project. However, when I made the comment previously I was
indicating that the hotspot devices where the WAP and authentication
unit were integrated are not sufficient. What I need is a system that
ties multiple wireless access points together for authentication and
security. I am specifically looking for prices for a vendor neutral
access controller to serve the above objective. If the access
controller provides the necessary functions but must be paired with
same brand access points then I will still consider it.

As far as help desk functions, I know that the tenants will need tech
support. Don't get me wrong, this has always been understood.
However, what is specifically unacceptable is requiring technician
intervention to grant a system access to the network. Also
unacceptable is a system which cannot accommodate remote administration.
An end user can only be expected to handle so much before a
professional is required to intervene. In a corporate setting one does
not give the employees a checklist of instructions on how to get hooked
in to the 802.1X system, the IT staff does this. In a hotel one does
not keep a staff IT person around to help out with the complimentary
WIFI access. You either have ultra-secure and complex, minimally
secure and easy, or something in between. My goal is to figure out how
to gain basically secure internet connections (WPA level or better) for
tenants and guests without making it any more complicated than logging
in to a hotel or airport hotspot.

Thanks,

Tim




Jeff Liebermann wrote:
> (E-Mail Removed) hath wroth:
>
> >Pretty much everything listed there is on a smaller scale than what I'm
> >looking for ...

>
> Could you elaborate on the "scale" that you're looking for?
> Number of connected wireless clients?
> Number of connected wired clients?
> Type and bandwidth or backhaul? Number of backhauls?
> Approximate area of required coverage?
> Type of building construction? Number of floors?
> Indoor, outdoor, or both?
> Is "illumination" from outside the building possible?
> Availability of offsite support and admin?
> Any monitoring required?
> How do you plan to deal with abuse, worm infected machines, outages,
> support, account administration, and billing?
>
> In effect, you're asking for a detailed bid and proposal, which is
> rather difficult without numbers.
>
> There are a few assumptions in your list of requirements. One that's
> wrong is that you cannot simultaneously run WPA encryption and open
> access on the same wireless router. See Sonicwall "security zones"
> and the beta version of DD-WRT 2.4 for how it's done. Also, the
> latest FON firmware has this feature. Some 3com access points also
> support this feature. Look for devices that support multiple SSID's
> as they usually also have this feature. I can dig out the models
> later if your interested.
>
> Another assumption is that you can deploy such a system without any
> available maintenance or support services. That's not going to work.
> In effect, you're setting up something similar to a wire line ISP, but
> with the added entertainment value of a non-reliable delivery
> mechanism. Your customers need to have someone to call for help or
> they won't pay the bill.
>
> Gotta run...
> --
> Jeff Liebermann (E-Mail Removed)
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558
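
Jeff's multi-SSID point applied to the two user classes in the original requirements (WPA for tenants, open for guests, guests throttled to about 256k down / 128k up), as an added example rather than anything from the thread or from a product named in it. The tool and names are assumptions: hostapd as the AP daemon on a radio called wlan0, two bridges br-tenant and br-guest so the gateway can apply a different firewall and shaping policy per class, WAN eth0 at an assumed 100mbit, and per-tenant passphrases in /etc/hostapd/tenant.psk. hostapd_conf prints the AP configuration; shaping_rules and guest_client_class print the tc/iptables commands.

```shell
#!/bin/sh
# Added example, not code from the thread: one radio carrying two SSIDs,
# with the two classes of user mapped onto them: tenants on WPA2-PSK,
# guests on an open SSID throttled to roughly 256k down / 128k up.
# All names are assumptions: radio wlan0, bridges br-tenant and br-guest,
# WAN eth0, hostapd as the AP daemon, per-station passphrases in
# /etc/hostapd/tenant.psk.  hostapd_conf prints a hostapd.conf;
# shaping_rules and guest_client_class print tc/iptables commands.

RADIO=${RADIO:-wlan0}
TENANT_SSID=${TENANT_SSID:-Tenants}
GUEST_SSID=${GUEST_SSID:-Guest}
TENANT_PSK_FILE=${TENANT_PSK_FILE:-/etc/hostapd/tenant.psk}
WAN_IF=${WAN_IF:-eth0}
WAN_RATE=${WAN_RATE:-100mbit}

hostapd_conf() {
    cat <<EOF
interface=$RADIO
driver=nl80211
hw_mode=g
channel=6
# BSS 1: tenants.  WPA2 with CCMP only.  wpa_psk_file gives every tenant
# their own passphrase (one "MAC passphrase" line each), so revoking one
# tenant does not mean re-keying the whole building.
ssid=$TENANT_SSID
bridge=br-tenant
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_psk_file=$TENANT_PSK_FILE
ap_isolate=1
# BSS 2: guests.  Open authentication, on its own bridge so the gateway
# can apply a different firewall and shaping policy to it.
bss=${RADIO}_1
ssid=$GUEST_SSID
bridge=br-guest
wpa=0
ap_isolate=1
EOF
}

# Root queueing disciplines.  Downstream is shaped where the gateway
# transmits onto the guest bridge, upstream where it transmits onto the
# WAN.  Guest traffic not yet assigned a class shares 1:10 (256kbit);
# everything else on the WAN (tenants) sits in 2:1 at line rate.
shaping_rules() {
    cat <<EOF
tc qdisc add dev br-guest root handle 1: htb default 10
tc class add dev br-guest parent 1: classid 1:10 htb rate 256kbit ceil 256kbit
tc qdisc add dev $WAN_IF root handle 2: htb default 1
tc class add dev $WAN_IF parent 2: classid 2:1 htb rate $WAN_RATE
EOF
}

# Per-guest classes, added when a guest is admitted.  $1 = guest IP,
# $2 = class id in hex (unique, not 10).  tc reads class minors as hex,
# so the fwmark is written as 0x$2 to keep mark and class id equal.
# Upstream is selected by fwmark set in FORWARD, because tc on the WAN
# sees the packet after NAT has already rewritten the source address.
# Both arguments are validated: this is the one place portal input
# reaches a shell command line.
guest_client_class() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s' "$2" | grep -Eq '^[0-9a-fA-F]{1,4}$' || return 1
    cat <<EOF
tc class add dev br-guest parent 1: classid 1:$2 htb rate 256kbit ceil 256kbit
tc filter add dev br-guest parent 1: protocol ip u32 match ip dst $1/32 flowid 1:$2
iptables -t mangle -A FORWARD -i br-guest -s $1 -j MARK --set-mark 0x$2
tc class add dev $WAN_IF parent 2: classid 2:$2 htb rate 128kbit ceil 128kbit
tc filter add dev $WAN_IF parent 2: protocol ip handle 0x$2 fw flowid 2:$2
EOF
}

case "${1:-hostapd}" in
    hostapd) hostapd_conf ;;
    shaping) shaping_rules ;;
    *) echo "usage: $0 [hostapd|shaping]" >&2; exit 2 ;;
esac
```

The split does what the original post asked for without a VPN client: tenants get WPA2 on the air and land in the unthrottled WAN class, guests get the open SSID and a per-client 256k/128k class created by whatever admits them. What it does not change is the security of the guest side: an open SSID is readable by anyone in range, so guest traffic really is "at your own risk" unless the gateway also forces it into a tunnel. The per-station passphrase file only helps if tenants are actually given distinct passphrases; a single shared one puts you back to re-keying everyone when one tenant leaves.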


 
Stuart Miller
      11-13-2006, 09:50 PM
I'm a relative newcomer to the wireless game, and perhaps for that reason I
see things a bit differently.
I may be mistaken on a few things, but here goes...

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hello All,
>
> I am looking for a solution to provide wifi access in a multi dwelling
> residential unit such that it provides as many of the following points
> as possible:
>
> 1 When a user connects for the first time they see a page displaying a
> usage policy and a login screen. Guest login is allowed, but
> registered login is optional and recommended, passwords and logins
> administered through the building management.
>
> 2 The Network Access Controller to provide the ability to throttle down
> guest connections to around 256k down, 128k up, while leaving
> registered users' connections a great deal more robust.
>


Seems to me you have two classes of users, so you need two sub-nets here.
Since they are both internet only, there is no need to interconnect them.
Therefore two separate wired/wireless routers should satisfy things:
separate channels, separate IDs, etc.
Configure each to suit the separate needs.

> 3 Connection is simple for the end user and requires no VPN client
> software.
>


Usual windoze idiot-proof connections...

> 4 The connection is nonetheless secured in a responsible fashion


conflicts with above, so separate them

>

8<---------------------------------

How do you intend to service these clients? Specifically, what kind of
internet connection will you have?
Does your ISP allow you to sub-let your connection?
What about spammers who use your unsecured connection to do their stuff?

Stuart


 
Frazer Jolly Goodfellow
      11-13-2006, 10:58 PM
John Navas <(E-Mail Removed)> wrote in
news(E-Mail Removed):

> No need -- *encryption* security of WPA has nothing to do with
> key strength. The key is only for *authentication* (not
> encryption), and can be made very weak when no authentication is
> needed; e.g., passphrase of "password" or "key". Encryption
> will still be strong, ...
>
>


You *appear* to be contradicting your own advice re WPA: i.e. "ALERT:
WPA can be less secure than WEP", "USE A PASSPHRASE WITH MORE THAN 20
CHARACTERS" and "the only value PSK has is if only truly random keys
are used", etc. What have I misunderstood?
 