On 10 Sep 2006 13:34:37 -0700, "Isaac Grover" wrote:
>I am needing to set up a wi-fi hotspot at my local coffee shop. I have
>considered ZoneCD and LessNetworks, but those require reliance on an
>outside service which may or may not be there when we need it.
>
>As a result, I have been building my own implementation from scratch on
>FreeBSD, using php and mysql for the authentication, squid for the
>transparent proxy, dansguardian for content checking, but I haven't
>figured out what to use to allow previously unauthenticated users who
>have authenticated full access through the proxy. I've been thinking
>about iptables filtering on mac address, but that seems like overkill,
>especially with having to restart iptables every time a user
>authenticates.
>
>Does anyone here have any suggestions?

Sure. This strikes me as a bit of overkill for a coffee shop. There
are various hot spot implementations based on NoCatAuth that might be
suitable. If you want proper authentication, use a RADIUS server
either locally or on the internet. (Yeah, I know it might not be
there when you need it). Search Google for "NoCatAuth Hotspot" for
lots of implementations and mutations.

Proxy servers are nice for security and anonymity, but they're an awful
administrative time burner. I used to manage a SOCKS 5 proxy firewall
which eventually accumulated more exceptions than rules over the
years. Every stupid program that wanted to update itself over the
internet with its own favorite IP socket number had to be
individually configured. H.323 was almost impossible to get working.
While a proxy server will certainly block attacks from the internet
and provide some anonymity, methinks simple NAT with a stateful packet
inspection firewall is more than adequate for a coffee shop.

Reading between your lines, it seems that you're writing your own
authentication and authorization system (with PHP and MySQL). That's
fine but RADIUS and 802.1X already do that. However, for a simple
coffee shop, I don't think you need the ultimate in security and
authentication. A simple database to store successful logins and
authorizations, a means to expire entries, and some method of hacker
detection should be adequate.

Your specific question of:
> I haven't figured out what to use to allow previously
> unauthenticated users who have authenticated full access
> through the proxy
can be handled crudely by just dropping a cookie in the client's web
cache with a corresponding entry in the SQL database. When the user
returns and hits the initial splash screen, the web server grabs the
cookie, compares the contents with the SQL database, and bypasses the
login and password authorization ordeal if they match. That's not
terribly secure because the cookie can be sniffed and cloned, but
methinks good enough for a coffee shop environment.

Also, make sure you have some form of "client isolation" or what
Linksys misnamed "AP isolation" to keep clients from seeing each
other's traffic or attacking each other. That will save you
considerable grief in a coffee shop environment. Also, bandwidth
management is a good idea.

Also, from the alt.internet.wireless FAQ:
http://wireless.wikia.com/wiki/Wi-Fi...etup_a_hotspot

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com
# http://www.LearnByDestroying.com AE6KS
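The "cookie plus a matching SQL row, with a way to expire entries" scheme the reply sketches, written out as an added example that is not code from either poster. It uses an in-memory sqlite3 table in place of the MySQL database the original poster mentions; the table layout, the 4-hour lifetime and the idea of binding the row to the client address (which narrows, but does not remove, the sniffed-and-cloned cookie problem the reply warns about) are this example's own assumptions. Only a hash of the cookie value is stored, so a copy of the table on its own does not yield usable cookies.

```python
"""Minimal "remember this client" store for a captive portal splash page.

Added example modelled on the thread's advice; not code from the thread.
sqlite3 in memory stands in for the poster's MySQL table so it runs offline.
Table/column names, SESSION_TTL and the bind-to-client-address rule are
assumptions made for this example.
"""
import hashlib
import secrets
import sqlite3
import time
from typing import Optional

SESSION_TTL = 4 * 3600  # seconds a remembered login stays valid (assumed value)


def open_store() -> sqlite3.Connection:
    """Create the session table (constructed schema for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " token_hash TEXT PRIMARY KEY,"
        " username   TEXT NOT NULL,"
        " client_ip  TEXT NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def _hash(token: str) -> str:
    """Cookie values are stored hashed, never in the clear."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(db: sqlite3.Connection, username: str, client_ip: str,
                 now: Optional[float] = None) -> str:
    """After a successful login: mint a random token, store its hash with an
    expiry and the issuing client's address, return the value for the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO sessions VALUES (?, ?, ?, ?)",
        (_hash(token), username, client_ip, int(now + SESSION_TTL)),
    )
    db.commit()
    return token


def check_cookie(db: sqlite3.Connection, token: str, client_ip: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Called when a client hits the splash page carrying a cookie.

    Returns the username if the cookie is known, unexpired and presented from
    the address it was issued to; otherwise None, and the portal falls through
    to the normal login form."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT username, client_ip, expires_at FROM sessions WHERE token_hash = ?",
        (_hash(token),),
    ).fetchone()
    if row is None:
        return None
    username, bound_ip, expires_at = row
    if now >= expires_at or bound_ip != client_ip:
        return None
    return username


def expire_sessions(db: sqlite3.Connection, now: Optional[float] = None) -> int:
    """Housekeeping job: drop rows past their expiry. Returns the count removed."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM sessions WHERE expires_at <= ?", (int(now),))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    store = open_store()
    t0 = 1_000_000.0  # fixed clock so the run is reproducible
    cookie = issue_cookie(store, "alice", "10.0.0.23", now=t0)
    print(check_cookie(store, cookie, "10.0.0.23", now=t0 + 60))               # alice
    print(check_cookie(store, cookie, "10.0.0.99", now=t0 + 60))               # None: other client
    print(check_cookie(store, cookie, "10.0.0.23", now=t0 + SESSION_TTL + 1))  # None: expired
    print(expire_sessions(store, now=t0 + SESSION_TTL + 1))                    # 1
```

In a real portal the `client_ip` value would come from the web server's view of the connecting client, and the expiry sweep would run from cron alongside whatever removes the client from the firewall's allowed set.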