I am needing to set up a wi-fi hotspot at my local coffee shop. I have considered ZoneCD and LessNetworks, but those require reliance on an outside service which may or may not be there when we need it.
As a result, I have been building my own implementation from scratch on FreeBSD, using php and mysql for the authentication, squid for the transparent proxy, dansguardian for content checking, but I haven't figured out what to use to allow previously unauthenticated users who have authenticated full access through the proxy. I've been thinking about iptables filtering on mac address, but that seems like overkill, especially with having to restart iptables every time a user authenticates.
Does anyone here have any suggestions?
-- Isaac Grover, Owner Quality Computer Services of River Falls, Wisconsin Affordable I. T. Consulting, Web Design, and Web Hosting. Commercial and Residential Inquiries Welcomed. Web:
Sure. This strikes me as a bit of overkill for a coffee shop. There are various hot spot implimentations based on NoCatAuth that might be suitable. If you want proper authentication, use a RADIUS server either locally or on the internet. (Yeah, I know it might not be there when you need it). Search Google for "NoCatAuth Hotspot" for lots of implimentations and mutations.
Proxy servers are nice for security and anonymity, it's an awful adminstrative time burner. I used to manage a SOCKS 5 proxy firewall which eventually accumulated more exceptions than rules over the years. Every stupid program that wanted to update itself over the internet with it's own favorite IP socket number had to be individually configured. H.323 was almost impossible to get working. While a proxy server will certainly block attacks from the internet and provide some anonymity, methinks simple NAT with a stateful packet inspection firewall is more than adequate for a coffee shop.
Reading between your lines, it seems that you're writing your own authentication and authorization system (with PHP and MySQL). That's fine but RADIUS and 801.1x already do that. However, for a simple coffee shop, I don't think you need the ultimate in security and authentication. A simple database to store successful logins and authorizations, a means to expire entries, and some method of hacker detection should be adequate.
Your specific question of:
can be handled crudely by just dropping a cookie in the clients web cache with a corresponding entry in the SQL database. When the user returns and hits the initial splash screen, the web server grabs the cookie, compares the contents with the SQL database, and bypasses the login and password authorization ordeal if they match. That's not terribly secure because the cookie can be sniffed and cloned, but methinks good enough for a coffee shop environment.
Also, make sure you have some form of "client isolation" or what Linksys misnamed "AP isolation" to keep clients from seeing each others traffic or attacking each other. That will save you considerable grief in a coffee shop environment. Also, bandwidth managment is a good idea.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.