LinuxQuestions.org - Linux - Wireless Networking
Thread: linux wifi hotspot right for me? (http://www.linuxquestions.org/questions/linux-wireless-networking-41/linux-wifi-hotspot-right-for-me-449528/)

henrikwidth 05-29-2006 03:58 AM

linux wifi hotspot right for me?
 
Hi

I am setting up a wireless network in a local library. The network is supposed to be "as open as possible", but I still want some sort of user control. The main problem is that I won't be able to administer it, so the system has to be as easy to use as possible.

I can imagine some sort of solution like this:
The wifi user logs on to the library AP; no matter what URL (s)he enters, a main page comes up that tells them to report to the librarian. The user will then receive some sort of pre-generated key that (s)he enters on the web page and is allowed internet access for a period of time.

The setup will be something like this:

"Firewall"
three nic (Wan, Wireless, Wired)
"HotSpot"
two nics (In, Out), url-redirecting of some sort++
"AP"
Cisco AP1131

I know Cisco has some products, but I'd rather test open-source solutions first.

Best regards

Henrik

peter_robb 05-30-2006 10:06 AM

What are you trying to control?
After hours use? Content? Bandwidth? Public use?

The methods differ widely..

henrikwidth 05-30-2006 12:34 PM

Quote:

Originally Posted by peter_robb
What are you trying to control?
After hours use? Content? Bandwidth? Public use?

The methods differ widely..

Hi Peter

I already have content and bandwidth control; I just want the users to have to report to the librarian before they gain access to the network. Making a standard username/password won't work because it doesn't take long before _everyone_ knows it ;) Individual usernames/passwords are not ideal either, because I have hundreds of people coming in that will probably use my network only once. It has to be a _very_ easy system to administer, i.e. the librarian hands out a note with a pre-generated key or something like that.


Best regards
Henrik

osor 05-30-2006 02:03 PM

Quote:

Originally Posted by henrikwidth
The setup will be something like this:

"Firewall"
three nic (Wan, Wireless, Wired)
"HotSpot"
two nics (In, Out), url-redirecting of some sort++
"AP"
Cisco AP1131

I'm not exactly sure what you are trying to say here.

Code:

              [INTERNAL LAN]
                    |
              [LAN Switch]-------[Proxy]
  \|/              |
  -WWW------[ Firewall/Router ]----[WAP]******[ Clients ]
  /|\

Then your wireless and wired clients will be on different subnets (recommended). You can do a transparent proxy a few ways:
  1. Have one machine to do everything (NATing, Routing, proxying, authenticating, etc.)
  2. Have a netfilter-based firewall and a separate proxy box
The benefit of the first is a slight reduction in latency, but it has a few downsides:
It is a better security practice to have many small devices that do one thing and do that thing well rather than one device that does everything. Not only is it a bad security practice, it is harder to maintain/upgrade (especially if you -- the designer -- will not be able to administer it).

So I'll talk about the second way. You set up your firewall to manage two subnets (which shouldn't be able to talk to each other directly). All traffic from your wired LAN to the internet will be NATed by this firewall. All traffic from the wireless subnet will be forwarded to the proxy. This way, the firewall knows nothing about authentication (and it shouldn't need to).

On the proxy box you should probably set up squid, since it has a very flexible access control/authentication system (you might as well do some caching with it also). Assuming the proxy box also has basic netfilter capability, you can implement a keying system in which certain machine(s) on your LAN are able to generate and see keys. You'd probably need to write a CGI script or something to make this 'user-friendly' for the librarian. Read the squid documentation to get an idea of the kinds of authentication schemes you can use.

P.S. What's the difference between HotSpot and AP?

osor 05-30-2006 02:06 PM

Quote:

Originally Posted by osor
... Assuming the proxy box also has basic netfilter capability, you can implement a keying system in which certain machine(s) on your LAN is able to generate and see keys. ...

Actually, now that I think about it, it is a bad idea to authenticate based on netfilter and trust alone. You might need to create some sort of password scheme.
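The one-time key scheme osor sketches two posts up (the librarian hands out a pre-generated key, squid decides who may pass) and the correction just above (netfilter trust alone is not enough, so the key itself has to be the secret) can be put together in one small piece of code. What follows is an added example, not code from this thread, from squid or from the Cisco gear mentioned: it assumes the librarian's desk calls issue_key(), the portal's web form calls redeem_key() with the wireless client's IP, and squid consults an external ACL helper that reads one client IP per line and answers OK or ERR. The store is in memory here for clarity; a real deployment would share it (sqlite, a file) between the portal CGI and the helper. The squid.conf lines, the key length and the lifetimes are assumed values, not something the thread specifies.

```python
"""One-time access keys for a library hotspot (constructed example).

Design points a practitioner cares about:
  * keys are random, short, and use an alphabet without 0/O/1/I/l so a
    hand-written note is unambiguous for the user typing it in
  * only SHA-256 digests of unredeemed keys are stored, so a leaked key
    file does not hand out free access
  * a key is burned on first use and dies unredeemed after KEY_VALID_FOR
  * a session is bound to the client IP for SESSION_LENGTH seconds; on an
    open WLAN another station can take over that IP, which is a known
    limit of IP-bound portals rather than something this code prevents
  * bad redeem attempts per client IP are throttled so nobody brute-forces
    keys through the portal form

Assumed squid.conf side (assumed, not from the thread):
    external_acl_type hotspot ttl=60 %SRC /usr/local/bin/hotspot_acl.py
    acl keyed external hotspot
    http_access allow keyed
Note that ttl= caches the helper's answer, so a session ends up to that
many seconds later than SESSION_LENGTH says.
"""
import hashlib
import secrets
import sys
import time
from dataclasses import dataclass, field

KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O, 1/I/l
KEY_LENGTH = 8                                      # 32**8 ~ 1.1e12 keys
KEY_VALID_FOR = 24 * 3600     # unredeemed key expires after a day (assumed)
SESSION_LENGTH = 2 * 3600     # access granted per key (assumed)
MAX_FAILED_REDEEMS = 20       # per client IP (assumed)


def _digest(key: str) -> str:
    """Case-insensitive digest of a key; only this is ever stored."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)      # digest -> key expiry time
    sessions: dict = field(default_factory=dict)  # client IP -> session end
    failures: dict = field(default_factory=dict)  # client IP -> bad attempts

    def issue_key(self, now: float) -> str:
        """Librarian side: mint a key, remember its digest, return the text."""
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))
        self.keys[_digest(key)] = now + KEY_VALID_FOR
        return key

    def redeem_key(self, key: str, client_ip: str, now: float) -> bool:
        """Portal side: trade a valid unused key for a session on client_ip."""
        if self.failures.get(client_ip, 0) >= MAX_FAILED_REDEEMS:
            return False                           # throttled, even if right
        d = _digest(key)
        expiry = self.keys.get(d)
        if expiry is None or expiry < now:
            self.keys.pop(d, None)                 # drop a stale key if present
            self.failures[client_ip] = self.failures.get(client_ip, 0) + 1
            return False
        del self.keys[d]                           # one-time: burn on first use
        self.sessions[client_ip] = now + SESSION_LENGTH
        self.failures.pop(client_ip, None)
        return True

    def is_allowed(self, client_ip: str, now: float) -> bool:
        """Proxy side: does this client IP hold a live session?"""
        end = self.sessions.get(client_ip)
        if end is None:
            return False
        if end <= now:
            del self.sessions[client_ip]           # expired: forget it
            return False
        return True


def helper_answer(store: KeyStore, line: str, now: float) -> str:
    """One external_acl_type exchange: squid sends the %SRC token on a line,
    the helper replies OK (allow) or ERR (deny)."""
    fields = line.split()
    if not fields:
        return "ERR"
    return "OK" if store.is_allowed(fields[0], now) else "ERR"


def run_helper(store: KeyStore) -> None:
    """Loop squid drives: one request line in, one verdict line out."""
    for line in sys.stdin:
        print(helper_answer(store, line, time.time()), flush=True)


if __name__ == "__main__":
    run_helper(KeyStore())
```

A key that is guessed wrong twenty times from one client IP locks that IP out of the portal rather than the network, which is the cheap defence against someone scripting guesses against the form; the librarian can still hand that person a key, it just has to be entered from another address or after the store is reset.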

