
If I have an open mesh wireless network (or, really, any open access network) and I want to keep the network open access, that is, anyone with the right hardware should be able to connect and talk to other computers on the network, but I want to require authentication for Internet access, what should I use?

PPP seems like the right tool for the job. I thought at first PPPoE, but I've been informed that probably cannot work over wireless. So then I have to tunnel using PPTP? I'm trying to minimize overhead, which is why I initially shied away from PPTP/OpenVPN solutions.

If IPsec can be run in tunnel mode without encryption, that may also achieve this, I think.

Are there other good solutions that I'm not thinking of?

Note that I do not consider using an HTTP proxy server or the other sorts of weird hacks you often see on hotel Wi-Fi acceptable solutions.

If possible I would like to make it so that people who authenticate are able to have a public IP, and not just sit behind a NAT.

singpolyma

2 Answers

While some sort of VPN may work for this, it's probably overkill. Sounds like you just need a captive portal page with some sort of authentication back-end, possibly RADIUS. I frequently use pfSense for NAT/firewall/routing on my networks, and it includes a very easy-to-configure captive portal system. Chillispot is another open-source option.

EEAA
  • Captive portal page? Doesn't that require that the user log in using a web browser? That would also require that they have a web browser on their device, and probably means they could circumvent the whole thing using DNS or ICMP tunnels? Just like hotel Wi-Fi? – singpolyma Oct 29 '10 at 19:20
  • I'd guess that pretty much any device that would want to connect would include a capable web browser. If you use VPN, the user would have to have a compatible VPN client on their device, which is less likely to happen than a simple web browser. Additionally, if you configure your DNS and firewall appropriately, users won't be able to circumvent the captive portal. – EEAA Oct 29 '10 at 19:24
  • Can these portal pages work when the users need to be able to use the full local network unfettered except for getting on the Internet? – singpolyma Oct 29 '10 at 19:33
  • Yes, for sure. That is how I have mine configured. – EEAA Oct 29 '10 at 19:33
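The split the comments describe, the local network open to everyone but Internet forwarding gated by the portal's authentication back-end, with DNS and ICMP to outside hosts blocked for unauthenticated clients, as an added example in nftables (not from the question, either answer, or pfSense/Chillispot). The LAN prefix and gateway address are assumptions passed in as arguments.

```sh
#!/bin/sh
# Added example: nftables ruleset for a gateway on an open mesh LAN. Intra-LAN
# traffic is unrestricted; forwarding to the Internet is allowed only for
# addresses the captive-portal/RADIUS back-end put in the "authenticated" set.

gen_ruleset() {
    lan="$1"  # open mesh prefix, e.g. 10.0.0.0/16 (constructed)
    gw="$2"   # gateway address running the resolver and the portal page
    cat <<EOF
table ip portal {
    set authenticated {
        type ipv4_addr
        flags timeout
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Unauthenticated HTTP bound for the Internet lands on the portal.
        ip saddr $lan ip daddr != $lan ip saddr != @authenticated tcp dport 80 dnat to $gw:80
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # The local network stays open to everyone.
        ip saddr $lan ip daddr $lan accept
        # Only admitted clients reach the Internet; there is no masquerade rule,
        # so routed clients keep a public address if the prefix is routable.
        ip saddr @authenticated ip daddr != $lan accept
        # Anything else leaving the LAN, including ICMP or DNS to outside hosts
        # (the tunnelling trick from the comments), hits the drop policy.
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # DNS and HTTP are accepted only toward the gateway itself. The resolver
        # must not recurse for unauthenticated clients (answer only the portal
        # name), or a DNS tunnel still works through it.
        ip saddr $lan udp dport 53 accept
        ip saddr $lan tcp dport 53 accept
        ip saddr $lan tcp dport 80 accept
    }
}
EOF
}

# The back-end runs this once a user has authenticated; the entry expires by itself.
admit_client() {
    printf 'nft add element ip portal authenticated { %s timeout %s }\n' "$1" "$2"
}
```

Load it with `gen_ruleset 10.0.0.0/16 10.0.0.1 | nft -f -` and have the portal execute the output of `admit_client` (with the client's address and a lease such as 8h) after a successful login.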

Another option, which is used in larger networks, is 802.1X. You can use it with RADIUS, based on either Linux FreeRADIUS or Windows. You can then integrate with LDAP or ADUC depending on your environment.

gdurham