I am interested in captive portal architecture. Initially my understanding was that places such as airports and internet cafes would have all the RADIUS and AAA infrastructure on the local side of the firewall. After looking at WISP (wireless internet service provider) models, my initial ideas seemed wrong. Even if a company offers several different public wifi hotspots, would they still potentially keep the AAA server, captive portal web server and RADIUS internals on the local side of the firewall?
If they kept the RADIUS and AAA servers centralised, would they connect to this via a VPN from the firewall and have a non-VPN out onto the internet for after the users have been authenticated?
I am just trying to understand a general architecture for public wifi.
Hi, thanks for that! Just one small question, your last statement: "User traffic would be unaffected by a VPN used for RADIUS", are you saying that once a user starts to use the internet this would also go through the VPN, to the provider's server and THEN onto the internet? I guess this would allow easier monitoring and billing, rather than access the internet from the firewall but have to constantly send RADIUS packets from the user to the provider (so that the provider can bill accordingly)? – Shalom – 2011-12-30T14:15:39.890
@Shalom: No, I'm saying the opposite of that. Only traffic addressed to the AAA server would be routed into the VPN tunnel. – RedGrittyBrick – 2011-12-30T14:20:36.303
So in order to keep track of the internet usage it would be normal (and acceptable) for the AP to transmit RADIUS protocol messages back through the VPN to the AAA server? – Shalom – 2011-12-30T14:39:39.070
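
The comments above discuss a hotspot reporting usage to a central AAA server. As an added example that is not part of the original thread, this builds a RADIUS Accounting-Request (RFC 2866) carrying an Interim-Update and then validates it as the server would. The shared secret, user name, session ID and NAS address are constructed sample values.

```python
import hashlib
import hmac
import struct

# Codes and attribute types from RFC 2865/2866; Interim-Update from RFC 2869.
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 42, 43, 44
INTERIM_UPDATE = 3

def attr(attr_type, value):
    """Encode one attribute as type, length, value (integers are 32-bit)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header, body, secret):
    # Accounting Request Authenticator (RFC 2866):
    # MD5(code + id + length + 16 zero octets + attributes + shared secret)
    return hashlib.md5(header + bytes(16) + body + secret).digest()

def build_accounting_request(identifier, secret, attrs):
    """What the hotspot NAS sends to the central AAA server."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_accounting_request(packet, secret):
    """AAA side: check length and authenticator, then return {type: raw value}."""
    if (len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("malformed packet")
    body = packet[20:]
    if not hmac.compare_digest(packet[4:20], _authenticator(packet[:4], body, secret)):
        raise ValueError("bad authenticator")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

# Constructed sample values (not from the page); 192.0.2.10 is a documentation address.
SECRET = b"example-shared-secret"
SAMPLE = build_accounting_request(7, SECRET, [
    attr(USER_NAME, b"guest42"), attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    attr(ACCT_STATUS_TYPE, INTERIM_UPDATE), attr(ACCT_SESSION_ID, b"sess-0001"),
    attr(ACCT_INPUT_OCTETS, 1_500_000), attr(ACCT_OUTPUT_OCTETS, 42_000_000)])
```

The authenticator only proves knowledge of the shared secret; the attributes, including the user name and byte counters, travel unencrypted, which is one reason to carry this traffic inside the VPN.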