TBBroadband, Member (join:2012-10-26, Fremont, OH):
[Other] Authenticate via Ethernet

I'm working on building a network but want to authenticate the users/clients before they're able to access the network/Internet. Anyone have any advice? I've looked at using PPPoE via Radius but I'm not sure if I want to do that.

shdesigns ("Powered By Infinite Improbability Drive"), Premium Member (join:2000-12-01, Stone Mountain, GA), 2 recommendations:
I've seen it integrated in a managed switch. Look at how a managed switch supports 802.1X via an attached radius server.

Brano ("I hate Vogons"), MVM (join:2002-06-25, Burlington, ON; (Software) OPNsense, Ubiquiti UniFi UAP-AC-PRO, Ubiquiti NanoBeam M5 16), 1 recommendation, to TBBroadband:
Two different things.

1) Authenticating access to LAN is possible, but quite complex and costly. As already mentioned look into 802.1x and Radius.

2) Access control to internet is relatively simple. All you need is a gateway box (internet router) with captive portal or authentication capability. Any open-wrt / dd-wrt / tomato can do this for you or for example ZyXel USG series routers (and many other brands too). This is the same approach as in Starbucks or similar shops.
For bigger user base you may need to combine this with Radius or LDAP or AD for easier management.
Alternatively you can allow access by source IP or network.

Anav ("Sarcastic Llama? Naw, Just Acerbic"), Premium Member (join:2001-07-16, Dartmouth, NS), 1 recommendation, to TBBroadband:
What is the requirement in terms of

a. how people are connecting to the network (wired, wireless??)
b. how many people
c. is it just at one site
d. do the people remain constant or is it new people everyday - what is the breakdown
e. do all people have the same rights and privileges on this network.
f. do people have to share printers or be able to transfer files between one another.
g. do they pay to connect, monthly bill?????

the more info provided the better responses ye shall get.

TBBroadband, Member:
a- about 35 offices total. a mix of both wireless and wired
b- between 35 and 100 at any time
c- one site at this time, but will expand into other sites as well.
d- both - a complete mix.
e- no. the public wireless for "guest access" will not have full rights and access as the offices.
f- yes they will need to- printers.
g- yes some will pay and others will be free- guest access with limited use/rights.

HELLFIRE, MVM (join:2009-11-25), 1 recommendation, to TBBroadband:
2nd Anav, the more information, the better suggestions we can make.

Two other questions, what's your budget? And what's the level of technical expertise you have available to support this? Put another way, you're supporting this with your brain and google? Or are you willing to pay someone to do so?

Regards

TBBroadband, Member:
Budget is on the low end-- under $500.. And I will be supporting it myself.

Anav, Premium Member, 1 recommendation:
Wow, okay, sounds like you need to go cheap on routers and use ddwrt or perhaps a pc based pfsense solution that includes radius server....
I personally would not take on such responsibility with such a low starting budget.

TBBroadband, Member:
The network is going to be small starting out though. So it can be upgraded and budget expanded. Most of the office building isn't rented/leased yet. And I don't want to spend a ton of money on something that isn't going to be fully used for many years.

I'm debating about using a simple radius server and RouterBoard hardware and going that way. I can have it set up to captive portal/PPPoE the wired side, and also do the wireless.

old_tech, Premium Member (join:2013-03-31, Springfield, IL), to TBBroadband:
At $500, it is not going to do anything for what you are wanting to do. If this is a small business LAN environment, the last thing you want is a Captive portal setup.

What you are talking, is managed switches, VPN between offices, domains for each office, etc.

Not something again that can be done on a $500 budget.

Anav, Premium Member, 1 recommendation:
Well I would certainly look at more than one device, one of which would be a main router, a main switch, potentially a hotel scale internet access device (with built in users and add on users) and enough wifi devices spread out for decent coverage.

TBBroadband, Member, to old_tech:
This is NOT a typical office environment. The building owners lease out EACH office to small businesses. So meaning- if you pay for the Internet, you get it, Don't pay - don't get it.

Other companies doing this is: www.regus.com

But thanks

TBBroadband, Member, to Anav:
Thanks

Do you know of any good hotel scale devices for this, that don't make you use their company for complete service?

old_tech, Premium Member, to TBBroadband:
The big problem is, depending on the business's needs, or that they are needing a secured connection, your idea only works in theory. Also if you have never experienced a connection being saturated by users that are uploading pdf's and other data to other sites, this will only again work in a situation, that the office users are only pulling email with no attachments, and not needing to pull large files for multiple users.

I personally have seen a 100meg connection turn into a 56k connection after having 20 office users saturate it so much with multiple downloads at the same time.

TBBroadband, Member:
My idea is the idea is what the building owners proposed to me. And actually what they want as no telecom company has rights to enter the building. There is no cable, nor telephone company wiring in the building and is not subject. All leases state that as well.

mackey, Premium Member (join:2007-08-20), to TBBroadband:
Since it's a per office thing, instead of 802.1x or a captive portal, would going to the equipment room and plugging/unplugging cables be good enough?

I would use a "smart" switch (don't need a full blown L3 managed switch) to put the offices on different VLANs and a Linux box acting as a firewall/router/RADIUS server/captive portal for the wireless clients. Personally I'm a fan of the D-Link DGS-1210 line of switches as they do VLANs pretty good and support 802.1x, and the 24 port version can be had for $150-$200 new. On the captive portal side, I've used CoovaChilli before with great success. With the RADIUS server behind CoovaChilli pulling its info from a MySQL database device management is pretty easy, plus you have a RADIUS server ready to go should you decide to use 802.1x on the switch. For the WiFi, you're going to need something which supports multiple SSIDs and VLANs. The last time I built something like this I used the (now discontinued) D-Link DWL-3200AP as it supports that out of the box, but anything that will run OpenWRT should work (just make sure the WiFi chip supports multiple SSIDs!).

So yes, you can do this for $500, but it's gonna be a whole bunch of "roll your own."

/M
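The 802.1X-via-RADIUS suggestion that shdesigns, Brano and mackey make all hinges on one mechanism: a switch and a RADIUS server that share a secret, and the server handing back the VLAN an office should land on. The following is an added example, not code from this thread or from any vendor mentioned in it, and it uses only the Python standard library. It builds a RADIUS Access-Request with a PAP-style User-Password and a Message-Authenticator (RFC 2865/2869), lets a simulated server check it against a constructed tenant table, and has the simulated switch verify the Access-Accept's Response Authenticator and read the Tunnel-* attributes that RFC 3580 uses for dynamic VLAN assignment. A real 802.1X port carries an EAP conversation inside these packets rather than a plain User-Password; the framing, shared-secret checks and VLAN attributes are the same. The tenant table, usernames, passwords, VLAN numbers and shared secret are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 2869, RFC 3580)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6   # Tunnel-Type and Tunnel-Medium-Type values for VLAN assignment

# Constructed (hypothetical) tenant table: username -> (password, that office's VLAN)
TENANTS = {b"suite-101": (b"pw-101-example", 101), b"suite-102": (b"pw-102-example", 102)}

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, n = struct.unpack("!BB", blob[i:i + 2])
        if n < 2 or i + n > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + n]))
        i += n
    return attrs

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block).
    # Only the shared secret protects it, so keep RADIUS traffic off tenant-reachable segments.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for k in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[k:k + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for k in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[k:k + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[k:k + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs, secret):
    # Message-Authenticator (RFC 2869): HMAC-MD5 over the packet with its own value zeroed,
    # keyed with the shared secret, so a forged or altered packet is detectable
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    return header + body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()

def verify_message_authenticator(packet, secret, request_auth=None):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    attrs = decode_attrs(packet[20:])
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    # replies are HMACed with the *request* authenticator sitting in the header field
    auth = packet[4:20] if request_auth is None else request_auth
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, packet[:4] + auth + zeroed, hashlib.md5).digest()
    return len(macs) == 1 and hmac.compare_digest(expected, macs[0])

def vlan_attrs(vlan_id, tag=0):
    # RFC 3580 dynamic VLAN: a tag byte, then a 3-byte integer (or a string for the group id)
    return [(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())]

def build_access_accept(ident, request_auth, vlan_id, secret):
    pkt = build_packet(ACCESS_ACCEPT, ident, request_auth, vlan_attrs(vlan_id), secret)
    # Response Authenticator = MD5(code | id | length | request authenticator | attrs | secret)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]

def verify_response(packet, request_auth, secret):
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20]) and verify_message_authenticator(packet, secret, request_auth)

def assigned_vlan(packet):
    attrs = dict(decode_attrs(packet[20:]))
    if (attrs.get(TUNNEL_TYPE, b"")[1:], attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:]) != (VLAN.to_bytes(3, "big"), IEEE_802.to_bytes(3, "big")):
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    return int(group[1:] if group[0] <= 0x1F else group)  # a leading byte <= 0x1F is a tag

def run_exchange(secret, username, password, tenants=TENANTS):
    """Switch sends Access-Request, server answers, switch validates; returns the VLAN or None."""
    request_auth = os.urandom(16)
    req = build_packet(ACCESS_REQUEST, 7, request_auth, [(USER_NAME, username),
                       (USER_PASSWORD, hide_password(password, secret, request_auth))], secret)
    if not verify_message_authenticator(req, secret):           # server: drop forged requests
        return None
    attrs = dict(decode_attrs(req[20:]))
    entry = tenants.get(attrs.get(USER_NAME))
    if entry is None or not hmac.compare_digest(entry[0], reveal_password(attrs[USER_PASSWORD], secret, req[4:20])):
        return None                                              # server: Access-Reject
    accept = build_access_accept(req[1], req[4:20], entry[1], secret)
    if not verify_response(accept, request_auth, secret):        # switch: reply must prove the secret
        return None
    return assigned_vlan(accept)
```

`run_exchange(b"example-shared-secret", b"suite-101", b"pw-101-example")` returns 101, the VLAN the switch would then apply to that port. The two things worth noticing as the operator of such a network: everything in the exchange rests on the shared secret and MD5, so the RADIUS server belongs on a management VLAN the tenants cannot reach, and a server should discard Access-Requests whose Message-Authenticator does not verify rather than answering them.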

imanon (@comcast.net), Anon, to TBBroadband:
You could use a captive portal like DNS Redirector for this, which is 100% non-dependent on outside/cloud service(s) to work.

The catch is it would only secure things by name... So getting to the Internet, no problem, all users would have to pass through the captive portal (with a common login, or a unique login, or after they pay) The potential shortcoming I see is it only "secures" things where name resolution is needed to work, meaning if you have IP printers on the network, and if someone knew the IP of the printer directly, they could set up the drive on their machine and print to it regardless of passing through the captive portal or not.

You'd have the option to make everyone pass through the captive portal once per day, or longer. You could create your own HTML pages that would allow "Company A" to click here for access, or "Company B" click here, and each have a unique password - or you could offer "Company C" which is not on a Internet access plan to click here and pay for a 1 day-pass, etc. You would have to design these pages and/or database in PHP or ASP of just HTML yourself, DNS Redirector doesn't do any of that for you as far as I'm aware.

This captive portal approach also has the advantage of directing clients to an "Intranet" kind of page after login, where you could list all the printers in the building, if any are down/out of service, or a form on how to contact support, where the coffee machine is, how to get an extra patch cable (link to your help-desk/ticket system) etc.

billaustin ("they call me Mr. Bill"), MVM (join:2001-10-13, North Las Vegas, NV), to TBBroadband:
I've done work in quite a few locations like this. None of the sites I've been in use authentication for wired users. What I usually see is a cable modem connected to a router that feeds a bank of basic 24-port switches. Each office has three feeds from the network closet, one for telephone, one for internet, and one occasionally used for FAX or as a connection to another office.

Many of the suites have their own router connected to the internet feed. Others have their own cable modem or DSL connection that their internet feed connects to instead of the shared switches.

Wireless, when installed, is shared for those that want to use it. One of the more common uses is for smartphones. Some change the password once a month, others never do. Most of the ones I've been in do not have Guest internet access.

You can make this as easy, or as hard, as you want. Many places offer free internet with rental, with no type of service or security guarantee. The renters that rely on internet usually order their own connection.

billaustin, MVM, to TBBroadband:
said by TBBroadband:

My idea is the idea is what the building owners proposed to me. And actually what they want as no telecom company has rights to enter the building. There is no cable, nor telephone company wiring in the building and is not subject. All leases state that as well.

Do the building owners want to be the ISP and the Telco for all the renters? If no Telecom companies have rights to enter the building, where will you get your service from? Not being able to get various services from the provider of their choice, will turn away many possible renters.

It may be different in Ohio. Here, the buildings are wired when built, or remodeled, and the wiring is put in by the owner/renter/lessee and becomes part of the structure. The Telecom providers bring a feed in from the street to the main phone room. Their services are distributed from there, as needed, over the existing wiring in the building. The providers don't claim ownership to anything beyond their equipment in the phone room, and rarely is a provider barred from a facility.

old_tech, Premium Member, to TBBroadband:
said by TBBroadband:

My idea is the idea is what the building owners proposed to me. And actually what they want as no telecom company has rights to enter the building. There is no cable, nor telephone company wiring in the building and is not subject. All leases state that as well.

That is going to be hard to do, in not allowing utilities into the building, such as catv, telephone, ISP's. You really should consult with an attorney on this matter, due to once a utility, ISP, etc. has equipment or connections inside the building, and when they need to enter the premise to maintain the structure, make connections or changes, for Internet, telephone, catv, even electric, and the building owner does not allow entrance to the structure, then it gives the provider of the service the right to disconnect the premise from their plant, or summon the building or tenant to court to have a judge intervene to state that the utility has the right to enter upon notice, or in case of an emergency, no notice is needed.

You really start opening up a huge can of worms, when you start telling providers of services & utilities that they cannot enter the structure, which ends up with them usually showing up with a police escort at that point, with warrant of entrance in hand.

switchman, Member (join:1999-11-06; ARRIS SB6183, (Software) OPNsense), to TBBroadband:
Each customer needs their own VLAN to stay separate from the other users in the office. That says you need a smart switch. You could then use a L3 router at the gateway to do the routing for each vlan to the service provider. You will need to traffic shape the data prior to handing off to the ISP. Make sure you keep logs.

clarknova, Member (join:2010-02-23, Grande Prairie, AB):
said by switchman:

Each customer needs their own VLAN to stay separate from the other users in the office.

Not if he goes with PPPoE, I think.

To the OP: Anything automated is probably going to blow through your budget. If you're willing to babysit a little bit to save money then you could just get a smart switch and manually disable ports for non-paying customers. Most wireless APs are able to blacklist MACs, but this is easily spoofed.

PPPoE is a way to filter clients. Client databases are usually provided by RADIUS or a directory service, but some routers like pfsense can also use an internal database. I believe Ubiquiti's EdgeRouters do as well.

A third option is captive portal. Again, pfsense includes this, as do some wireless systems such as Ubiquiti's Unifi.

Anav, Premium Member, 1 recommendation, to TBBroadband:
One device that may be helpful to service the various groups is the zyxel VSG1200v2. Not sure if it is what you're looking for but it can take bandwidth and distribute it so that it provides rate limiting and BWM management. It contains an internal database and you can also point to a radius server as well. Designed for hotel internet access primarily.

UserGuide: »ftp://ftp2.zyxel.com/VSG-1200_ ··· _ed1.pdf

data sheet: »ftp://ftp2.zyxel.com/VSG-1200_ ··· V2_6.pdf

TBBroadband, Member, to mackey:
Thanks. But as for the Wireless- the public and the tenants would be on the same system- The only difference is the way you login- free for X amount per day or you pay to have it unlocked. By using the same system for both wireless and wired for the offices would be great.

I am looking at using Cloudessa for the Radius server since it's hosted and I can use it for both wireless and wired networks and only maintain one database.

And I have no problems rolling my own.

TBBroadband, Member, to billaustin:
I have been given rights to become the Telco/ISP in this building. And it is NOT wired for anything except the former company that was there (wired network) and that's to the telco room. Phone was a hosted PBX/VoIP System.

And as far as various providers- in many managed buildings such as this- its very common- again there are many providers that do such a thing- the major owner/operator in the world does just this: www.regus.com And it works as each renter does not have to sign contracts, pay deposits, nor anything else for Internet. It's ready to go when they are. not when X ISP is able to provide it.

TBBroadband, Member, to old_tech:
Again; this is legal to do so on rented property and happens all the time. Please visit the above link that I have provided where other companies have done this. It's 100% Legal and any property owner can keep X provider out if wiring is not installed/permitted in the building. And currently no cable nor phone company has wiring in this building. Never had from the start of the building being built. Nothing needs to be disconnected nor such as you would claim if the building owner refuses access since there is NOTHING in the building they would need access to. Electric and gas are fed to the building already just fine and are maintained by the property owner.

And again; the utility companies that are required and permitted are already in the building. And you do realize how long a warrant takes to obtain right? It's just not a rubber stamp allow and as far as a phone company getting one to install service- not going to happen easily. Let alone they can be removed for trespassing in the building if they're not invited to be there, and it is legal for property owners to secure deals with private companies for services. Happens all the time.

old_tech, Premium Member:
Actually it is quicker than you think for a warrant to be issued by a judge. Yes, if the utility is not in the building, then there is no need for that utility to enter the premise, but for Power, Gas, telephone, catv, Fiber, for Internet or phone, the utility or service provider that has lines entering the premise, or equipment on site, will inform the building owner that they need to enter.

If it is an emergency situation, you cannot bar any utility or service provider entrance in the structure. May want to read up on the laws for your state & local municipality.

Also they cannot be removed for trespassing in the building, if they are there to perform work in the duties of their job, or in the case of CATV, if there is an Egress or Ingress issue, they will again inform the property owner that they need to enter, same goes for telephone companies. If the owner bars them entrance, then the connection will be removed at the pole or in the ground, and the owner will be notified that until entrance is granted, service will not be restored.

The next step if the building owner continues to violate the agreement with the utility or service provider, then expect a summons to appear in court.

old_tech, Premium Member:
BTW, the link you posted is for a service that creates virtual offices, not something that really is more than an advertisement for a company that has secured millions of dollars in venture capital that has equipment in NOC's, and as for on premise, you may want to read the info in that link you posted.

There is a difference what Regus does, than what you are wanting to do.

TBBroadband, Member, to old_tech:
Again- THERE IS NO EQUIPMENT NOR LINES FOR CATV NOR TELEPHONE IN THE BUILDING!

TBBroadband, Member, to old_tech:
Actually there is no difference between the way Regus works and the way my network would work. They operate the Internet the same way. And actually they do not have their own NOC. They have simple T1s in the buildings and run their own PBX system over that data T1. You would know that by talking to them and their local offices.

But thanks for not helping and only claiming that the building has services from other providers when in fact it doesn't.