I have just implemented a system like that; it is not a big deal, just made of CGI scripts. Just for hotels. Let's say the guest calls the help desk and asks for permission, and from a web page they can give or deny access to any registered room.user. It provides billing, an automatic expiration process, email reporting -- to another location for billing -- as well as reporting. Once you can deal with a little bit of Perl, CGI and iptables, it is just a matter of designing the correct business rules to fit your need. You can also use squid for better performance and control. I have addressed this issue either with iptables or squid.

Daniel Robles
Cyborg Computadoras
Dominican Republic

----- Original Message -----
From: "Doug Monroe" <[EMAIL PROTECTED]>
To: "Graham Toal" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 28, 2002 2:37 PM
Subject: Re: ...(Hotel-like system)

> Graham Toal wrote:
> > We have an internal network in a public area that anyone can walk up to,
> > and plug in a PC.
> > I want someone hooking up to the network to have NO access to the outside,
> > *until*...
> >
> > the first time they use a web browser to access any outside page, it
> > is redirected to a browser on the firewall host. That browser puts up
> > a page requesting a username and password which it checks in some
> > database it has access to.
> >
> > Once the user has been validated, the ip chains are modified to allow
> > that host full routed access to the net. (For a specific length of time -
> > a timer will kick off and when that time expires, another script will be
> > run to remove the rules which permitted that IP access)
> >
> > This is basically the same system as some hotels run for internet access
> > from your room, except that they ask for a credit card whereas we ask for
> > a valid student username and password. (This is for a university environment)
> >
> > Has anyone done this before? If so please point me at it!
>
> I posed the same kind of question to this list in Aug 2001:
> http://msgs.securepoint.com/cgi-bin/get/netfilter-0108/200.html
>
> That particular project never got traction, but what I learned may be of help.
> I'd very much like to keep this discussion going, in list preferably, since
> this issue of public-access networking is timely, interesting and applicable
> to the netfilter community.
>
> There are commercial products that do these functions but at high cost
> ($10-15K), notably:
> Cisco's BBSM (Broadband Building Service Manager) and
> SolutionInc (http://www.solutioninc.com/products/hospitality.html)
>
> Being primarily for MxU markets, these solutions all have a billing component
> to hook into (for example) the Hotel PMS system. They also support other auth
> models like username/password input, not just credit card models. For example,
> when someone is renting a conference room and needs to allow all participants
> to connect, a pre-assigned username/password model is used.
>
> I believe the commercial offerings use proxy arp to force requests to an
> authentication/billing service running locally. Whether they use dynamic fw
> rules I can't say but it would seem likely that they do.
>
> What you may/may not also want is a way to segregate LAN segments and/or
> individual users from one another. In that case VLAN/802.1q can be used in
> conjunction with a switched network which supports VLAN tagging. Recent linux
> kernels > 2.4.15 support VLAN/802.1q -
> http://scry.wanfear.com/~greear/vlan.html
> and some notes on how I got VLAN working with IPtables and DHCP:
> http://www.planetconnect.com/vlan/
>
> some tangentially related links included FWIW:
> NetReg: An Automated DHCP Registration System
> http://www.usenix.org/event/lisa99/full_papers/valian/valian_html/index.html
>
> Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
> http://www.usenix.org/event/lisa99/full_papers/beck/beck_html/index.html
>
> Again...This is a great start but I'd like to keep this discussion going so if
> anyone has other ideas/info/insight to add, please chime in!
> --
> Doug Monroe
>
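The mechanics described in this thread (unauthenticated hosts get their web requests redirected to a login page on the firewall, a validated host's IP is added to the rules, and a timer later removes it) can be expressed as a small set of iptables management functions. The script below is an added example, not code from any of the posters; it assumes the public-area LAN is on eth1, that the CGI login page listens on the firewall on port 8080, and that session deadlines are kept as one file per IP under /var/lib/portal. The chain names AUTHED and AUTHED_NAT and the variable names are likewise made up for this example. Setting IPT=echo runs everything as a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example: captive-portal style rule management with iptables.
# Assumed values (not from the thread): LAN_IF, PORTAL_PORT, chain names, STATE_DIR.
IPT="${IPT:-iptables}"               # set IPT=echo to dry-run
LAN_IF="${LAN_IF:-eth1}"             # public-area LAN interface (assumed)
PORTAL_PORT="${PORTAL_PORT:-8080}"   # local CGI login page (assumed)
CHAIN="AUTHED"                       # filter chain holding ACCEPT per authenticated IP
STATE_DIR="${STATE_DIR:-/var/lib/portal}"  # one file per IP: unix time of expiry

portal_init() {
    # Create the per-user chains (ignore "already exists").
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -t nat -N "${CHAIN}_NAT" 2>/dev/null || true
    # Forwarding from the LAN: authenticated sources ACCEPT inside AUTHED,
    # everything else falls through to the default DROP.
    $IPT -A FORWARD -i "$LAN_IF" -j "$CHAIN"
    $IPT -A FORWARD -i "$LAN_IF" -j DROP
    # Web requests from unauthenticated hosts are redirected to the portal on
    # the firewall itself; authenticated hosts RETURN out of AUTHED_NAT first.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "${CHAIN}_NAT"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"
}

# grant_access <ip> <seconds>: called by the CGI after the password check passed.
grant_access() {
    ip=$1
    ttl=$2
    $IPT -A "$CHAIN" -s "$ip" -j ACCEPT
    $IPT -t nat -A "${CHAIN}_NAT" -s "$ip" -j RETURN
    mkdir -p "$STATE_DIR"
    echo "$(( $(date +%s) + ttl ))" > "$STATE_DIR/$ip"
}

# revoke_access <ip>: remove exactly the rules grant_access added.
revoke_access() {
    ip=$1
    $IPT -D "$CHAIN" -s "$ip" -j ACCEPT
    $IPT -t nat -D "${CHAIN}_NAT" -s "$ip" -j RETURN
    rm -f "$STATE_DIR/$ip"
}

# expire_sessions: run from cron; revokes every session whose deadline has passed.
expire_sessions() {
    now=$(date +%s)
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        deadline=$(cat "$f")
        if [ "$now" -ge "$deadline" ]; then
            revoke_access "$(basename "$f")"
        fi
    done
}
```

Typical use is `portal_init` once at boot, `grant_access $REMOTE_ADDR 3600` from the CGI script on a successful login, and `expire_sessions` from a cron entry every minute or so. Keeping the deadline on disk rather than in a background sleeping process means a firewall reboot does not strand rules, and revoking with the exact same match as the grant avoids accidentally deleting some other rule.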
