Q: I'm helping a local Catholic women's college set up a wireless network. We want the network to have authentication login, much like when travelling at airports. Anyone with a wireless device can get a connection, but all access to the network would be closed until they were authenticated. Our thought is that certain NIC addresses would be stored in a database. According to this database, they could be allowed immediate access or no access. If not allowed, they would need to open a browser window and sign up for access. Once the form is filled, they would be given access.

It is important to be able to suspend certain machines from having access (it could be done manually, but it would be nice if there were rules that detected viruses and could block the laptops). What software is used in airports and other public places to do automated login/sign-up?
- Steven S.

The Wizards gaze deeply into their crystal ball and respond:

Seth Goldhammer, Roving Planet
You could do this using the MAC address of the NIC, but that leaves you susceptible to MAC spoofing. We've been working with airports for a number of years delivering software for security and management. From my experience, a better alternative is to have a database of usernames and passwords. There are a handful of products, both commercial and open source, that provide gateway functionality, blocking users with a captive portal where they can provide login credentials to get further access. Open source projects worth looking at are Squid and NoCatAuth.

User accounts can be stored in a local database, but for growth you should look at directory type products such as the different LDAP services or Microsoft's Active Directory. If you ever believe you may move beyond Web authentication for stronger authentication types, such as 802.1x, you could also store accounts in a RADIUS server.

It sounds like you also want to look for a captive portal that allows users to self-register. This simply lets new users create an account and lets you collect pertinent information about that user. On the portal, look for products that let you automatically set a secure token that is transparent to the user, so users can skip this process the next time they return to the site.

Dan Simone, Trapeze Networks
Airports and public places generally use Web-based authentication that asks for a username and password. Once a username and password is validated through a browser to an AAA (authentication, authorisation and accounting) server, the MAC address of the device is then allowed onto the network. This approach is considered insecure, though, and subject to MAC address spoofing. Remember that the systems used in airports and public places are aimed at billing and revenue generation, and not security. If security, and suspending undesirable machines from having access is important, a secure authentication and encryption approach, such as 802.1x and TKIP or AES encryption is recommended.

If that level of security is acceptable to you, look for terms like "subscriber gateway" or "public access gateway" in combination with wireless LANs or Wi-Fi.

Michael Montemurro, Chantry Networks
There may be vendors that support all these features in one product; however you will likely have to build your network by combining different products.

The browser-based login that you mention does not have a standard name in the industry. A common name for this feature is “Captive Portal.” There are a number of vendors who offer products in this area; there is also open-source software that you can use to build a Web redirection solution.

It is possible to restrict access to the network based on MAC address. Most access points offer the ability to configure a “white list” to restrict network access to MAC addresses that you configure. Alternatively, there are products that let you use a RADIUS server to authorise network access for a device by its MAC address when it connects to the network.

The Captive Portal application needs to be integrated with a firewall to address your solution requirements. There are Intrusion Detection Systems (IDS) (some integrated with the firewall features) that let you scan for virus protection and block network access for a device without virus protection.

Rohit Mehra, Bluesocket
What you need for authenticating users is a wireless infrastructure device (e.g. controller, gateway) that sits on the trust boundary between the secure, wired network and your WLAN. Most of these devices support the universal access method (UAM), which is an SSL Web-based login page, and many have additional features such as MAC filtering, user blocking and bandwidth controls. Some of these systems even provide for virus/worm protection without requiring any kind of client software. The advantage is that you will be able to support all the existing authentication databases typically seen in a college or university environment, including RADIUS, LDAP, Active Directory, Kerberos, Cosign, CAS, and Pubcookie.