RE: Public Wireless access (ticket / token / schedule based)

["Stefan Fouant" <sfouant () shortestpathfirst net>]

> -----Original Message-----
> From: Robert E. Seastrom [mailto:rs () seastrom com]
> Sent: Monday, December 27, 2010 11:51 PM
> To: Bill Lewis
> Cc: nanog () nanog org
> Subject: Re: Public Wireless access (ticket / token / schedule based)
>
> Is there some reason you can't run it wide open without even so much
> as a captive-portal-check-the-box thing?  All of the commercial boxes
> I've seen for doing what you say you want to do have been Deeply
> Unsatisfactory in some way (Nomadix is at the top of the list here).
>
> If you lose the authentication altogether and just make sure that
> there is a bandwidth lid on per host overall usage plus more
> conservative limits for things like the usual torrent ports and of
> course blocking certain other ports entirely...  you've just
> eliminated the administrative overhead of issuing credentials to your
> visitors and streamlined your entire process.

As Robert mentioned, all the current solutions are deeply unsatisfactory and
full of holes.  Most of the authentication based solutions simply whitelist
the user based on their MAC address which is altogether easy to spoof
(simply clone the MAC of an authenticated user and you are clear for
takeoff)...  Why incur the overhead of managing credentials with something
that can so easily circumvented.

Leave things wide open on a sandboxed subnet with the usual protections
(rate limits, blocked ports), IMO is the easiest approach...

Stefan Fouant