Ask Slashdot: Setting Up a Wireless Catch-and-Release 332
First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."
Open-mesh (Score:5, Informative)
Honestly, just use something like open-mesh, it has all the software available to do just that without too much hassle. Additionally they're more easily spaced throughout the building with less interference than you would normally get.
charge 'em (Score:4, Insightful)
Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.
You can revoke keys individually.
Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.
Re:charge 'em (Score:5, Informative)
Another option is to use a Captive Portal built into a routing device.
If you can throw together a machine with two NICs or some wireless cards, the software side can be handled with ZeroShell [zeroshell.net], or if you prefer a paid support contract, the previously open source Untangle [untangle.com].
Captive Portal requires registration with a username/password to use the wifi, and can perform metering if you wish to charge or just limit time. You can also set up different sets of web filters or firewall rules that change on a set schedule.
The Web Filtering modules will likely make your committee chair happy, as you can easily block most categories like pornography, gambling, hacking, etc.
It isn't impossible to get around of course, but should be enough for due diligence.
Good luck!
Re:charge 'em (Score:5, Informative)
Untangle (http://www.untangle.com/Lite-Package, the lite package, which I think is still free) is what I implemented at my work guest network and am implementing at my Church's guest network. Initially we deployed this with the captive portal at my work; we have some policy requirements that require logon, and the captive portal checks that compliance checkbox.
For Church we will only be using the transparent proxy features to blacklist or whitelist websites. It keeps it simple, which translates to me not having to manage it all the time (which I am sure, having time to do this, is a problem for you as well).
For the committee that is concerned about the internet access, give them access to the Untangle webpage so they can see the reports of what sites are being blocked and what is getting the most usage. This should help them be more comfortable that this is being used for good.
I would also recommend using access points that support multiple VLANs and SSIDs. This avoids placing extra WAPs just for guests and allows you to keep your guest SSID separated away from the church's systems (you will have to configure your firewall; we place the guest VLAN in a simple DMZ) that may have financial or member information on them.
Re: (Score:3)
Be aware that the combination of an unsecured wifi connection with a captive portal, while convenient for users, is fundamentally insecure. The actual data traffic is unencrypted (unless the particular application/website uses application level encryption) and anyone can gain access by spoofing the IP/MAC of an existing client.
Admin (Score:2, Insightful)
Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.
You can revoke keys individually.
Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.
That sounds like a great quick-get-the-job-done solution but here's the 'but': administration.
Most churches have an admin - one business admin. I don't know how to put it kindly so here's a prediction of what will happen based upon what I've observed with other things that these administrators do:
You will be constantly dealing with folks whose key doesn't work, keys that still work when they shouldn't, and a constant search for keys.
It will be one cluster fuck.
Volunteer IT person?
They turn over fast: they
Not sure I understand the point here (Score:5, Interesting)
You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet? Or are you trying to block the guests off your network complete? Since this is tagged as wireless why not just use WPA2 and set up your students, classes, or whatever with access?
Not sure what the point of one of those hotel pages is here.
Re: (Score:2, Insightful)
You could still try to point him in the right direction, if someone asks for the way to the airport it isn't that important if you understand why he wants to leave town!
Re:Not sure I understand the point here (Score:5, Informative)
You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet?
Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider. It's all a matter of how much management you need, because surely at least one of the patrons is there both for sunday school and for basketball practice and will leak a fixed key to everyone and their dog. Personal accounts means lots of management overhead. I assume he's looking for a simple way to give ad hoc access to the people attending the sunday school, something like a ticketing machine that'll give you a login valid for X hours. Like, you must be in the physical areas for sunday school to get a wifi login or a simple printout the teacher can bring to class that's good for the class(es) that day.
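The comment above describes a "ticketing machine" that hands out a login good for X hours, and the earlier reply warns that an open network plus captive portal authorises whatever MAC redeemed the ticket, so a cloned MAC walks straight in. The following is an added example written for this page, not code from any poster or from any product named in the thread. It keeps a voucher table and a MAC-keyed session table the way a small captive portal would; the MAC addresses, times and voucher lifetime are constructed sample data, and the gateway that would actually consult `is_allowed()` (pf, iptables, CoovaChilli, etc.) is assumed and not shown.

```python
import secrets
import time


class VoucherPortal:
    """Voucher-based captive portal session table (example code, not a product).

    A voucher is a short random code printed on a class handout, valid for a
    window of hours and redeemable once. Redeeming it binds the remaining
    time to the redeeming client's MAC; the gateway asks is_allowed(mac)
    before passing traffic instead of redirecting to the portal page.
    """

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so the walkthrough is deterministic
        self._vouchers = {}        # code -> {"expires": unix ts, "mac": None | str}
        self._sessions = {}        # mac  -> expiry unix ts

    def issue(self, hours):
        """Create a one-time voucher valid for `hours` from now; returns the code."""
        code = secrets.token_hex(4).upper()   # 8 hex chars: typeable, not guessable in a morning
        self._vouchers[code] = {"expires": self._clock() + hours * 3600, "mac": None}
        return code

    def issue_sheet(self, count, hours):
        """A printout for the teacher: `count` vouchers for today's classes."""
        return [self.issue(hours) for _ in range(count)]

    def redeem(self, code, mac):
        """Bind a voucher to `mac`. Returns True on success, False otherwise."""
        mac = mac.lower()
        voucher = self._vouchers.get(code.strip().upper())
        if voucher is None or self._clock() >= voucher["expires"]:
            return False                              # unknown or expired code
        if voucher["mac"] is not None and voucher["mac"] != mac:
            return False                              # already used by another device
        voucher["mac"] = mac
        self._sessions[mac] = voucher["expires"]
        return True

    def is_allowed(self, mac):
        """Gateway decision: pass traffic from `mac` right now?"""
        mac = mac.lower()
        expires = self._sessions.get(mac)
        if expires is None:
            return False
        if self._clock() >= expires:
            del self._sessions[mac]                   # lazy expiry
            return False
        return True

    def revoke(self, mac):
        self._sessions.pop(mac.lower(), None)


def demo():
    """Walk through one Sunday-school session; returns the observations."""
    now = [1_000_000.0]                               # constructed clock, seconds
    portal = VoucherPortal(clock=lambda: now[0])
    code = portal.issue(hours=2)
    student = "aa:bb:cc:dd:ee:01"                     # constructed sample MACs
    other = "aa:bb:cc:dd:ee:02"
    result = {}
    result["redeem_ok"] = portal.redeem(code, student)
    result["reuse_by_other_device"] = portal.redeem(code, other)
    result["student_allowed"] = portal.is_allowed(student)
    # The caveat from the thread: the portal authorises a MAC, not a person.
    # A device that clones the student's MAC inherits the session unchallenged.
    result["cloned_mac_allowed"] = portal.is_allowed("AA:BB:CC:DD:EE:01")
    now[0] += 3 * 3600                                # three hours later
    result["allowed_after_expiry"] = portal.is_allowed(student)
    result["stale_code_after_expiry"] = portal.redeem(code, student)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single-use binding and the expiry are what keep a leaked handout from turning into a permanent pass, but nothing here stops the MAC clone; only WPA2 (PSK or, better, per-user EAP) closes that, which is the point the thread keeps circling back to.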
Re: (Score:2)
It may also stop employees from (ab)using the hotel's internet connection during work hours.
Re: (Score:2)
Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider.
It's so they can make you agree to their Acceptable Use Policy first, thus waiving all responsibility for their users should one of them do something illegal.
Re:Not sure I understand the point here (Score:4, Informative)
Not all hotels charge. They just force you to agree to a EULA so they don't get into legal hassles.
Small budget with time on your hands? (Score:3, Informative)
Try to flash a Linksys:
http://www.polarcloud.com/tomato
http://www.dd-wrt.com/site/index
http://coova.org/
Just turn it off (Score:5, Insightful)
Re:Just turn it off (Score:5, Informative)
If you don't want to turn off then setup the access point to NOT broadcast the SSID (network name).
Don't.
http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43 [zdnet.com] "SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are: probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP."
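The quoted article lists the other four frame types that still carry the network name once beaconing is off. Here is an added example, not from the thread or the article, that shows it on the wire: a small 802.11 management-frame parser pulling the SSID information element out of beacons, probe requests, probe responses and (re)association requests. The frames, MAC addresses and the name "ChurchWiFi" are constructed for the example; a real capture would come from a monitor-mode interface, which is assumed and not shown.

```python
# Minimal 802.11 management-frame SSID extraction (example, constructed frames).

# Management subtypes that carry an SSID IE, mapped to the length of the
# fixed fields that sit between the 24-byte header and the tagged IEs.
FIXED_BODY_LEN = {
    0x0: 4,    # association request: capability(2) + listen interval(2)
    0x2: 10,   # reassociation request: as above + current AP address(6)
    0x4: 0,    # probe request: tagged IEs only
    0x5: 12,   # probe response: timestamp(8) + beacon interval(2) + capability(2)
    0x8: 12,   # beacon: same fixed fields as a probe response
}
SUBTYPE_NAME = {0x0: "assoc-req", 0x2: "reassoc-req", 0x4: "probe-req",
                0x5: "probe-resp", 0x8: "beacon"}
MGMT_HEADER_LEN = 24   # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
SSID_IE = 0


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_mgmt_frame(subtype, src, dst, bssid, ssid):
    """Construct a minimal management frame; ssid='' gives the zero-length
    SSID IE that a 'hidden' access point puts in its beacons."""
    frame_control = bytes([subtype << 4, 0x00])          # type 0 (mgmt), no flags
    header = (frame_control + b"\x00\x00"                # duration
              + _mac(dst) + _mac(src) + _mac(bssid) + b"\x00\x00")
    fixed = b"\x00" * FIXED_BODY_LEN[subtype]            # contents irrelevant here
    body = ssid.encode()
    return header + fixed + bytes([SSID_IE, len(body)]) + body


def ssid_from_frame(frame):
    """Return (subtype name, ssid). ssid is '' for a hidden/wildcard SSID IE
    and None when the frame carries no usable SSID IE."""
    if len(frame) < MGMT_HEADER_LEN:
        return ("short", None)
    fc0 = frame[0]
    if fc0 & 0x0C != 0:                                  # type bits: 0 = management
        return ("non-mgmt", None)
    subtype = fc0 >> 4
    if subtype not in FIXED_BODY_LEN:
        return (SUBTYPE_NAME.get(subtype, "other"), None)
    pos = MGMT_HEADER_LEN + FIXED_BODY_LEN[subtype]
    while pos + 2 <= len(frame):                         # walk the tagged IEs
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                          # truncated IE: stop, don't guess
            break
        if tag == SSID_IE:
            if not value or value == b"\x00" * length:   # hidden beacon / wildcard probe
                return (SUBTYPE_NAME[subtype], "")
            return (SUBTYPE_NAME[subtype], value.decode("utf-8", "replace"))
        pos += 2 + length
    return (SUBTYPE_NAME[subtype], None)


def disclosed_ssids(frames):
    """Map each non-empty SSID seen on the air to the subtypes that carried it."""
    seen = {}
    for frame in frames:
        name, ssid = ssid_from_frame(frame)
        if ssid:
            seen.setdefault(ssid, set()).add(name)
    return seen


AP = "02:00:00:00:aa:01"          # constructed locally administered addresses
CLIENT = "02:00:00:00:cc:02"
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: a hidden beacon, then a client that knows the name joining.
SAMPLE_CAPTURE = [
    build_mgmt_frame(0x8, AP, BCAST, AP, ""),                 # beacon, SSID hidden
    build_mgmt_frame(0x4, CLIENT, BCAST, BCAST, ""),          # wildcard probe: no leak
    build_mgmt_frame(0x4, CLIENT, BCAST, BCAST, "ChurchWiFi"),  # directed probe: leak
    build_mgmt_frame(0x5, AP, CLIENT, AP, "ChurchWiFi"),      # probe response: leak
    build_mgmt_frame(0x0, CLIENT, AP, AP, "ChurchWiFi"),      # association: leak
]

if __name__ == "__main__":
    print("beacon carries:", repr(ssid_from_frame(SAMPLE_CAPTURE[0])[1]))
    print("disclosed anyway:", disclosed_ssids(SAMPLE_CAPTURE))
```

Note the wildcard probe request: a client that scans for "any network" sends an empty SSID and discloses nothing, but a client configured to join a hidden network has to ask for it by name, so hiding the SSID moves the name from the AP's beacon into every client's probe requests, including the ones it sends in the car park and at home.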
Re:Just turn it off (Score:4, Funny)
They're trying to discourage casual freeloaders, not secure their network against tech savvy dorks like you. Turning off SSID broadcast does that very effectively.
Re: (Score:2)
A lot of the 'casual freeloaders' are tech savvy dorks. the non-tech-savvy-people are watching the basketball game.
Re:Just turn it off (Score:5, Insightful)
One of my networks is in a somewhat public place where the users have a high motivation to get online. Knowing that wireless is inherently insecure, i.e. tools are available for harvesting passwords and MAC addresses, turning off the SSID is simply another tool I use. To me it is a no brainer because it does not cause me any significant problems and many casual users don't know how to connect to a 'hidden' network even if they have the name. That is what 'turning off' the SSID does. It does not make the network invisible, it prevents computers from automatically connecting. It says that this is a closed network and we would appreciate it if you did not join in.
I have seen articles like this where somehow 'hiding' the SSID causes problems for roaming. From where I have seen these articles, I suspect this is an OS specific problem as I have never had this problem. All my equipment connects automatically to my networks unless there is a higher power open competing network. I believe this is a case where certain people do not know how to implement the solution, so they say the solution is bad.
To the matter at hand, closing the network may be part of the solution. Time based access control, in which user accounts require on-the-fly credentials, is another solution. This is where the user provides an email address, and logs onto the network by clicking on an email link agreeing to the terms and conditions. I would also back it up with a white list that will prevent all proxy access and make the pipe much less valuable for casual users to crack.
Re:Just turn it off (Score:4, Informative)
Turning off Broadcast SSID is like locking the screen door. It does nothing to prevent unauthorized folks from entering, and it hinders many authorized folks.
Re: (Score:3)
Aye it is theatre, but I take objection to this "Don't" bullshit as if that's somehow insightful or helpful to the conversation. It's classic /. "I disagree with the premise so I assassinate the paradigm" bullshit which has driven away many a professional reader, myself included.
Re: (Score:2)
So, let me see if I have this straight. Don't hide because it's pointless? Stand in the middle of the street because you'll get hit by a bus anyway?
No.
Since you can't be bothered to look at the article I linked, which explains it in detail, the short version is that it's just as effective as an ostrich sticking its head in the sand. You think you're hiding, but anyone hunting you can see you plain as day. You're only fooling yourself.
If you think this is effective security, you probably hide your doorkey under the mat.
Re: (Score:2)
If you don't want to turn off then setup the access point to NOT broadcast the SSID (network name). Then you don't then have to power off the access point / router and people won't be able to see the network name. Only people that know the network name, username and password can login.
What's the purpose of that? Either they're regular users and they already know the SSID (so they can connect to the hidden network) or they aren't and then the password is enough to deter them.
Simples (Score:3, Informative)
try Easy Hotspot - http://easyhotspot.inov.asia/ obviously depending on exactly what you want to do... (we run the authentication system as a VM but it'll work nicely on a cheap PC) also we're using DDWRT on our access points so only using the easyhotspot system as an authentication system.
Here's an idea (Score:5, Informative)
Try a google search for "Captive WiFi Portal".
That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal [dd-wrt.com]
Re: (Score:3, Informative)
Absolutely. I will throw my (considerable, following Christmas excesses,) weight behind pfSense (pfsense.org) as a captive portal (CP) solution.
An old PC with a (couple of) extra $5 NIC(s) will provide a great, free, robust, easy to setup CP.
Re:Here's an idea (Score:5, Informative)
Don't use DD-WRT, that project is dead. Last BETA release was 2 years ago. Use OpenWRT, which has many packages for this and is still actively maintained.
No matter what, he IS going to have to spend at least 2 weeks learning this stuff, or buy a commercial setup maintained by an IT professional.
Re: (Score:3)
May I suggest using two APs; one has a strong WPA2 PSK key and WPS disabled. It serves as the main access point for biz apps. The second one simply connects to the first one, uses a different non-interfering channel, and is the public version of the private one (WPS disabled, 802.11g only to catch the widest denominator of potential users). Route the second AP to the gateway.
And like a good IT admin, make sure that all of the machines on your biz network are fully secured, updated, and turned OFF when not i
Captive Portal (Score:4, Informative)
It's called a captive portal, and it's not the solution you're looking for. Depending on the AP it'll be easier to set up time of day access or only give the WPA2 passphrase to churchgoers.
Re:Captive Portal (Score:4, Informative)
From past experience (probably obsolete) - ChilliSpot [wikipedia.org] was a very straightforward captive portal to set up (simplest setup is a beige box with two network cards, plus two configuration scripts).
ChilliSpot appears to be a defunct project, but CoovaChilli [coova.org] has risen from its ashes.
Re: (Score:2)
*Waves hand over submitter's eyes* These are not the solutions you are looking for...
set a password and change it regularly (Score:4, Insightful)
Re:set a password and change it regularly (Score:5, Funny)
Don't post the password, post a clue to it like "Judges 5:16 word 10". Anyone who doesn't know the answer doesn't deserve access!
Re:set a password and change it regularly (Score:5, Funny)
If it's from the old testament, there's a 90% chance that the word will always be "begat"
Re:set a password and change it regularly (Score:4, Funny)
Not true, not true. You have to remember that before the "begat" there's all the raunchy bits, where some patriarch "knew" his wife, or his wife's maid, or his second wife, or in a couple of cases his daughters.
Seriously, if someone did an unexpurgated film version of the Bible, it would be rated NC-17. Especially the Song of Solomon.
Re: (Score:2)
Or 'sinner', depending on the type of church we have.
too short (Score:2)
Time-of-day restriction (Score:5, Insightful)
Just use Meraki (Score:2)
a simple policy for a simple situation... (Score:5, Interesting)
Home Brew Captive Portal With OpenBSD (Score:4, Interesting)
Have you ever used a public wireless network that has a splash screen such that you have to agree to certain terms before going to the Internet? The author of this article will show you step by step how to build one of those using OpenBSD’s Packet Filter (pf).
PEAPv0/EAP-MSCHAPv2 (Score:2)
Whilst the captive-portal system where you login via an HTML form seems to be popular (perceived ease of use?), you can also do per-user password authentication at the WiFi level.
All you need is an AP that supports EAP (or Enterprise) WPA (all good ones will), and to set up a RADIUS server (http://freeradius.org/ [freeradius.org]) to handle the actual authentication.
Personally this is much cleaner (AP isn't listed as unsecured, you don't have to wait for the redirection to the portal which is inevitably slow and doesn't work a
Analysis (Score:3)
What I think the OP wants is to give people Internet access without simultaneously giving them access to the organization's LAN. He also doesn't want to invest in new hardware, seeing as how they've just done that.
So: how to set up the WLAN APs to block IP packets directed to anything except the gateway (or the Internet) itself?
My router can already do this. (Score:3, Informative)
First things first (Score:3, Funny)
You want to get your hands on a patron saint of wifi [wikipedia.org] figurine to put on top of your router.
Biblical pass code (Score:4, Interesting)
Coova! (Score:3)
http://coova.org/ [coova.org]
Ubuntu Server + CoovaChilli + DD-WRT = an easy and free captive portal system
WARNING: this is not a drop-in solution, some customization and piecing-together required. Throw FreeRADIUS or CoovaRADIUS into the mix for easier user-level authentication.
Captive portal/Hot spot/walled garden hardware (Score:4, Informative)
It's a feature on most wireless access points now (Score:2)
Hire someone! (Score:4, Insightful)
Just because churches operate as tax exempt non-profits doesn't mean they can't afford to pay someone to do the work. If your church doesn't have a member that is in the IT business (and willing to do the work for free) then hire a local tech company to set it up for you. Support the local nerd economy!
MAC filter (Score:2)
It sounds like what you want is not catch-and-release, but just to allow certain specific machines in your Sunday school to access the net. In that case you can enable the MAC address filter in the router to limit access to only those machines. Everyone else will be blocked. This solution requires no extra hardware or software, it is built into the router.
http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm [about.com]
There are less complicated ways to achieve goal (Score:2)
Is your goal to provide internet access to church members or to charge them for internet access like a hotel?
How many people do you expect?
For example the Linksys E class routers have a built in 'guest network' feature that has a second SSID that is broadcast for Guests and allows up to 10 simultaneous users to connect. This gives them internet access only and doesn't allow them access to the actual network. Though it's limited to 10 people. This would be a simple solution but if you had more than ten p
just set a password and only list it in the areas (Score:2)
just set a password and only list it in the areas that you want people to have the wifi.
And that does not cost anything to put it.
Just a little backwards (Score:2)
Why would you not solve the problem before doing that first bit?
WiFi services easier than you think (Score:2)
Catch and Release? I too have to question that naming, but from the summary, I get that they want to set up some sort of system where you first log in in some way and then you have access to the network.
Turns out, the type of system is a bit easier than you might think.
Let's start with the basics:
DHCPD. It's a process that we're all familiar with... at least in the sense that we all know what it's for. Turns out, you can specify MAC addresses for special treatment and assignment to specific pools. That'
Re: (Score:2)
I sure agree with you, it hurts to see how a good place to exchange information is slowly dying and becoming less and less worth our attention.
Re:StackExchange (Score:4, Insightful)
I sure agree with you, it hurts to see how a good place to exchange information is slowly dying and becoming less and less worth our attention.
Yes, that happened ever since "I'm too lazy to Google it and perform basic research" turned into the exact same thing as "I really need a community of experts to offer me advice".
... but you know what the REAL difference is? If you really need a community of experts to offer advice it's because you are doing something new and interesting and unique. If you're doing what every hotel and coffee-shop across the country already does on a daily basis ... then it's time to stop being lazy and research it yourself.
Not that Slashdot does anything but try to shut you up with a downmod for pointing it out
Re: (Score:3)
I wish you the best of luck in setting this up and administering the network.
Re: (Score:2)
If only there were more upstanding citizens such as yourself around to keep us straight.
Re:StackExchange (Score:5, Informative)
Forwarding from superuser.com:
http://superuser.com/questions/183105/hotel-like-wifi-manager [superuser.com] (recommends AnchorFree, SputNik)
http://www.macinstruct.com/node/188 [macinstruct.com]
https://en.wikipedia.org/wiki/Captive_portal [wikipedia.org]
Re: (Score:2)
http://coova.org/ [coova.org]
NOT the Dead DD-WRT project.
DD-WRT has not had a release even for their beta for over 2 years now.
Re: (Score:2)
NOT the Dead DD-WRT project.
DD-WRT has not had a release even for their beta for over 2 years now.
that is not true at all...
ftp://ftp.dd-wrt.com/others/eko/V24_TNG/ [dd-wrt.com]
ftp://ftp.dd-wrt.com/others/eko/V24-K26/ [dd-wrt.com]
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2011/ [dd-wrt.com]
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2010/ [dd-wrt.com]
release quality though... that is another matter... e.g. release 18000 causes bricking in tp-link wr1043nd routers... :(
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=148172 [dd-wrt.com]
Re: (Score:2)
And those are linked to the front page?
no you had to dig deep in the forums to get them.
Honestly V24 should have been released last year. BrainSlayer is more interested in his side project that is the "paid" releases that you have to subscribe to.
Whereas OpenWRT has not chosen to take the leave it in beta with no real releases for 2 years model.
Re: (Score:3)
actually, they are linked on the site but not on each particular model's page in the database (i think they gave up on updating the links)
1) on the front page click "router database"
2) then on the sub-menu that opens, above the line where you type the router model, click on "Other downloads" ( http://dd-wrt.com/site/support/other-downloads [dd-wrt.com] )
result: you're now viewing the ftp space, mapped on the website
e.g.
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2011/ [dd-wrt.com]
is mapped on http at:
http://dd-wrt.com/sit [dd-wrt.com]
Re: (Score:2)
He's pretty sloppy with the ACKs though.
Re:It would be a miracle (Score:5, Insightful)
This thread makes me embarrassed to be an atheist...
Re:It would be a miracle (Score:5, Insightful)
Yup, the amount of atheist bigotry and unpleasantness here is incredible. Now in their defense, these people are probably Americans who endure a lot of religious bigotry in their daily lives. They are just trying to fight back, but this doesn't really help at all.
Re: (Score:3)
I'm always amused by some of the comments here as it shows a profound ignorance (not yours). Heck anyone who has seen Bill Maher's "Religulous" will hear senior Vatican officials saying something like "It's all hooey, people need their stories." Even senior officials in the Anglican community say the same thing:
http://religion.blogs.cnn.com/2011/12/29/my-take-the-3-biggest-biblical-misconceptions/ [cnn.com]
The whole Bible being taken literally is a recent phenomenon. One should be taking the central message from the bi
Re:Catch-and-release? (Score:4, Funny)
What's that? [wikipedia.org]
I think it's something like Pray for a man and you save him once. Teach him to pray for himself and you save him for a lifetime.
Re: (Score:3, Funny)
Give a man a fire and he's warm for the day, but set fire to him and he's warm for the rest of his life.
Re: (Score:2, Insightful)
What's that? [wikipedia.org]
I think it's something like Pray for a man and you save him once. Teach him to pray for himself and you save him for a lifetime.
actually it's more like 'pray for a man and he easily ignores you, brainwash a man and he will pray with you'
Re: (Score:2)
Wrighting? Apparently we need to start you off with a picture book.
Re:Really? (Score:5, Informative)
Posting up here, because it's quite a bit of scrolling before you see answers that don't have something to do with people's anti-religion bigotry. I do not care what your beliefs are, nor do I think it's my place to comment on them when replying to a technical question.
Why don't you set up a guest wifi? Have the internal wifi that's for your private network, and a guest wifi where you publish the key for people to use, but set up a rule so it's only enabled on Sunday from 7am until 1pm? That should cover the Sunday school's hours, and it won't be there at all during the week, when you don't want people accessing the wifi. It will also segregate your internal network from the wifi you're providing for people to use, which will help secure your private files, or any fileserver you're running.
And if you're hosting some kind of event, like a Parish council meeting, where you want to give people access to the 'net, just turn the guest wifi on manually during the event.
It'll be cheaper, and easier than setting up a catch-and-release system, as a fair number of wireless routers have that ability these days, and if it doesn't, you could always install Tomato or DD-WRT to have access to it.
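The comment above proposes a separate guest SSID that is only up on Sunday mornings, with a manual switch-on for the occasional evening meeting. As an added example, written for this page rather than taken from the thread or from any router firmware, here is the policy logic a small cron job on a router or a Linux box beside it could run: a weekly schedule evaluated in the church's local time (so daylight-saving changes don't shift the window), plus an event override that expires on its own so nobody has to remember to turn the guest network back off. The time zone, the window and the `wl` interface name are assumptions and must be adapted to the actual router.

```python
from datetime import datetime, time, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/New_York")        # assumption: the church's time zone
except Exception:                                   # no tzdata on this host: fixed offset, no DST
    LOCAL_TZ = timezone(timedelta(hours=-5))

# Weekly windows in local time: weekday() 0=Mon .. 6=Sun -> [(start, end), ...]
SUNDAY_SCHOOL = {6: [(time(7, 0), time(13, 0))]}    # the window suggested in the thread


def in_schedule(now, schedule=SUNDAY_SCHOOL):
    """True if `now` (a timezone-aware datetime) falls inside a scheduled window."""
    local = now.astimezone(LOCAL_TZ)
    return any(start <= local.time() < end
               for start, end in schedule.get(local.weekday(), []))


class GuestRadioPolicy:
    """Decides whether the guest SSID should be up at a given moment."""

    def __init__(self, schedule=SUNDAY_SCHOOL):
        self.schedule = schedule
        self.override_until = None                  # one-off event access, self-expiring

    def enable_for_event(self, now, hours):
        """Manual switch-on for a parish council meeting or similar."""
        self.override_until = now + timedelta(hours=hours)

    def should_be_on(self, now):
        if self.override_until is not None:
            if now < self.override_until:
                return True
            self.override_until = None              # expired: cleared automatically
        return in_schedule(now, self.schedule)


def radio_command(state):
    """Command the cron job would execute. The interface name is an assumption
    for a Broadcom-based DD-WRT/Tomato build with the guest SSID on wl0.1;
    check your own router's tooling before using it."""
    return ["wl", "-i", "wl0.1", "bss", "up" if state else "down"]


if __name__ == "__main__":
    policy = GuestRadioPolicy()
    on = policy.should_be_on(datetime.now(timezone.utc))
    print("guest radio should be", "ON" if on else "OFF", "->", " ".join(radio_command(on)))
```

Run it from cron every few minutes and apply `radio_command()` only when the desired state differs from the last applied one; the override should be persisted (a small file is enough) if the box may reboot during an event. Keep the guest SSID on its own VLAN regardless of the schedule, since turning a radio off is a convenience control, not the isolation boundary.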
Re: (Score:3)
maybe I should have post about how atheists like Stalin and Mao killed many millions of people?
You, like way too many other people, just don't get the point, so I will spell it out for you.
Guess what PEOPLE do really great things. Some PEOPLE do really crappy things. The people that do the worst things will use anything they can as an excuse for their acts. It doesn't matter if it is a member of the KKK, or a Bigot on Slashdot bashing someone for going to church. They will find some way that makes them feel lik
Re: (Score:2)
I agree, but they will have to get a PC or special hardware. If they are using regular 'home routers' they are out of luck.
Re: (Score:2)
Indeed, while not foolproof against those intent on getting in, the individuals you say you want to keep out should be kept out. Easy to add or remove MACs in most modern access points & routers.