Wireless AAA for a small, bandwidth-limited hotel.
- by Anthony Hiscox
We (the tech I work with and myself) live in a remote northern town where Internet access is somewhat of a luxury, and bandwidth is quite limited. Here, overage charges ranging from a few hundred to a few thousand dollars a month are not uncommon. I myself incur regular monthly charges just through my regular Internet usage at home (I am allowed 10G for $60CAD!)
As part of my work, I have found myself involved with several hotels that are feeling this. I know that I can come up with something to solve this problem, but I am relatively new to system administration and I don't want my dreams to overcome reality.
So, I pass these ideas on to you, those with much more experience than I, in hopes you will share some of your thoughts and concerns.
This system must be cost-effective; yes, the charges are high here, but the trust in technology is the lowest I've ever seen.
Must be capable of helping the client reduce their usage (squid).
Allow a limited (throughput and total usage) amount of free Internet, as this is often franchise policy.
Allow a user to track their bandwidth usage.
Allow (optional) higher speed and/or usage for an additional charge. This fee can be obtained at the front desk on checkout and should not require the use of PayPal or a credit card.
Unfortunately some franchises have ridiculous policies that require the use of a third-party remote service to authenticate guests to your network. This means WPA is out, and it also means that I do not auth before Internet usage; that will be their job. However, I do require the ABILITY to perform authentication for Internet access if a hotel does not have this policy. I will still have to track bandwidth (under a guest account by default) and provide the same limiting; however, the guest will often require complete 'unlimited' access, in terms of existence, not throughput.
Provide firewalling capabilities for hotels that have nothing, and Office and Guest network segregation (some of these guys are running their office on the guest network, with no encryption, and a simple TOS to get on!)
Prevent guests from connecting to other guests, but provide a means to allow this to happen, i.e. each guest connects to a page and allows the other guest; this writes an iptables rule (with python-netfilter) and allows two rooms to play a game, for instance.
My thoughts on how to implement this: one decent box (we'll call it a router now) with a lot of RAM and 3 NICs:
Internet
Office
Guests (AP's + In Room Ethernet)
Router Firewall Rules
Guest can talk to the router only, through which they are routed to where they need to go, including Internet services.
Office can be used to bridge Office to Internet if an existing solution is not in place; otherwise, it simply works for a network-accessible web (webmin+python-webmin?) interface.
Router Software:
OpenVZ provides virtualization for a few services I don't really trust: Squid, FreeRADIUS and Apache. The only service directly accessible to guests is Apache.
Apache has mod_wsgi and Django, because I can write quickly using Django and my needs are low. It also potentially has the FreeRADIUS mod, but there seem to be some caveats with this.
Firewall rules are handled on the router with iptables.
Webmin (or a custom Django app maybe) provides abstracted control over any features that the staff may need to access.
Python, if you haven't guessed, is the language I feel most comfortable in, and I use it for almost everything.
And finally, has this been done, is it an overly massive project not worth taking on for one guy, and/or are there some tools I'm missing that could be making my life easier?
For the record, I am fairly good with Python, but not very familiar with many other languages (I can struggle through PHP; it's a cosmetic issue there). I am also an avid Linux user, and comfortable with config files and the command line.
Thank you for your time, I look forward to reading your responses.
Edit: My apologies if this is not a Q&A in the sense that some were expecting; I'm just looking for ideas and to make sure I'm not trying to do something that's been done. I'm looking at pfSense now as a possible start for what I need.
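The firewall rules and per-room accounting the post sketches (guests reach only the router, office and guest segments never forwarded to each other, HTTP pushed through Squid, a free byte allowance per room that the front desk can raise, and an opt-in rule that lets two rooms talk), as an added example that is not the poster's code. Everything not in the post is assumed: the interface names eth0/eth1/eth2 and the subnets, Squid on port 3128, that each room is carried as a VLAN subinterface eth2.<room> so that room-to-room traffic has to cross the router, and that the free allowance is enforced with the iptables xt_quota match. The functions only produce the iptables command lines; applying them (subprocess, python-netfilter, a shell script) is left to the caller, so the module runs anywhere.

```python
# Added illustration; interface names, subnets, per-room VLANs and xt_quota are assumptions.
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class RouterConfig:
    wan_if: str = "eth0"
    office_if: str = "eth1"
    guest_if: str = "eth2"              # room VLANs are eth2.<room>; "eth2+" matches them all
    office_net: str = "192.168.1.0/24"
    router_guest_ip: str = "10.10.0.1"  # portal, DNS, DHCP and Squid listen here (assumed)
    squid_port: int = 3128
    office_uplink: bool = True          # False when the office already has its own gateway


def base_rules(cfg: RouterConfig) -> list[str]:
    g, r = f"{cfg.guest_if}+", cfg.router_guest_ip
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Guests talk to the router itself only for DHCP, DNS, the portal and Squid.
        f"iptables -A INPUT -i {g} -p udp --dport 67 -j ACCEPT",
        f"iptables -A INPUT -i {g} -d {r} -p udp --dport 53 -j ACCEPT",
        f"iptables -A INPUT -i {g} -d {r} -p tcp --dport 80 -j ACCEPT",
        f"iptables -A INPUT -i {g} -d {r} -p tcp --dport {cfg.squid_port} -j ACCEPT",
        # Only the office LAN reaches the admin interface (webmin / django).
        f"iptables -A INPUT -i {cfg.office_if} -s {cfg.office_net} -j ACCEPT",
        # Transparent caching: guest HTTP is redirected into Squid.
        f"iptables -t nat -A PREROUTING -i {g} ! -d {r} -p tcp --dport 80 "
        f"-j REDIRECT --to-ports {cfg.squid_port}",
        f"iptables -t nat -A POSTROUTING -o {cfg.wan_if} -j MASQUERADE",
        # Room-to-room traffic crosses the router (one VLAN per room) and is dropped
        # unless the portal put that pair of rooms into GUEST_PEERS.
        "iptables -N GUEST_PEERS",
        f"iptables -A FORWARD -i {g} -o {g} -j GUEST_PEERS",
        f"iptables -A FORWARD -i {g} -o {g} -j DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {g} -o {cfg.wan_if} -j ACCEPT",
        # Nothing forwards guest -> office; that traffic dies on the DROP policy.
        # Quotas live in the mangle table, not FORWARD, so HTTP served by Squid counts too:
        # mangle PREROUTING sees every guest packet before NAT, mangle POSTROUTING sees every
        # packet to a guest before un-NAT (Squid replies still carry --sport 3128 there).
        "iptables -t mangle -N GUEST_QUOTA",
        "iptables -t mangle -A GUEST_QUOTA -p udp --dport 67 -j RETURN",
        f"iptables -t mangle -A GUEST_QUOTA -s {r} -p udp -j RETURN",
        f"iptables -t mangle -A GUEST_QUOTA -s {r} -p tcp --sport 80 -j RETURN",
        f"iptables -t mangle -A PREROUTING -i {g} ! -d {r} -j GUEST_QUOTA",
        f"iptables -t mangle -A POSTROUTING -o {g} -j GUEST_QUOTA",
    ]
    if cfg.office_uplink:
        rules.append(f"iptables -A FORWARD -i {cfg.office_if} -o {cfg.wan_if} -j ACCEPT")
    return rules


def room_quota_rules(room: int, ip: str, quota_bytes: int) -> list[str]:
    """Per-room chain: the -s and -d jumps land on one xt_quota rule, so a single counter
    covers both directions. Re-running after an upgrade flushes the chain and resets it."""
    chain = f"ROOM_{room}"
    return [
        f"iptables -t mangle -N {chain}",                         # harmless failure on re-run
        f"iptables -t mangle -F {chain}",
        f"iptables -t mangle -D GUEST_QUOTA -s {ip} -j {chain}",  # harmless failure on first run
        f"iptables -t mangle -D GUEST_QUOTA -d {ip} -j {chain}",
        f"iptables -t mangle -A {chain} -m quota --quota {quota_bytes} -j RETURN",
        f"iptables -t mangle -A {chain} -j DROP",                 # over quota until staff raise it
        f"iptables -t mangle -A GUEST_QUOTA -s {ip} -j {chain}",
        f"iptables -t mangle -A GUEST_QUOTA -d {ip} -j {chain}",
    ]


def peer_rules(ip_a: str, ip_b: str, allow: bool = True) -> list[str]:
    """Open (or revoke) direct traffic between two rooms; call only once BOTH rooms agreed."""
    op = "-A" if allow else "-D"
    return [f"iptables {op} GUEST_PEERS -s {ip_a} -d {ip_b} -j ACCEPT",
            f"iptables {op} GUEST_PEERS -s {ip_b} -d {ip_a} -j ACCEPT"]


# Constructed sample of `iptables -t mangle -nvxL ROOM_214`, as the usage page would read it.
SAMPLE_COUNTERS = """\
Chain ROOM_214 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 536870912 bytes
      17       1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
_COUNTER = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")  # pkts, bytes, target


def used_bytes(nvx_output: str) -> int:
    """Bytes the room actually moved (RETURN rule); DROP only counts attempts after cut-off."""
    return sum(int(m.group(2)) for m in map(_COUNTER.match, nvx_output.splitlines())
               if m and m.group(3) == "RETURN")


if __name__ == "__main__":
    print("\n".join(base_rules(RouterConfig()) + room_quota_rules(214, "10.10.214.2", 512 * 1024 ** 2)))
```

Two caveats worth knowing before building on this. The "guests can only talk to the router" rule in FORWARD only bites if inter-room traffic actually reaches the router: on one flat guest L2 segment two rooms talk to each other directly and iptables never sees it, hence the assumption of one VLAN (or AP client isolation) per room. And because the quota is measured on the guest side, bytes Squid serves from cache are charged to the room's allowance even though they cost nothing on the WAN link; measuring on the WAN side instead would miss Squid's traffic entirely unless it is tied back to the requesting room.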