Solution to 6 Remote locations
echass
09-06-2007, 06:48 PM
I have an AD network with 6 remote locations across the USA.
Each location has a Linksys (WAP54G) AP that points back to Corporate for an IP.
We use WPA.
I need to find a product that can keep track of who is using the AP,
and maybe also log how long they were on and when they logged off.
Most RADIUS servers want to use a cert and password, and most of the users who use the APs at these sites are guests and are not part of our network.
I need to secure the AP so not just anyone can use it, but also have it so a guest can use it with the simplest type of support.
Any ideas?
golfnut
09-06-2007, 08:50 PM
There is a way to do this, and it will require some reconfiguration: you'd have to replace those Linksys APs with something a little more robust and capable of VLANs (i.e. Cisco, 3Com, Proxim). You would also need a hotspot gateway at the central location for guest access.
If I understand the current configuration, each remote site has a router configured to tunnel back to a central location to a DHCP server that's also doing NAT, and guests are also using this same path for Internet access?
The ideal and most secure setup would be an access point with two VLANs or SSIDs. The first VLAN would be private and should be configured with 802.1x with your RADIUS server. If you didn't want to use 802.1x, you could stay with WPA.
The second VLAN or SSID would be public and would require a second tunnel or VLAN configured on the routers (edge and central). This second tunnel would point to the hotspot gateway (i.e. Zyxel, Nomadix), which would provide DHCP and NAT over the tunnel in addition to a splash web page requiring a username and password for access to the Internet.
This of course is assuming your routers are capable of creating multiple tunnels/subnets along with ACL rules to ensure the guests can't access the private network.
As for reporting, if the hotspot gateway and private users are configured to use the RADIUS server for user authentication, you could pull text log files from the server which would show you login/logout times and the amount of data downloaded; however, this is raw data. If you know a little programming, you could write a script to extrapolate that data into charts, tables, or whatever.
Greg
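As an added example that is not part of this thread (not Greg's or the poster's script): a small Python parser for the kind of raw RADIUS accounting log described above, joining Start/Stop records into per-user rows with login time, logout time and bytes transferred, and flagging sessions that have no Stop yet (user still online). The file layout assumed is FreeRADIUS's "detail" format, which the thread never specifies, and the records are constructed.

```python
from datetime import datetime

# Constructed sample in the FreeRADIUS "detail" accounting layout (an assumption; the
# thread never names the RADIUS server): timestamp header, tab-indented attributes.
SAMPLE_DETAIL = """\
Thu Sep  6 18:10:02 2007
\tAcct-Status-Type = Start
\tUser-Name = "guest01"
\tAcct-Session-Id = "8a01"
\tNAS-Identifier = "site-denver-gw"

Thu Sep  6 18:55:17 2007
\tAcct-Status-Type = Stop
\tUser-Name = "guest01"
\tAcct-Session-Id = "8a01"
\tAcct-Session-Time = 2715
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 20971520
\tNAS-Identifier = "site-denver-gw"

Thu Sep  6 19:02:40 2007
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tAcct-Session-Id = "8a02"
\tNAS-Identifier = "site-austin-gw"
"""

def parse_detail(text):
    """Yield one dict per accounting record; the header timestamp becomes '_time'."""
    for block in text.strip().split("\n\n"):
        header, *attrs = block.splitlines()
        rec = {"_time": datetime.strptime(header.strip(), "%a %b %d %H:%M:%S %Y")}
        for line in attrs:
            key, _, value = line.strip().partition(" = ")
            rec[key] = value.strip('"')
        yield rec

def sessions(text):
    """Join Start/Stop on (NAS, session id); logout None means the user is still online."""
    out = {}
    for rec in parse_detail(text):
        key = (rec["NAS-Identifier"], rec["Acct-Session-Id"])
        s = out.setdefault(key, {"user": rec["User-Name"], "nas": key[0],
                                 "login": None, "logout": None, "bytes": None})
        if rec["Acct-Status-Type"] == "Start":
            s["login"] = rec["_time"]
        elif rec["Acct-Status-Type"] == "Stop":
            s["logout"] = rec["_time"]
            s["bytes"] = int(rec["Acct-Input-Octets"]) + int(rec["Acct-Output-Octets"])
    return list(out.values())
```

Keying on NAS identifier plus session id keeps two sites that happen to reuse the same session id from being merged into one row.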
echass
09-06-2007, 09:52 PM
That makes total sense, and it can be done. Great idea!
One SSID points to my network, the other right through a public IP!
Now, can one unit hold more than one IP?
What I am asking is: one SSID will ask for a WPA password and point to my network IP, and the other SSID will point to a public IP that we can give it. Our provider provides several public IPs for our routers and we are only using 1 on each router. And will the other SSID for the guests also be DHCP for them?
If that can be done, I am sure there must be some kind of logging built in to the unit.
So do I need two APs or one AP at each site? I am confused: you mention Cisco, then said use a gateway, Zyxel?
The splash page for user logon, I have no clue where to even start looking to set this up.
The solution that you have mentioned is a solution; I think I need to know what hardware I need to purchase.
golfnut
09-07-2007, 02:13 AM
The IP information for the VLANs is not through the AP; it's assigned or trunked through your network router/switch. The SSID(s) configured on the APs are assigned to VLANs. Each SSID can have separate security settings.
Before you get too deep into this, it might be a good idea to consult with a network specialist in your area. I think the current design has some security issues and any change should be planned out properly with the right equipment and configurations.
Greg
What is your perimeter device at each of the remote locations? I personally would not have the guest traffic tunnel back to the main office. If a split tunnel is possible with the perimeter device, I would use that and point the guest traffic out to the Internet at each remote location.
I also would agree with Greg and get a better AP for the network user and then use the existing one for the guests.
As to monitoring that again is dependent on what you are using for the perimeter device and how granular you want to get with the logs.
echass
09-08-2007, 09:34 AM
Well, after talking with my WAN guy, the Cisco routers we have are VLAN routers AND switches, so it can be done. Can you point me to some articles on how to create a splash screen for guests, how it is done, etc.?
We're looking at the ag2100 Wireless Gateway. What do you think?
golfnut
09-08-2007, 01:09 PM
Cisco is good, and if your WAN person knows how to config it, that's even better. I know of a company that does the exact same thing with a central device for guest access.
You won't find an article for creating the login page because it's really a custom type of setup and every device is a bit different.
That Nomadix unit is an excellent choice; however, configuring it for the first time will be a challenge, as it doesn't use a typical web GUI and it expects that you know what you're doing. You would also have to upgrade the users it supports from the base 50.
A Zyxel VSG-1200 is good as well and easier to configure. You can find the user's guide at ftp.zyxel.com. The user's guide is excellent and is about as close to an article on creating a login page as you'll find for this particular device.
Both units can generate the login page from within the device or from an external web server. The Zyxel unit can generate any number of usernames and passwords for access or can be configured to work with a RADIUS/SQL server. It also has some very good reporting options/choices (see the user's guide).
The Nomadix unit is really designed to work with an external web and RADIUS server. You can set up a single username and password within the device for all users, but if you want more, you'd need a RADIUS/SQL server. You get the user's guide when you order the product and, again, don't expect detailed instructions. They assume you really know what you're doing.
Greg
golfnut
09-08-2007, 02:23 PM
Forgot to mention that both units have tunneling capabilities built in. The Nomadix is GRE and the Zyxel is PPTP...
Greg