Check out the Cisco SSG/SESM solution. You route all the traffic through one (or many) SSGs. The SSG will determine whether or not the session is authenticated based on IP address. If not, it will redirect the user to the SESM page, where they will log in. The SESM will send the username/password to RADIUS and then communicate back to the SSG whether or not it was successful, along with certain reply attributes that define the profile they have access to. Then the user will be redirected back to the page they originally created.
We use it here for our Wifi APs around the city. The downfall of it is that the sessions are based on IP, so NAT will break it. If you have your APs set up to NAT/PAT the connections behind them, then only one user will have to authenticate and all will be authenticated. You get around that by making the APs a simple bridge and assigning IPs to the PCs connected to them via DHCP.

If you decide to use the SSG/SESM, I can send you information on how to configure FreeRADIUS for it, as I am doing this now.

The other nice thing about it is that it will support multiple profiles that can be stored in RADIUS. So, you could have the user log in to different services, or different ISPs, etc. Based on something, such as a realm, the RADIUS server will return which profile the user now has access to. The SSG will then allow access to the services defined in that profile. You can also define the ACLs, next hop, etc. in the RADIUS server for that profile, and the SSGs can simply query RADIUS for that information. That helps so you don't have to configure multiple profiles on each SSG; it's all in RADIUS.

You can also do walled gardens within it, so unauthenticated users can still have access to local content (such as company info, portal pages, DNS, other local websites, etc.).

-Dusty Doris

On Mon, 11 Jul 2005, Michael Fisher wrote:

> Unfortunately this solution must be able to scale up. We have already
> assessed other technologies but they are not to our liking. Since there
> will be many APs in a certain area they must be able to grab account
> info from a central server.
>
> [EMAIL PROTECTED] wrote:
>
> > On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
> >
> > > How about simply firewalling unauthenticated connections and routing all
> > > access requests to a secured website running a registration script.
> > >
> > > This may not scale to a large deployment without a fair bit of work but
> > > for a small to medium sized network it should be fairly easy.
> >> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
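The IP-keyed session model described in Dusty's post, as an added example that is not part of the original thread and not Cisco's or FreeRADIUS's code. It models an SSG-style gateway that redirects unknown source IPs to a portal, lets any client reach a walled garden, binds a RADIUS-returned profile (allowed services, next hop) to the source IP on login, and then shows the NAT/PAT failure mode: when the AP hides two PCs behind one address, Alice's login authenticates Bob too, while with a bridged AP and per-PC DHCP addresses Bob is still sent to the portal. All hostnames, usernames, passwords and profiles are constructed for the demo; `radius_auth` is a stand-in for the RADIUS round trip, not a client implementation.

```python
# Added example, not from the original post or from Cisco: a small model of
# an SSG-style gateway whose sessions are keyed by client source IP. It shows
# the redirect-to-portal flow, a walled garden, RADIUS-supplied profiles, and
# why an access point that NATs its clients breaks per-user authentication.
# Hostnames, usernames, passwords and profiles are constructed for this demo.

# Hosts every client may reach before logging in (the walled garden).
WALLED_GARDEN = {"portal.city.example", "dns.city.example"}

# Destination host -> service name. A profile lists the services it may use.
SERVICE_OF_HOST = {
    "www.example.com": "internet",
    "intranet.city.example": "local",
}

# Stand-in for the RADIUS user database. Each profile dict plays the role of
# the reply attributes the gateway would receive (allowed services, next hop).
RADIUS_USERS = {
    "alice@isp-a": ("alice-pw", {"services": {"internet", "local"}, "next_hop": "10.1.0.1"}),
    "carol@guest": ("carol-pw", {"services": {"local"}, "next_hop": "10.1.0.2"}),
}


def radius_auth(username, password):
    """Return the user's profile on Access-Accept, or None on Access-Reject."""
    entry = RADIUS_USERS.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


class Gateway:
    """Holds one session per source IP; every decision is keyed by that IP."""

    def __init__(self):
        self.sessions = {}  # src_ip -> profile returned by RADIUS

    def login(self, src_ip, username, password):
        """Portal hands the credentials to RADIUS; bind the profile to the IP."""
        profile = radius_auth(username, password)
        if profile is None:
            return False
        self.sessions[src_ip] = profile
        return True

    def request(self, src_ip, host):
        """Decide what the gateway does with a packet from src_ip to host."""
        if host in WALLED_GARDEN:
            return "allow"
        profile = self.sessions.get(src_ip)
        if profile is None:
            return "redirect-to-portal"
        if SERVICE_OF_HOST.get(host) in profile["services"]:
            return "allow"
        return "deny"


def run_scenario(ap_does_nat):
    """Two PCs behind one AP. With NAT/PAT the gateway sees a single source
    address for both; bridged, each PC keeps its own DHCP-assigned address."""
    gw = Gateway()
    if ap_does_nat:
        alice_ip = bob_ip = "10.0.0.2"  # the AP's outside address
    else:
        alice_ip, bob_ip = "10.0.0.11", "10.0.0.12"

    result = {"alice_before": gw.request(alice_ip, "www.example.com")}
    gw.login(alice_ip, "alice@isp-a", "alice-pw")  # only Alice logs in
    result["alice_after"] = gw.request(alice_ip, "www.example.com")
    result["bob_after"] = gw.request(bob_ip, "www.example.com")  # never logged in
    result["bob_portal"] = gw.request(bob_ip, "portal.city.example")
    return result


if __name__ == "__main__":
    for nat in (True, False):
        print("AP does NAT:" if nat else "AP bridged: ", run_scenario(nat))
```

Running it prints `bob_after` as `allow` in the NAT case and `redirect-to-portal` in the bridged case, which is exactly the difference the post describes; the `carol@guest` profile shows a RADIUS-selected profile that reaches the local service but is denied the internet service.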

