Creating a Login for Internet Usage

mandiescool

Honorable
Dec 15, 2012
5
0
10,510
Hey,

I was asked to take on a small project, and have realized that I don't really know what I'm doing. I'm hoping that I can find some help through this forum, so I will try to explain what exactly I'm trying to do.

So someone has asked me to set up a wireless router for them, and create multiple guest accounts in which each person would be able to log in to their own network, and so that they could monitor what websites were being gone to. It became apparent to me that I can't do that with just a simple wireless router (or can I?). The wireless router they have is the Linksys N600 E2500.

I've decided that the solution to this problem would probably be to create a webpage that pops up when opening any web browser that will make each user log in before they can access the internet.

My problem is that I know nothing about how to do this. Will this be an easy solution, or is there a better way to go about doing it? If there is, please tell me what I need to do. I'm not sure if I've given enough information for the question to be answered, so if you have any questions, please let me know.

I do major in computer science, so I do have some basic knowledge about these kinds of things. I have just never done anything like this before. Any help is greatly appreciated.

Thank you,

Mandy
 

john-b691

Honorable
Sep 29, 2012
703
1
11,160
Option 1 is to run in enterprise mode and use a radius server to control the userid and passwords. This is supported by many routers.

Option 2 is to use a router you can load DD-WRT on. You can either create lots of SSIDs with unique preshared keys or it does have the ability to run an intercept web thing like you propose. Neither is real secure since preshared keys are a pain to change and the WEB thing is based on the assumption users do not share IP addresses.

What sites they go to is a much harder problem. Few routers have enough memory to log stuff like this. Normally you need a device inserted in the data stream to collect this data and store it on a hard drive. This would be a true firewall or maybe a proxy server. DD-WRT does support a protocol called netflow that will log traffic flows to a server but it takes quite a bit of customization to get the reports you want.
 

mandiescool

Hey John,

I don't know anything about radius servers, but I think that might be the route I'm going to take. Do you think you could give me a little bit more information on that? I did google "radius servers", and found this: http://technet.microsoft.com/en-us/library/cc731853.aspx . Then, I googled what a "network policy server" was, but I think it just confused me even more. I guess I should mention that I've never done anything with servers at all.

By the way, thanks for responding so quickly, and I'm sorry I haven't been able to respond until now.

Thanks,

Mandy

 

john-b691

If you have a Microsoft server already, radius is pretty much just an extension of the AD server. In most cases it is easier to use all the tools used to administer users and then let radius use the same.

If you do not have a server you are better off with a Unix-based machine, also since it's free.

The tricky part with radius is getting the certificates correct but there are a couple of guides on how to set it up. I just can't find my favorite at the moment to link it here.
 

mandiescool

I think I've decided not to use a RADIUS server for this. I've tried to figure it out, but I think I've messed everything up. Do you think that DD-WRT would be an easier way to do it?

Mandy
 

john-b691

Well in a way. DD-WRT has support for a web intercept option. I forget right now what the feature is called. It lets you forward the first web page to a machine that will grant authority. I have not set this particular one up but have used a similar function in commercial firewalls from Fortinet. You will still need a server and although it may be easier than radius it must provide a similar function.
 

mandiescool

Okay, so I'm probably going to stick with the radius server. I think I'm going to have to create like a landing page, similar to what they do at hotels for internet, so that people can login to that. My question is how do I get the landing page to connect to the radius server? I don't really know how any of this stuff works. I finally got the radius server running, but now I don't know where to go from there.
 

john-b691

You have a combination of both solutions. You don't really need a radius server. The landing page application is basically a web server that intercepts and does authentication. You can if you wish use radius but you could just use a local userid file on the web server.

The radius server is mostly used for the router itself to do the authentication. This is technically 802.1x. It is part of the WPA2 enterprise mode. What happens is when the users try to establish a connection to the router it will prompt them for a userid and password.

This is a link for Windows XP on how to set the client up. It is for a college but it has nice pictures of all the screens.

http://umt.edu/it/docs/wireless/pdf%20files/ConfigMSWindows_%20XP.pdf

The key here is it is set to ignore all the certificate stuff and use MSCHAP. This is technically not as secure as certificate based configurations but is much simpler to install.
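The "local userid file on the web server" option from the reply above, sketched as an added example that is not part of the original thread or any poster's code: a landing-page backend that checks a salted, hashed user file and tracks which client IP is logged in as whom. The file format, the `Portal` class and all names and addresses are assumptions made for illustration.

```python
import hashlib, hmac, os, time

ROUNDS = 200_000  # PBKDF2 work factor (assumed value for this sketch)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def make_record(userid, password):
    """One user-file line: userid:salt_hex:hash_hex (hypothetical format)."""
    salt = os.urandom(16)
    return f"{userid}:{salt.hex()}:{_hash(password, salt).hex()}"

def load_users(text):
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            userid, salt_hex, hash_hex = line.split(":")
            users[userid] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return users

class Portal:
    def __init__(self, users, session_seconds=3600):
        self.users = users
        self.session_seconds = session_seconds
        self.sessions = {}  # client IP -> (userid, expiry time)
        self.log = []       # (time, client IP, userid, result) for later review

    def login(self, client_ip, userid, password, now=None):
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal valid ids.
        salt, expected = self.users.get(userid, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(_hash(password, salt), expected) and userid in self.users
        self.log.append((now, client_ip, userid, "accept" if ok else "reject"))
        if ok:
            self.sessions[client_ip] = (userid, now + self.session_seconds)
        return ok

    def user_for(self, client_ip, now=None):
        """Who the gateway should attribute this IP's traffic to, or None.
        The session is keyed on IP only, so any device presenting the same IP
        is treated as this user: the shared-IP assumption noted in the thread."""
        now = time.time() if now is None else now
        entry = self.sessions.get(client_ip)
        if entry is None or entry[1] <= now:
            self.sessions.pop(client_ip, None)
            return None
        return entry[0]

# Constructed sample user file (not real accounts).
SAMPLE_USERS = "\n".join(["# guest accounts",
                          make_record("guest1", "correct horse"),
                          make_record("guest2", "battery staple")])
```

The router or firewall still has to redirect unauthenticated clients to this page and consult `user_for` before forwarding traffic; that part is outside this sketch.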