September 22, 2009

Classy SMB Wireless hotspots

I recently got a request for advice on building a wireless hotspot for a luxury cafeteria. The Pisanu law in Italy enforces a set of rules on public shops providing free internet access, such as customer identification (through ID) and access logging. Like it or not, this poses some challenges to the standard "Open WiFi" configuration you usually see around the world in such places.

In an enterprise environment, the solution would be to implement a proper Wi-Fi access infrastructure with a partial self-service procedure to enroll, get the certificate and thus create usernames and access logging. However, such a procedure is not really viable in a single shop. A luxury place, moreover, requires any solution to be easy to use for the customers and somewhat classy: no on-demand generation of keys, no ugly panels and so on.

I googled around and found some commercial solutions to the issue, each one proposing some sort of captive portal and monitoring solution. While I've not performed any comparative analysis of the commercial solutions, there was really nothing which made me "go wow", or that is really missing from the open-source solutions I will describe in a moment.

Why open-source solutions for a high-end environment, you might ask. For one, customization.
There's only so much you can do with closed-source, commercial software without great economic effort. However, since we are sensible administrators and managers, we want something we don't have to tweak, something which "just works". And it seems there are a lot of free, working alternatives on the market.

ZeroShell is the first to come to mind, perfectly capable of doing everything we need. My friend Luca Carettoni performed some auditing on the platform some time ago, discovering some bugs which were promptly patched: this is not life insurance, but it means that the level of security is at least able to pass a "free audit", which is more than most commercial solutions can guarantee.
Chillispot is another well-known player in this market sector: it is able to run on any standard server, providing integration with a RADIUS server. However, the project is now dead and its most likely successor is Coova. Coova's aim is to create a firmware (based on OpenWRT) for a number of devices, which includes a web-based panel and a powerful captive portal. Documentation is not as complete as it could be, but the project has an active community and can be tested in a few minutes.

In the end, my pick was: start from either ZeroShell or Coova, and customize the captive portal interface and user management panel. Enrollment is "manual", since customers have to present their ID. Once their user has been created, it can be reactivated by logging in to the captive portal on future dates. In the end, the entire project would cost less than 200 EUR in hardware and a couple of days to configure and set up.
The results? A stable, completely custom - and most likely secure - hotspot.

Update: I've just come across Sputnik and the project seems to be vastly superior to the competitors!