OpenWrt Forum Archive

Topic: Turning a wlan network into a Hotspot, but how?

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

My situation: We have a small hotel and I am using a Speedport 701v and two Speedport 100xr (in a row as repeaters) to allow our guests a free WLAN connection. They have to get a WEP key from me. So far so good, works fine.

Problems:
1. I am concerned because I can only use WEP in repeater mode.
2. I have no possibility to prove that I am innocent if a guest, for example, downloads a movie illegally, because I can't see who's online at what time and how much bandwidth they used.

Solutions
1. Set up a Linux server with hotspot software (I probably could do it, but a PC needs quite a lot of power if running 24/7)
2. My idea, where I need help: use an OpenWrt hotspot with login (I played around with a wrt54ap and managed to get OpenWrt up once, so I should be able to get into the subject quickly, I hope)

2.1 Does the basic setup work? INET-->WRT54G-->(probably in between 701v?)-->Speedport100xr-->Speedport100xr-->User
2.2 Is hotspot software secure enough to disable WEP (it's hacked too easily anyway)?
2.3 Can OpenWrt monitor the time and bandwidth usage of my guests?
2.4 If those three points are answered with yes: Which one of the 1000 wrt54g's is the one I want, and do I want White Russian or Kamikaze? Important for me, of course, is to have a running system which works stably when set up properly.

Thanks a lot

Seballa

seballa wrote:

Hello,

Hi and welcome ;)

I think I will give you only partial answers, but better than nothing.

seballa wrote:

1. I am concerned because I can only use WEP in repeater mode.

Why? Is it because of a hardware limitation of your access points?

seballa wrote:

2. I have no possibility to prove that I am innocent if a guest, for example, downloads a movie illegally, because I can't see who's online at what time and how much bandwidth they used.

I guess this topic depends on the country you live in. I fear that no matter what you do, the owner of the Internet subscription is always legally responsible for what's going on.


seballa wrote:

2.2 Is hotspot software secure enough to disable WEP (it's hacked too easily anyway)?

You are right. WEP originally stands for Wired Equivalent Privacy but should be renamed to Weak Encryption Protocol :) Hotspots that don't use any encryption are of course even "worse". I won't go into details, but basically the dangers are:
- For a legitimate client: its traffic goes through the air without any encryption, so an attacker can steal its data easily. There is just no confidentiality, integrity or authenticity of data.
- For the AP's owner (you): it is "easy" to steal a legitimate client's session and access the net. On a hotspot (or captive portal) a client's session is tracked by its IP or MAC address or both. In any case it is possible for an attacker to steal the session without being noticed.



seballa wrote:

2.3 Can OpenWrt monitor the time and bandwidth usage of my guests

There are different possibilities and I will give you the one I've just tried and which is simple and works. I used CoovaChilli (formerly Chillispot): http://coova.org/wiki/index.php/CoovaChilli

Check this thread: http://forum.openwrt.org/viewtopic.php?id=16196

What I like is that you can use a simple local file to store your users/passwords, so you don't need to set up a RADIUS server, which is often needed by captive portals to authenticate and track the client's session (bandwidth, connection time ...)

If you create an account on Coova's AAA page you will have a RADIUS account. In theory, you can administer your users there BUT (!!) the creation of users is kind of chaotic. I don't really understand how they did it, but it looks like you can give access to your network only to users which already have an account there. This means that only an owner of an access point can access your AP ... kind of weird.

Nevertheless, what is great is that you can combine both possibilities: have a local file on your OpenWrt with your users and track their connection data (accounting) on the Coova RADIUS server via the web admin!!
You can check my post on Coova's forum: http://coova.org/phpBB3/viewtopic.php?f=7&t=817

Last but not least you can of course install a radius server (freeradius) on your openwrt. You will gain some advantages but it will be more complex to set up.


seballa wrote:

2.1 does the basic setup work?? INET-->WRT54G-->(probably inbetween 701v?)-->Speedport100xr-->Speedport100xr-->User

All I said above, I've tried it on a single openwrt but I don't know whether or not it is possible to set up in such a configuration.


I also know that Coova provides a firmware for captive portals: CoovaAP. http://coova.org/wiki/index.php/CoovaAP I've never tried it, though.


Another solution would be to use WPA2 Enterprise instead of using a captive portal. This is by far the more secure solution and not necessarily difficult to set up. Here again I have no experience with this (yet) :) I wanted to try, but there seems to be a (now fixed) bug for Atheros devices:
http://forum.openwrt.org/viewtopic.php?id=13298

Btw you ask if you should use White Russian or Kamikaze. I would definitely go for kamikaze but I think it also depends on your hardware compatibility. A lot of people (me included) use a built version from the Kamikaze SVN which is more stable.

There also is a new official release planned for August ;)

Cheers,
Tex.

(Last edited by Tex-Twil on 7 Jul 2008, 20:56)

Hi,

Thanks a lot for your reply! I was reading quite a lot about this today and decided that I can do it, although there is a lot to learn for me. I ordered a wrt54g (should be 3.1). We will see how far I get, but I think... no, I know, I will need more help.

Tex-Twil wrote:

Why? Is it because of a hardware limitation of your access points?

Yes, there are only proprietary solutions for this problem. As far as I know there is no standard which makes WDS and WPA possible. My access point has no option for WPA in repeater mode, nor have my repeaters.


Tex-Twil wrote:

it is "easy" to steal a legitimate client's session and access the net. On a hotspot (or captive portal) a client's session is tracked by its IP or MAC address or both. In any case it is possible for an attacker to steal the session without being noticed.

I didn't think about that. That means, basically, that my WLAN will remain insecure.

Tex-Twil wrote:

There are different possibilities and I will give you the one I've just tried and which is simple and works. I used CoovaChilli (formerly Chillispot): http://coova.org/wiki/index.php/CoovaChilli

I will try that one. But does it mean that I am somehow depending on their RADIUS, meaning if they stop the support or their server is down, I can't track my users? And is it a free service? Who is paying for the server?

Tex-Twil wrote:

Last but not least you can of course install a radius server (freeradius) on your openwrt. You will gain some advantages but it will be more complex to set up.

That is what I thought. I still might do this. The question is, how long will it take me and how difficult are the setup and the everyday work, like adding users?

Tex-Twil wrote:

A lot of people (me included) use a built version from the Kamikaze SVN which is more stable.

I never built anything so far; probably the main reason is I never had to. I have been messing around for quite some time now with mulinux, knoppix, kanotix and once OpenWrt on a WPA54g (which I bricked while playing around ;-)). But I am still working with MS on my work computers and I HATE VI (and VI hates me, I think). But anyway I am very motivated to get this hotspot running, and I am learning all the time.

Thanks

Seballa

seballa wrote:

Hi,
Yes, there are only proprietary solutions for this problem. As far as I know there is no standard which makes WDS and WPA possible. My access point has no option for WPA in repeater mode, nor have my repeaters.

But it looks like it is possible with openwrt : http://wiki.openwrt.org/OpenWrtDocs/Con … f67546498e I have no experience with this.

seballa wrote:
Tex-Twil wrote:

it is "easy" to steal a legitimate client's session and access the net. On a hotspot (or captive portal) a client's session is tracked by its IP or MAC address or both. In any case it is possible for an attacker to steal the session without being noticed.

I didn't think about that. That means, basically, that my WLAN will remain insecure.

If your hotspot doesn't use encryption ... yes it is completely insecure. Though it is possible to use WPA/WPA2 + a hotspot configuration. In this case you would have to provide the WPA passphrase (PSK) plus the login/password credential to your clients.

seballa wrote:
Tex-Twil wrote:

There are different possibilities and I will give you the one I've just tried and which is simple and works. I used CoovaChilli (formerly Chillispot): http://coova.org/wiki/index.php/CoovaChilli

I will try that one. But does it mean that I am somehow depending on their RADIUS, meaning if they stop the support or their server is down, I can't track my users? And is it a free service? Who is paying for the server?

That is exactly what I had in mind. It's an online service, so you depend on it. Furthermore, by default the login page of the captive portal is also "hosted" by Coova. It is possible to either customize it with a locally stored HTML template or store it locally. Yes, it is free.


seballa wrote:
Tex-Twil wrote:

Last but not least you can of course install a radius server (freeradius) on your openwrt. You will gain some advantages but it will be more complex to set up.

That is what I thought. I still might do this. The question is, how long will it take me and how difficult are the setup and the everyday work, like adding users?

Once again there are different possibilities, more or less complex. RADIUS itself can use different methods or "modules" to store users: simple text files, your Unix /etc/passwd file, or a database such as MySQL or Postgres. Note that if you use the file-based method I'm not sure how the "accounting" works. It is possible that in this case it is very limited. To add/delete users you just edit the file (vi ;) )

If you choose the database solution for RADIUS you get many more possibilities. Last weekend I tried to install freeradius and MySQL on my Linux PC and use this web interface to administer the users: http://daloradius.wiki.sourceforge.net/ It looks great. I will try to install it on my OpenWrt and eventually write a small tutorial.

seballa wrote:

I never built anything so far; probably the main reason is I never had to. I have been messing around for quite some time now with mulinux, knoppix, kanotix and once OpenWrt on a WPA54g (which I bricked while playing around ;-)). But I am still working with MS on my work computers and I HATE VI (and VI hates me, I think). But anyway I am very motivated to get this hotspot running, and I am learning all the time.

It is not difficult, but it does take some time. Keep in mind that in this case you have to have a Linux distribution to build OpenWrt on. You also have to build all the packages you will need by yourself, since the ones available via the official mirror will not be compatible with a system built from SVN. It is not difficult because you just have to choose what you need via the "menuconfig". If you forget to build a package that you need later, you just build it and that's it.

The thing is that once you have everything built, you have to set up your own repository for your packages, where you will install them from. You can put it on an HTTP server wherever you want (local or remote) or, if you have USB storage in your OpenWrt, store them on the USB. The latter is the option I use. Check the wiki for USB installation.


So as you can see there are different possibilities, more or less complex. If you need a quick working solution, maybe it is a good idea to start with something simple: official Kamikaze 7.09 + chillispot + file-based authentication. At this point you have what you need. And after that you can start playing around with RADIUS. If you are scared to screw up something on your OpenWrt, you can experiment with freeradius on a Linux PC. I now use Linux Mint, which is a "more user friendly" Ubuntu/Kubuntu distribution. http://www.linuxmint.com/ When you are more familiar with it, give it a try on OpenWrt. Or just go ahead and install it directly on OpenWrt; it is not a big deal. Btw you can use vim instead of vi; it is "vi improved" ;)

Regards,
Tex

(Last edited by Tex-Twil on 8 Jul 2008, 07:51)
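
As an added illustration that is not part of the original thread: the per-guest time and bandwidth figures asked about in point 2.3 come from RADIUS accounting records. This Python example totals them from a file in the FreeRADIUS "detail" layout and lists logins that appeared from more than one MAC address; the sample records and all function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the FreeRADIUS "detail" file layout (not from the thread).
SAMPLE_DETAIL = """\
Tue Jul  8 10:00:00 2008
\tUser-Name = "room12"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 3600
\tAcct-Input-Octets = 1000
\tAcct-Output-Octets = 50000
\tCalling-Station-Id = "00-11-22-33-44-55"

Tue Jul  8 11:00:00 2008
\tUser-Name = "room12"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 600
\tAcct-Output-Octets = 10
\tAcct-Output-Gigawords = 1
\tCalling-Station-Id = "66-77-88-99-AA-BB"

Tue Jul  8 11:30:00 2008
\tUser-Name = "room7"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "CC-DD-EE-FF-00-11"
"""
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')

def parse_detail(text):
    """Blank lines separate records; attribute lines are indented 'Name = value'."""
    return [dict(m.groups() for m in map(ATTR.match, block.splitlines()) if m)
            for block in re.split(r"\n\s*\n", text.strip())]

def usage_per_user(records):
    """Sum time and traffic from Stop records; collect every MAC each login used."""
    usage = defaultdict(lambda: {"seconds": 0, "in": 0, "out": 0, "macs": set()})
    for r in records:
        u = usage[r.get("User-Name", "?")]
        u["macs"].add(r.get("Calling-Station-Id", "?"))
        if r.get("Acct-Status-Type") == "Stop":
            u["seconds"] += int(r.get("Acct-Session-Time", 0))
            for key, attr in (("in", "Input"), ("out", "Output")):
                # Gigawords count how often the 32-bit octet counter wrapped (RFC 2869).
                u[key] += int(r.get(f"Acct-{attr}-Octets", 0)) + (int(r.get(f"Acct-{attr}-Gigawords", 0)) << 32)
    return dict(usage)

def logins_on_several_devices(usage):
    """Logins seen from more than one MAC: shared or passed-on credentials."""
    return sorted(user for user, u in usage.items() if len(u["macs"]) > 1)
```

Because a session is keyed on the MAC address, a device presenting a guest's MAC produces the same records as the guest, so this report shows credential sharing but not the session theft described earlier in the thread.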

Tex-Twil wrote:
seballa wrote:

2. I have no possibility to prove that I am innocent if a guest, for example, downloads a movie illegally, because I can't see who's online at what time and how much bandwidth they used.

I guess this topic depends on the country you live in. I fear that no matter what you do, the owner of the Internet subscription is always legally responsible for what's going on.

Hi, again
I've just read this article about the legal conditions in Germany :
http://news.slashdot.org/news/08/07/11/0346233.shtml

Tex

Hi

thanks for the link.

In the meantime I started to get things done.

- I have an AsusWL500GP now
- I managed to flash my device with 7.09 precompiled
- I managed to configure the network by ssh to have internet access over my existing router
- I installed webif, chillispot and freeradius (I opened a new thread for that one because one package is missing in backports)

I will start to configure everything in the next couple of days. I am quite busy on the weekend, so I am not sure if I can spend much time.

Thanks
Seballa

ok.
I also have a 500gp (but with an Atheros wlan card).

Let me know if you are stuck somewhere, I'll help if I can.

Tex

The discussion might have continued from here.