
Firstspot central management question
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Fri Mar 11, 2011 2:07 pm
Post subject: Firstspot central management question

I have a different setup than most. We are looking at the centrally managed option.

We have 17 sites, 50 access point maximum users each. Our customer does not need to bill anyone, but they would like the users to click through a user agreement, and have a time limit for each user of 60 mins at which point they would be kicked off and have to login again.

We would definitely NOT want to put computers at all these sites so that's why centrally managed.

Is this possible? We are going to give the users 60 min DHCP leases, and have an AP rule to limit 50 max associations. However, most of the hotspot software I've run across cannot track via IP addressing and either need MAC or something else.

If tracking by IP is too hard, we would not mind username and passwords. However, if we do that, it would have to be dynamically generated and we would need an automated way for the users themselves to generate their own temporary accounts since these sites may be unattended. Again, most software requires an admin that hands out papers... we definitely cannot do that. If users can do it on their own, great.

Again, this is for fairness of access, not for billing and credit cards, etc. The ideal would be IP address tracking with a click through and timer and that's it. If that's not possible, we could go with dynamic temporary accounts but only if the users themselves can go generate them on their own. And static accounts won't do unless the static accounts can keep booting off by 60 min timer and would allow them to get back on the same day after a short wait (like 1-2 mins). Again, as with dynamic, the software would have to be able to accommodate the users themselves being able to get their own accounts without admin involvement.
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Fri Mar 11, 2011 2:18 pm

I forgot to post that we are very experienced with routing and switching, and are going to be using policy based routing via subnet from the AP to get to the hotspot device.

Also, if DHCP relay is necessary to make this work, does your hotspot server support this?

This might be the answer to the problem.
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Fri Mar 11, 2011 5:08 pm

Couple of comments:

1) Yes, FirstSpot can track by client IP. You just need to enable IP-based Session Handling in Configuration Manager (available in Advanced Edition only).

2) If you permit "open access", you can use Anonymous Option (under Authentication Server) with Maximum time limit per session. Basically, the client will need to accept a user agreement, say every 60 minutes. The advantage of this setup is that you don't need to manage username/password.

3) As for deployment, if you have control of the edge routers, you can use our Scenario 3 at http://patronsoft.com/firstspot/topologies.html . Note that you only need to set up a VPN tunnel if you cannot force the traffic to the centralized FirstSpot site. Also, in Scenario 3, FirstSpot DHCP server supports routers with DHCP relay, so you can let FirstSpot DHCP server handle all IP delivery.
_________________
~ Patronsoft Limited ~
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Sat Mar 12, 2011 4:45 pm

Good, it sounds like the software meets most of our needs.

I had a few more questions on answer 2):

I noticed that the self sign up mode had some good restrictions like how quickly one could sign in again.

What is self sign up and what authentication mode supports it? Is self sign up usable in anonymous mode? Or is self sign up when you login to get yourself a username and password?

Ideally, we would like users to use anonymous, with 60 mins from initial use on a timer and not dependent on whether or not they logoff (not accumulated, but time from first login). Is this possible with anonymous? Also, is the timer option selected from the authentication screen or the plan screen? Are plans allowed in anonymous?

Sounds from your response that anonymous is still good, but I didn't know which screens configure what.

I like the 60 min timer, but don't know if plan or auth screen takes care of that
don't know if the timer is time from first login, or accumulated time. (first login is preferable)

I like the time between login setting, but don't know if that's in auth or plan (this value would be set to like 5 mins)
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Sat Mar 12, 2011 4:59 pm

Self sign-up is for username/password mode.

From your description, it looks like Anonymous Option with Maximum time limit per session (e.g. set to 60 minutes) should fit your needs better. And yes, Anonymous will count from the first login. After the user clicks the button, he will see the login screen again in, say, 60 minutes (no matter what he does). The user cannot really log out himself under Anonymous Option.

Note that the Plan concepts only apply to the username/password mode.
_________________
~ Patronsoft Limited ~
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Sat Mar 12, 2011 6:26 pm

For self sign up, can they make their own username/password (self account registration with no admin intervention?) and could it work the same with the 60mins and make them wait a little before going again?

Again, no need to charge, just keep track of time for fair access. Also, does the built in database have an account max? We wouldn't be using sql, or radius, or anything external.

Another question:
Is there any limit on the number of users per subnet that can be imposed? I didn't think so (I didn't see it, I'm running the trial in a VirtualBox VM), but this would also be of interest. We are limiting users per AP by the AP properties, but it would be great if the software gave a message and had it do it instead.
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Sun Mar 13, 2011 5:34 am

For self sign-up, yes the end-users can make their own username/password with no administrator intervention. And yes, the same "Maximum time limit per session" feature will work with username/password mode as well.

Charging is optional. Also, there is really no hard limit on the number of users in the built-in database, so you don't need external SQL or RADIUS.

There is no limit on the number of users per subnet. The closest thing is to use a smaller subnet (e.g. class C) in which you will be limited to around 254 available IPs.
_________________
~ Patronsoft Limited ~
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Tue Mar 15, 2011 2:48 pm

One more question regarding self sign up.

First question is about how it works:

So does it work like this:
A user goes to a screen, picks a username and password, and now can access it for 60 minutes at a time, with a minimum 5 min wait period in between? And this is his username and password from now on?

Next question is about how to configure it:

How is the self sign up screen configured from the menus? Is it using the username & password option authentication option? Then what other screens are involved? For example, is the self signup option set up also in the Plan screen?

Last question:
We can potentially have 900 users concurrent max. What is the recommended hardware for that? I currently have a Dell R210 server with 1 quad core Xeon 3 GHz processor, 4GB RAM, 160GB HD, four Ethernet ports, and Windows Server 2008 x64... do you think that will do?

Thank you. Sorry for all the questions but this will help determine the best possible compatibility for us to bid to our customer.
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Tue Mar 15, 2011 3:10 pm

The user will be required to pick a username/password, and he can use it for, say, 60 minutes. There is really no concept of "wait period", he just needs to re-login every 60 minutes.

For self sign-up, yes you just use username/password mode. Also, set the "Initial access minutes for self sign-up users" to blank (i.e. unlimited) and set "Maximum time limit per session" to 60 minutes. For this case, you don't need to use Plan.

For sizing, you can use the machine config you suggested as a start. Note that currently FirstSpot supports 32 bit Windows only, so you need to use Windows 2008 SP2.
_________________
~ Patronsoft Limited ~
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Tue Mar 15, 2011 5:14 pm

I forgot to ask, using IP tracking in the premium version:

Does the IP tracking have to be in a specific subnet, or any routable address? These sites will be coming from different subnets such as 10.10.1.0, 10.10.2.0, 10.10.3.0, etc. They may also be in a completely different class b such as 10.200.0.1.

Again, we can route from all these locations directly to the FirstSpot easily using policy based routing so the routing is not the problem - I was just worried that the different addresses might be.
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Tue Mar 15, 2011 5:33 pm

The client IP address can be any valid IP, there is really no limitation.

BTW, IP tracking (we assume you mean IP-based Session Handling) means that we recognize the client by IP (instead of MAC). Note that this feature is available in Advanced Edition only (not Premium Edition, see http://patronsoft.com/firstspot/editions.html).
_________________
~ Patronsoft Limited ~
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Mon Mar 28, 2011 12:42 am

Another question that came up:

Can firstspot manage multiple DHCP VLAN domains and scopes hanging off the Windows server? For example, if I have an interface facing a VLAN trunk containing two or more VLAN interfaces that give out for example:
VLAN 100: DHCP 10.10.10.0/24 on access point 1
VLAN 200: DHCP 10.10.20.0/24 on access point 2
VLAN 300: DHCP 10.10.30.0/24 on access point 3
etc..

Can it track all those clients using IP and MAC tracking?
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Mon Mar 28, 2011 4:57 am

Whether FirstSpot can recognize the client by MAC or IP is determined by whether there is a router between client and FirstSpot. Any router will hide the client MAC address, so you need to use IP-based Session Handling instead (i.e. Multiple Network Segments).

Note that FirstSpot is not aware of VLAN directly. If you enable VLAN, it should be transparent to FirstSpot.
_________________
~ Patronsoft Limited ~
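
An added illustration, not part of the thread and not FirstSpot's code: a toy session table showing the two behaviours described in the replies above, a hard per-session limit counted from first acceptance and the need to key sessions by IP once a router hides client MACs. The class, function names, addresses and MAC are all constructed for the example.

```python
"""Toy model of a click-through portal session table (constructed example)."""

SESSION_LIMIT = 60 * 60  # seconds; the 60-minute value used in the thread


class Portal:
    def __init__(self, routed, limit=SESSION_LIMIT):
        self.routed = routed    # True if a router sits between clients and portal
        self.limit = limit
        self.sessions = {}      # session key -> time the agreement was accepted

    def key(self, ip, mac):
        # Across a router every frame carries the router's MAC, so only the
        # IP still identifies the client.
        return ip if self.routed else mac

    def allowed(self, ip, mac, now):
        k = self.key(ip, mac)
        start = self.sessions.get(k)
        if start is None:
            return False
        if now - start >= self.limit:   # hard cutoff, idle or not
            del self.sessions[k]
            return False
        return True

    def accept(self, ip, mac, now):
        # The clock starts at the first acceptance; clicking again during a
        # live session does not extend it.
        if not self.allowed(ip, mac, now):
            self.sessions[self.key(ip, mac)] = now
        return self.sessions[self.key(ip, mac)] + self.limit


def demo():
    router_mac = "02:00:00:00:00:01"          # constructed: MAC the portal sees
    a, b = "10.10.1.23", "10.10.2.23"         # constructed clients at two sites
    by_ip, by_mac = Portal(routed=True), Portal(routed=False)
    expiry = by_ip.accept(a, router_mac, now=0)
    by_ip.accept(a, router_mac, now=1800)     # re-click: expiry unchanged
    by_mac.accept(a, router_mac, now=0)
    return {
        "expiry": expiry,
        "a_at_59min": by_ip.allowed(a, router_mac, 3599),
        "a_at_60min": by_ip.allowed(a, router_mac, 3600),
        "b_by_ip": by_ip.allowed(b, router_mac, 10),
        "b_by_mac": by_mac.allowed(b, router_mac, 10),  # shares a's session
    }
```

In the MAC-keyed table, client b is admitted without ever accepting the agreement, because both clients arrive with the router's MAC; the IP-keyed table keeps them separate.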
anoa



Joined: 11 Mar 2011
Posts: 15

Posted: Mon Mar 28, 2011 5:01 am

No I mean having virtual interfaces on the actual server running firstspot that are passing out the IPs via DHCP. The routers will be between the firstspot and the APs, but I would use DHCP relay to pass MAC DHCP requests directly to the firstspot.

My main concern is having so many interfaces entering the server that firstspot could handle all the different AP side interfaces rather than handling one.
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Mon Mar 28, 2011 5:03 am

One more comment: if, from FirstSpot's point of view (Visitor Network Interface side), your VLAN is really one big network segment, you can use either IP or MAC tracking. From our experience, your VLAN is really an AP feature, and once the wireless client attaches to the AP, it really looks like a normal client.
_________________
~ Patronsoft Limited ~
All times are GMT