IAS/RADIUS Implementation in a Coffee Shop?

noyler asks: "I've been asked to decide on the best way for metering a 'free' wireless network at a local coffee shop. Here's the scenario: currently, local college students come to the coffee shop, grab a cup of coffee, and then spread out like it's a study hall for 6 to 10 hours at a time and use the free internet. The coffee shop loves this, but it's getting really crowded for the other customers that just come in for some coffee and have nowhere to sit. The management wants to implement a system that, upon buying a drink, grants a time-limited connection for that customer of 3 or 4 hours. If the customer wants more access, another drink will need to be purchased. The store network is a simple cable modem with wireless access point attached right now. After implementation, customers should be prompted for a username/password (which can come from his or her receipt) and then have access to the 'net. One limitation is that the customers should not have to install any third-party software to use it--no window for software corruption liability that way. The customer base is mostly Windows with an ever-growing number of Mac users as well. What are some good ideas for doing this? I've considered RADIUS, or some kind of portal software, but don't see any clear answers. Any suggestions for software to use?? The coffee shop is very low budget, so cheap hardware and free software would be best!"

Re:Simple Answer...

[innosent]

Here's the solution: do what some hotels do to get you to agree to terms of service, only taken a bit further. Allow any device to connect (no WEP, just an open AP, keep it simple). Allow only DNS queries from anyone. Set up either a proxy or use a packet rewriting algorithm (like the "forward" command in FreeBSD's ipfw firewall) to redirect all outbound web traffic from source IPs/MACs (remember not to use NAT on the AP, you need the unique addresses, or use MAC addresses [better] if the firewall/proxy is the AP) that are not in a valid table or list (like one table for each hour, half hour, etc, I'm using table because that would follow with a FreeBSD ipfw2 firewall). Drop packets for any ports other than 80 (and 53, of course) for any host not in the valid list. Redirect them to a server that serves up the same single page for any requested page (they could have specified a path other than "/"). This single page should redirect them to your authentication server (this will most likely all be on the firewall, just an aliased IP that answers anything for the first page).

The authentication server gets some sort of confirmation number from the user. (printed on the reciept, insert your own clever algorithm for unique, difficult-to-guess numbers here [even better if the time can be determined by the number, or if the numbers are saved to a database somewhere]). Using the (valid) confirmation number from the receipt, the firewall/proxy adds the source IP or MAC to the valid source address table, and if you want to be really nice, you could have passed the original requested url through from the initial page that redirected them to the authentication site, and now redirect them to that page.

Set up a cron script to clean out the tables for tickets that have expired (this is why it would be easier to have your tables named for the time they expire), and you're done. Once a source IP or MAC is removed from the table, all further traffic will send them back to your authentication page, which can inform them that purchases are required for access, and the cycle can repeat. It would be best to use the firewall as the access point (put in a wireless card that is capable of being an AP), so that you can use MAC addresses to filter, and avoid the possibility that someone could leave while they have time left and have another person get the same IP, but as a minimum, you should do the DHCP from the firewall, and must do NAT from the firewall for outbound (validated) connections.

randomiz(ed) guess

[iamcadaver]

Print out a randomized WEP key on the receipt, and somehow automate it to be good for only 3 hours.

Re:randomiz(ed) guess

[KevinKnSC]

The WEP key is the same for the whole wireless network, though, which means that if you change it 3 hours after one person's purchase, it might only be 5 minutes since someone else's purchase.

Re:Give me a breakj

[LordNimon]

Does the coffee shop have a problem with people buying one drink and staying there for more than 4 hours?!?!?!!? I doubt it.

Ugh, I just noticed the part about students sitting there for 6-10 hours. Sorry about that.

Wouldn't it be easier just to kick the students out after 3-4 hours if they don't buy another drink? Whether they use the network or not, I think the coffee shop needs to do that. A lot of restaurants already have that policy. Just have the wait staff keep track of these tables.

Re:Give me a breakj

[NevermindPhreak]

coffee shops are much different than resturants in that you want more of a social atmosphere. i think they want to keep their coffee shop as full as possible, while keeping returning customers, and still have room for new people as they come in.

No interest? Don't comment.

[Futurepower(R)]

Please don't comment on stories in which you have no interest.

Re:Give me a breakj

[Oliver Wendell Jones]

You forgot to add:

In the event that you ignore our advice to not do $something, a simple Google search turned up rand(10000) responses that should answer your question.

Re:Give me a breakj

[Marxist Hacker 42]

McDonald's does this- in select locations, free two hours of net access with purchase of extra value meal. I think they're using a custom version of NoCatAuth- anway, all I have to do is enter the username/password from my cupon into the intital web page, and I've got access.

Caffeine-powered Internet access

[mopslik]

Hook up each computer to a bicycle-powered generator. After 3 or 4 hours, they'll need to buy another coffee just to keep them awake.

Easy peasy.

Sounds complicated

[MarkGriz]

Why not just hire the Annoying Coffee Shop Guy from MTV's Boiling Point.

What about your feet?

[_LORAX_]

Simply have the manager remind the students that the free networking is supported by thier continued purchasing. Simply changing the mindset is a whole lot better than trying to screw with a psudeo-login-tracking system. It also allows the managers to target just those that are a problem rather than inconviencing everyone.

Re:What about your feet?

[chris_mahan]

You're talking about students here. They do not care about your little business problems.

What you need to do is have 'connectivity problems' when the place gets very crowded. When a geek complains, say: 'dude, we would upgrade the system, but we have no money allocated because people just come here to sit all day and suck our bandwidth witout buying drinks'.

That, or or put a little sign on a tabletent: two hours per drink maximum. Most of them will get the point and leave. Those that don't, you turn upp t

Re:What about your feet?

[fm6]

I'm sure they've thought of that. Students monopolizing table space was an issue for coffee shops long before there were wireless access points. Having store employees play table proctor is not a good way to build a reputation as a student-friendly zone.

Re:What about your feet?

[tverbeek]

Bob (who spends to much time in the local coffee shop)

Reading The Wall Street Journal, by any chance?

This isn't the "social engineering" boogeyman that fiscal conservatives like to scare Econ students with. It's a business owner looking for a way to run his own business in a way that's consistent with his own values. For example, maybe he puts some value on treating all people equally (i.e. people who come in later should have the same access to seats as the squatters). Maybe he doesn't like the idea

Re:What about your feet?

[yuri benjamin]

Well said.

Re:What about your feet?

[morzel]

Does the store owner really care that it's crowded? No! That's great business!

Not if the "consumers" are only paying for one drink and then staying for hours on end, leeching from your internet connection and (even worse) hogging table space.

While I agree that you shouldn't be rushing anybody out, I can understand that after a reasonable amount of time after your last consumption your welcome officially "runs out".
Most everyday people do this by themselves (either they consume something or they leave),

How to Build a Simple Wireless Authenticated Gatew

[jsimon12]

This would certainly be a cheap solution:
http://www.hackinthebox.org/article.php?sid=15607 [hackinthebox.org]

I'm pretty sure

[SLot]

NoCatNet will do what you need it to.

NoCat [nocat.net]

ZyXEL ZyAIR B-4000

[nuxx]

I suggest looking at the ZyXEL ZyAIR B-4000 [zyxel.com]. It's an access point / receipt printer that is commonly used for selling access. The user gets a receipt, logs into a website, and is granted access for X period of time. You could make it so that when someone buys coffee, they get a receipt good for four hours. Or for $X they can get all day access... It's all up to you. Either way, it's trivial to use. The clerk just presses one of three preconfigured buttons on the receipt printer, the receipt with the access code is created, and everything else happens automagically.

Re:ZyXEL ZyAIR B-4000

[EvilMagnus]

Wow. I was thinking about a system like this a few weeks ago, and it looks like the ZyAIR does exactly what I'd want it to do. And for around $500, which is a pretty good investment for a coffee shop.

(no, I don't work for ZyAIR. :) I'm just interested in captive portals )

Re:ZyXEL ZyAIR B-4000

[nuxx]

Yeah, I agree... And ZyXEL makes really good products. Sure, it's only .b, but who cares? They are likely sharing a DSL or cable connection anyway. And with the lack of need for training of clerks minimal infrastructure, it's a great idea.

Personally I'd just throw some signs up around the store saying "Ask For Four Hours Free Internet Access with Purchase" (since four hours is more than anyone can really argue with) and then have some print that says that 24 hours of access is available for... Say... $5.

I

Re:ZyXEL ZyAIR B-4000

[NevermindPhreak]

i think this is exactly what the poster needed. i was going to suggest some sort of homebrew system like this, but it would probably take way too much time/difficulty to set up. nice.

Here's one...

[mogrify]

Replace all your electrical outlets with blank faceplates. Once the battery's out, the user's got to go somewhere else. Should be about 3-4 hours or so....

No power outlets...

[aquarian]

I've been to a few places that do this already. One doesn't actually block the (plentiful) plugs, but their official policy is battery only. Signs are posted saying so. It's OK to plug in to save and shutdown if your battery runs out. The other places simply have no plugs available.

Re:Here's one...

[Stinking Pig]

Score funny? What for? Looks pretty insightful to me.

Gateway Product

[Doug Dante]

Pretty simple really. The store management generates a set of userid / password cards good for the time period that they want (1 hour, 2 hours, etc).

When you buy a cup of coffee, you can get a free card. If the worker sees your laptop, he or she can give it to you automatically, or you can ask.

Then customers who connect wirelessly can use the the username / password combination to get online. When their time is up, they will be disconnected and will need to get a new username and password combination.

How about a bit different approach?

[Masa]

Set up few bar tables for laptop users, so they have to stand up while using the wireless access. Just state clearly that chairs are reserved only for customers with beverages.

Re:How about a bit different approach?

[fm6]

That says, "We don't want you using our shop as a study hall, period." If they were going to do that, they might as well not provide any network access. They're obviously trying to be more student-friendly than that.

A contraction and two words: Don't do it!

[ZosX]

This idea is so asinine and restrictive that I can almost guarantee that it will fail miserably as well as probably upset a great deal of the existing customer base. Case in point: I frequent a coffee shop here in Pittsburgh constantly. The Beehive offers free wireless access as well as has around 8-9 computers with all sorts of multiplayer games installed, as well as DVD drives (you can watch movies), and believe it or not, cable access. A number of the computers have tuner cards built in. The money they get from the PCs more than covers the costs of their relatively low upkeep, upgrades, and of course the DSL, which seems to be basic SDSL at maybe.....1.5mps? They are the only coffee shop in the area to offer free internet, and of course people come and congregate based on this fact. The most comparable coffee shop that offers internet would be the Quiet Storm, and it costs roughly $20/month to $10 for a few hours or something (maybe the day). Of course, Starbucks has T-Mobile hotspots that are completely locked down, but I won't get into THAT. Don't charge by the hour. By imposing a fixed cost for a fixed period of time (1 coffee = 3 hours or whatever) people will feel like they are being charged for internet usage. No coffee, no internet. If your crowd is a mostly college crowd, it is understandable that many of them are rather poor and cannot afford $10 in coffee a day. I'm sure that a sizable percentage of your customers comes by just to hang out and sees a coffee or two as the cost of admission. This is the appeal of coffee shops, right? The more friends people have with them, the more paying customers you have. If you have a problem with a large group that does not buy enough to use up your entire space, they need to be kindly, and politely I might add, informed about the simple economics of running a coffee shop. I'm sure the owner pays rent or a mortgage, taxes and obviously, employees. Also, you should look at supplementing the costs of the free net with some rental computers or something that people can use out of convenience, like a CD burner and a printer. Sometimes it is incredibly convenient to be working on a project and have such things available without having to go to kinkos, especially in a college environment. Just think about this differently at least. Anything so restrictive is sure to raise complaints and decrease the overall satisfaction of your customers. $100/month is totally worth it to spend, especially when your customers are buying freaking $2-3 coffees. If you implement a system like this, it is going to take time and money to deploy and test, depending on your setup, which I'm guessing isn't probably all that sophisticated. The problem is really the people that are just using the space. Those are customers you can certainly afford to lose and the best way is ultimately to politely ask them to leave if they are finished with their drinks so that paying customers can use their space. Every bar and coffee shop (the successful ones at least) I've been to will certainly follow some similar policy. I drive a taxi and I clearly wouldn't let someone ride around without giving me some cash. I expect any other sensible businessman to do the same.

Re:A contraction and two words: Don't do it!

[itwerx]

Those would all be good and valid points if they actually related to the problem posted.
From the article: it's getting really crowded for the other customers that just come in for some coffee and have nowhere to sit
I'm sure the shop would love to do things exactly the way you describe if they only had room to!

(Nice post though, even if was completely off-topic - you should be in sales! :)

Re:A contraction and two words: Don't do it!

[CXI]

This idea is so asinine and restrictive that I can almost guarantee that it will fail miserably as well as probably upset a great deal of the existing customer base.

Are you kidding me? Perhaps if we didn't have people that assumed they had some kind of right or privilege to take up a chair all day using someone else's bandwidth and are rude enough that they can't fork out $3 every FOUR HOURS then there wouldn't be a problem to begin with? That's cheap compared to normal hourly rates some places charge! No

Public IP / Zone CD

[therubberduckie]

By far the greatest setup for this is http://www.publicip.net/ [publicip.net]. It will actually allow users to login and you can set how long each user is allowed to use the wifi. The developer is very active in the forums and personally answers almost all questions. Here is a list of the features. Check it out, I have used it in the past and been nothing but impressed!

• Customize ZoneCD login pages
• Choose to use a branded template
• Create multiple zones from same login
• Zones can be Public, Shared or Private
• Separate permissions for your Zone logins.
• Configure web registration
• User authentication and management
• Homepage redirection
• Daily time limits per user
• Daily download limits
• Zone open and close times
• Block by mac address
• Configure user permissions(Classes)
• Customize firewall rules for each Class
• Content Filtering (block porn, downloads, etc.)
• Daily Log Mailer program
• Block traffic to *wired* network
• Branded "Terms of Use" template or use your own
• Usage statistics
• Multilingual login pages
• End-User reporting

m0n0wall or NoCat

[derinax]

I successfully implemented a RADIUS-based captive portal on m0n0wall recently. It's a very solid (and free) solution, made more robust by having a separate machine for RADIUS and isc-dhcpd. FreeRADIUS is quite easy to manage, we just used a flat-file for auth. You can also use an SQL server if you need it.

http://www.m0n0.ch/wall

I stuck it on a Dell SFF. Incredibly robust. No downtime in a week (the entire project duration) for over 500 users.

M0n0wall is very easy to use and manage, NoCat had me wiped out trying to configure it. The main stumbler was that active development is only progressing on NoCatSplash, which AFAIK still doesn't do authentication, and NoCat doesn't intuitively run on BSD, tied as it is to Linux' firewall.

And as a BSD user, I was more drawn to m0n0wall anyhow.

Re:m0n0wall or NoCat

[FreeLinux]

Briefly looking over the M0n0wall website, it appears to be just a firewall rather than a wireless hotspot solution. Did I miss a feature or did you fail to post all of the configuration modifications that you had to make in order to turn M0n0wall and FreeRADIUS into a captive portal?

I'm not trying to be offensive but, how is M0n0wall better than the likes of ZoneCD [publicip.net] or NoCat Auth [nocat.net]? I understand that 'you' found NoCat complicated as compared to M0n0wall but, is that an accurate assessment or is it simply you

Re:m0n0wall or NoCat

[kayen_telva]

m0n0wall has a captive portal built in AND can interface with radius. but I dont believe it is the solution for the Ask Slashdot

Re:m0n0wall or NoCat

[derinax]

m0n0wall has a built-in captive portal, which you can easily see by glancing at the feature list or perusing the screenshots on their website.

1. ZoneCD requires an external management site-- you need to either require your users to register themselves, or you must submit usernames and passwords to a third party. You can run your own management site if you are willing to tolerate the requirements to do so. This was unacceptable to us, we wanted to manage the database ourselves using RADIUS.

2. NoCat Aut

BlueSocket

[AllMightyPaul]

While it might be a bit expensive, BlueSocket is what is used at Virginia Tech for its wireless network. Students log in with their student ID and password and it records the MAC address. After 15 minutes of inactivity, the MAC address is dropped from the usage table and the use has to log back in again. I'm sure it could be modified to do other things, too.

Re:BlueSocket

[thegrassyknowl]

You could go one further than BlueSocket (Which requires client-side software installs and the OP didn't want to do that). I think BlueSocket is poo. They use it at my uni as well. IT farked up my Windows install and didn't work real well (read: at all) with Linux.

Just set up a PPTP server (VPN) and have username/passwords randomly added to the chap-secrets list with a timestamp in a comment for each one. Just configure a cron job every 10 minutes or so to remove old timestamped entries and kick off th

These are neat, but not exactly cheap...

[JofCoRe]

These "Vantage Service Gateway" appliances that Zyxel sells are pretty neat, but not exactly cheap: vsg-1200 @ buy.com [buy.com].

They have some quirks, as we're still playing around w/the one we have.. Like they seem to break VPN for example. They do a weird rewrite of DNS that screws up people trying to check their email via outlook over a VPN... But if you don't need VPN from behind then, they seem to do the job.

Transparently controls access to the internet, no configuration on the user's machine is needed. It intercepts any web traffic and makes the user login, as you were mentioning. You can set up user accounts locally on the VSG, or use a RADIUS server. You can control access time and bandwidth limits based on users and billing profiles that you set up on the box. The web interface seems a little "clunky" to me... think it was written in a different country and translated based on the wording of some of the error messages :)

Go Low-Tech

[JonoPlop]

I agree with others: A verbal reminder is the best. If it's a technological solution, us-types (Slashdotters, that is) will naturally try to get around it - we treat it as a challenge. The first thing that came to my mind was just picking up a discarded receipt from one of the 98% of customers who don't use wireless.

Re:Go Low-Tech

[CXI]

So, you only give out the passwords to those who request to use the service. Please show your receipt if you forgot to ask when you bought something.

Re:Go Low-Tech

[kwerle]

Please. All it takes is one person who forwards everyone's traffic through their machine, through your network, to foil the techno-solution.

Nomadix

[jsailor]

Nomadix is probably the leader in this space. Their products are good, fast, and relatively cheap considering the functionality and low maintenance requirements. For small sites there is the wireless gateway and for larger ones (up to 200 concurrent users) there is the HotSpot gateway. You can review the products and feature list here [nomadix.com]

Someone else mentioned ZoneCd [publicip.net] from publicip, which we looked into, but my client decided that a support contract was more in-line with their operational model. However

Could you make the WIFI more directional?

[pnice]

Couldn't you set up the access point so that it only allows access from a certain area of the coffee shop? Not sure how big this place is but if it is big enough to delegate only half or a fourth of the tables/seating to people wanting to use the internet this might work. You know, use foil or something to block the WIFI from going into the area of the shop you want to allow for people just there to drink some coffee so that people sitting there won't get a wireless signal at all. Then mark one area as t

Isn't centralized solution available for you?

[dimss]

I live in Riga, Latvia. Paid public WiFi access is available in many places such as "Double Coffee", "Coffee Nation", "Statoil", "Lido" etc. etc. Wireless service is provided by Lattelekom. Coffee shop customers can buy prepaid cards with username and password for Lattelkom Radius server. Alternatively, login/pass can be obtained by SMS. Coffee and Internet access can be purchased together or separately. When there are no more free seats waitress will ask WiFi-only customers to leave.

http://www.lattelekom.

Coffee shops

[QuantumG]

Friends of mine used to run a coffee shop. You were given 10 minutes to sit at a table without a drink. Then someone would come collect your cup and ask "would you like another?" You were, of course, permitted to say no. You were then given another 10 minutes, and someone would again come to the table and ask "can I get you anything?" Again, you're permitted to say no. 10 more minutes and the waiter would return to the table and state "I'm sorry, if I can't get you anything I'm going to have to ask you to leave." And that got rid of the lurkers.

Re:Coffee shops

[La Camiseta]

Yeah, that'll go over really well next to a college campus. I don't know about where you live, but there's something insane like at least 4 cafes along the street across from the university here, plus 3 ON the campus, including one in the library, where you get free wireless anyways, so the competition for customers gets pretty heated here. Not to mention that the majority of the management are college students, so they're pretty cool about stuff.

Signage

[kponto]

I agree that verbal warnings would be a bad solution. I've had exepriences at coffeeshops where the manager came out every hour to check the timestamp on everyone's receipts. If it was more than an hour old, you had to buy something or leave. Lets just say that this practice didn't bolster a sense of respect for the establisment.

I think some obvious, well placed signage reminding people that they should support the cafe appropriate to the time spent would be the best solution. That way, you don't have to b

Firewall rules and a webpage

[moorley]

**DISCLAIMER ON**
I've seen this question in different forms before. I know there has to be something out there indexed on freshmeat that will handle it, but I have yet to see it done the way I would do it. And the idea is only in my head, I haven't yet the chance to play with an actual implementation so I may be mispeaking Linuxes capabilities or how specifically to go about this.
**DISCLAIMER OFF**

The way I would look at doing it would be a simple cheap linux box with a WiFi card and a LAN Card. You can tu

ChilliSpot, FreeRADIUS, iptables and a script or 2

[ikekrull]

Do it for me.. I built a prepay wireless gateway that works on a simple system of assigning a unique number to authenticate a connection - extra work was required to properly meter only 'external' bandwidth, and some minor mods required to disconnect users when their paid-for time expired (though this feature is in chillispot now).

I ran this on an X-Box with a USB wireless adapter, and it would work quite happily on any IP based network setup.

No power outlets

[raider_red]

Just remove all of the publicly accessible power outlets. That'll limit them to the charge they have on their laptop batteries. Of course, it's still something only an asshole would do.

Turnkey hotspot

[kansei]

I read about ZyXEL devices some time ago. Go to www.zyxel.com and look for a ZyAIR G-4100.

This device comes with a printer and all you have to do is push a button to print authentication info for the users.

http://www.zyxel.com/product/model.php?indexcate=1 103876296&indexcate1=1085450343&indexFlagvalue=102 1876859