Is RADIUS the same as Hotspot?

PacketRider

Occasional Visitor
What is the relationship between a RADIUS server and running a Hotspot? Doesn't a hotspot package solution have a RADIUS server at its heart? In other words, if I decide to use an Edimax CAP1200 as the controller for a bunch of APs that support RADIUS for authentication, even APs from other vendors, then is that all I need to run a hotspot like at a coffee shop or do I need additional software? A hotspot obviously needs a captive portal where the customers would see a landing webpage where they would enter their respective username and password. This captive portal method is different than what is explained in the SNB article in a sense that with a captive portal, the users do not need to pre-configure their computers to authenticate against this RADIUS server. Moreover, how about Mac computers? Can MacOSX be used with this Edimax RADIUS server? A Hotspot system does not differentiate between Macs and PCs. The authentication step at the landing page is the same for both platforms.

Basically, I would like to set up a Hotspot for a coffee shop that is entirely in-house as opposed to using a subscription service where the controller is in the cloud. From a business standpoint, sometimes it's hard to convince a mom-and-pop coffee shop to pay a subscription to run a hotspot. At the moment, I have only set up a pseudo-hotspot that uses a guest network that has its own VLAN, which in itself is a pretty good system in terms of security, but I would like to expand on this to include RADIUS technology to have each customer logging in with his own unique credentials for tracking purposes and monetization for the coffee shop owners, so they can actually bump up the throughput for certain patrons who use the hotspot more. At the moment, I simply throttle the data throughput to a certain low number. If the Internet speed can be made higher for some patrons who are willing to pay for the premium speeds, then the shop owner can use that to help pay for his higher ISP cost.
 
Good news is that RADIUS is pretty well defined as a standard and specification...

Windows Server can use Active Directory to bind RADIUS, and define policies for connection profiles, so that's all good - for a FOSS approach, FreeRADIUS is scalable and high performance, and it can use either a local directory, or bind to an OpenLDAP service as needed.

Note - Connection Profiles, depending on the controller, can have attributes that can limit bandwidth and session times, so there's a decent element of control there as well.
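
An added example (not from the thread or from any vendor's code) of what such a connection profile looks like on the wire: a RADIUS Access-Accept carrying Session-Timeout and the WISPr bandwidth attributes, with the RFC 2865 Response Authenticator that the access point or controller checks using the secret it shares with the RADIUS server. The secret, authenticator bytes and limits used with it are constructed, and whether a given controller honours the WISPr attributes is an assumption.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, SESSION_TIMEOUT, VENDOR_SPECIFIC = 2, 27, 26  # RFC 2865 numbers
WISPR_VENDOR_ID = 14122                                      # WISPr dictionary
WISPR_NAMES = {7: "bandwidth_max_up", 8: "bandwidth_max_down"}  # bits per second

def attr_int(attr_type, value):
    """Standard attribute: type, length (6), 32-bit integer value."""
    return struct.pack("!BBI", attr_type, 6, value)

def wispr_int(vendor_type, value):
    """Vendor-Specific attribute wrapping one WISPr integer sub-attribute."""
    return struct.pack("!BBIBBI", VENDOR_SPECIFIC, 12, WISPR_VENDOR_ID,
                       vendor_type, 6, value)

def response_auth(header, request_auth, body, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_accept(identifier, request_auth, secret, attrs):
    """Server side: assemble the Access-Accept that carries the profile."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + response_auth(header, request_auth, body, secret) + body

def read_profile(packet, request_auth, secret):
    """AP/controller side: verify the reply, then extract the limits."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad length")
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(auth, response_auth(header, request_auth, body, secret)):
        raise ValueError("bad response authenticator")
    profile, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + alen]
        if atype == SESSION_TIMEOUT and alen == 6:
            profile["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and alen == 12:
            vendor, vtype, vlen, num = struct.unpack("!IBBI", value)
            if vendor == WISPR_VENDOR_ID and vlen == 6 and vtype in WISPR_NAMES:
                profile[WISPR_NAMES[vtype]] = num
        pos += alen
    return profile
```

A reply that was altered in transit, or produced without the shared secret, fails the authenticator check before any limit is applied.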
 
Two different animals. RADIUS is an authentication protocol for user-based network access authentication.

Hotspots may or may not use RADIUS. Some are simple captive portals that just make you view / agree to a T&C page. Other hotspots that charge for access obviously use authentication. They may or may not be RADIUS based. It's more likely they are not, since RADIUS requires configuration/support on the wireless client.

I think DD-WRT integrates a few hotspot third-party services. Chilispot is one.
 
Network authentication against a RADIUS server is more secure because the authentication is in the form of a username AND password, both of which are unique. Therefore, it's akin to 2-factor authentication that is offered by the likes of Gmail.com and Outlook.com. One thing I am confused about with the RADIUS service: why is there a need to pre-configure on the client's end?

I assume the benefit of this pre-configuration on the individual end devices is so the RADIUS server can validate that these devices are authorized to use this network's resources. In short, RADIUS is both user-based and device-based authentication. This is why there is a pre-shared key on both the RADIUS server and the client machine. This PSK authenticates the device while the username and password authenticate the user. This is the enhancement of security that RADIUS is used for. What happens when the machine that has cached the PSK has gone missing? There is no way to revoke the access for this machine because there is only one PSK for the RADIUS server, unless the PSK itself is changed, which would then affect all other machines.
 