
AAA for Small Home Network


d4dreamer

Dear Experts,

My apologies for a long post

I share my internet (payment monthly) with different houses in the neighbourhood using APs and LAN switches. Currently the setup is quite simple and users are given shared keys and they connect to the network.

The issue is that most of the time the users share the internet further without me getting paid. Also, I cannot identify which house owns the devices and which AP they are using. Another issue is that if one house doesn't pay for the internet, I need to change the password of the AP and every user connected to that AP has to join the SSID again. Bandwidth misuse is the cherry on top.

After a lot of sleepless nights, I understood that I need to have a RADIUS server and some sort of network monitoring software to control my network. I tried setting up FreeRADIUS on a Raspberry Pi, but I failed because of outdated tutorials. I read about Zabbix but am still not sure if it will support my situation. I don't need a payment service etc., only my network control and monitoring.

I turned to a commercial solution to my problem and bought a Cisco Meraki MX64, but learned that it's just a paperweight without licensing.

Can experts please help me with my situation? I am willing to buy a commercial box (without reoccurring charges) that has RADIUS, LAN security and network monitoring. Currently I am using an Asus RT-AC88U, an Asus RT-AC3200 and a couple of TP-Link routers.

I am fairly knowledgeable with networking however can follow instructions.

Many thanks in advance
 
Maybe this type of device will get you in a direction more manageable; google "access point for hotels".
 
Many thanks for the inputs. So are you suggesting that I change the APs? I am still unable to understand what device I can use at the back end to manage and monitor the network without any reoccurring license charges.

Sorry about my ignorance, but my understanding is that there would be a device that has tools built in that I can manage locally without hitting my wallet.
 

The cheapest option would be using a Linux-based system to set up RADIUS, aka AAA.

The other option coming to mind is to only allow MACs of the APs that are paying for service. Might be done from the main router or you could set it up in conjunction with RADIUS w/ a whitelist option.

Another option is 802.1x - https://networkengineering.stackexc...n-radius-and-802-1x-port-based-authentication
 

Thx for the insight.

I tried setting up FreeRadius with Raspberry Pi 3B+ without success.

Can you suggest any commercially available box that has the suggested tools available? It will be easy to manage with less need of troubleshooting.
 

I don't typically deal with this on a personal level, but in the enterprise environment we use Cisco / Juniper / Infoblox setups. These all come with licensing commitments.

Another thing to consider would be rate limiting per MAC, which can be done pretty easily with iptables in Linux / Pi.

Since you have a limited number of clients, getting them to supply their MAC shouldn't be that big of a task. If a neighbor isn't on the list then they don't get free internet. If they piggyback off the neighbor paying for it then they split the BW with the neighbor they're connected to. This is more transparent to the neighbors as they won't be prompted for PWs or a login page to get access.

I would just make a spreadsheet with Google Drive and have them enter the info. Not only do you have a record of the MAC / who it belongs to, but if something goes sideways in the Pi it's easy to figure out who is causing the issue.

This is assuming also that this is set up as a hub and spoke scenario, but it does sound like you might have some people connecting to spokes, or are they connecting to you directly with a shared PW?
 
@d4dreamer, how are you protected (i.e. legally) from any online mischief caused by these non-paying users?

Is the ISP in your name?

Again, the tools to do this are possible. I'm asking why you'd risk this (if indeed, you are risking anything).
 

Thanks for the inputs.

I forgot to mention that the tenants keep on changing every 2 months at most, which makes the collection of MAC IDs a hassle. Also I am working full time and don't find time to manually manage things.
 
The ISP is under my name; however, the sharing is happening within the same apartment, which is legally allowed in my country.
 
It may be legally allowed. But who is responsible for bad online actors within your network? I would assume it is you.
 
Captive portal comes to mind but if your neighbors share passwords you are going to have problems. Trying by MAC address is going to be unmanageable.
 
I share my internet with different houses in the neighbourhood
the sharing is happening within the same apartment

The same apartment or different houses in the neighborhood?

I don't think your "business" is legal. And you are responsible for all the online activity. If someone does something illegal online, the authorities come to your door for an explanation. It doesn't matter what country you live in. A threat to a public figure online from your account and you may end up in jail.
 
All the more reason to go for a hotel or holiday park solution as each connection is logged and traceable to devices which are linked to actual users.
 
Are you planning on changing passwords every 24 hours like hotels? It will make for a lot of support. And in a neighborhood situation they do know each other and may share passwords. When you find a MAC address, you are not really going to know whom it really belongs to. They could have bought another PC or have friends or family members over. You don't have a workable solution. It is not like hotels as they are short term leases that come and go.
 
Hi guys,

Sorry about the late reply and I appreciate your concern related to the legal issues. Let me clarify that it's one big compound with several houses inside. So technically it's a closed neighborhood of like six households. Moreover the costs of internet in my country are quite high and sharing internet is an acceptable norm.

Now coming back to the original question, what box or switch is useful for my situation without reoccurring license costs? I have checked SonicWall, NetGuard and several other firewall solutions; however, I am not sure if they will help me with my situation. Also if they have any additional license costs. I want to be sure before I pick up any costs this time; that's the reason I am asking you all, who have the required experience and expertise. Thanks~
 
I only want a solution to control my bandwidth and user base. The password will be changed every month. Also, not sure if it's possible, but some solution that can allow one MAC to be allowed connection from only one AP.
 
Also, not sure if it's possible, but some solution that can allow one MAC to be allowed connection from only one AP.
This is going to show very unfriendly if you have a person walk over to another person's house on campus and he can't connect to the internet with his phone or iPad.

I think you would be better off assigning a VLAN to each house and limit the VLAN. That way house1 can walk anywhere on campus and connect but he will connect to his VLAN. You could use dynamic VLANs. Cisco has support for this. Dynamic VLANs will work with wireless and wired connections. Otherwise you are going to have to manage all the wired ports.
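Several suggestions in this thread (a per-user record in a spreadsheet, a Linux RADIUS server, one VLAN per house) combine into one workflow, sketched here as an added example that is not from any poster. It assumes the roster is exported as CSV with the hypothetical columns shown, that the output is used as a FreeRADIUS `users` file, and that the APs run WPA2-Enterprise and honour RADIUS-assigned VLANs; all names and passwords are constructed.

```python
import csv
import io
import re

# Constructed roster, e.g. a CSV export of the spreadsheet (hypothetical columns).
ROSTER_CSV = """house,vlan,username,password,paid
house1,10,h1-anna,constructed-pw-1,yes
house1,10,h1-ben,constructed-pw-2,yes
house2,20,h2-cara,constructed-pw-3,no
house3,30,h3-dev,constructed-pw-4,yes
"""

# Roster fields are typed in by tenants, so treat them as untrusted input:
# anything that could break out of a quoted value or add a line is rejected.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
SAFE_PASSWORD = re.compile(r"[^\x00-\x1f\x7f\"\\]{8,128}")


def build_users_file(roster_csv):
    """Return FreeRADIUS 'users' file text for paid households only."""
    entries = []
    for row in csv.DictReader(io.StringIO(roster_csv)):
        user, password = row["username"], row["password"]
        if not SAFE_NAME.fullmatch(user):
            raise ValueError(f"unsafe username: {user!r}")
        if not SAFE_PASSWORD.fullmatch(password):
            raise ValueError(f"unsafe or short password for {user}")
        vlan = int(row["vlan"])  # non-numeric input raises ValueError
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN id out of range for {user}: {vlan}")
        if row["paid"].strip().lower() != "yes":
            continue  # unpaid house: no entry is written for its users
        # Per-user credential plus the three reply attributes that tell
        # the AP or switch which VLAN to place this session in.
        entries.append(
            f'{user}\tCleartext-Password := "{password}"\n'
            "\tTunnel-Type = VLAN,\n"
            "\tTunnel-Medium-Type = IEEE-802,\n"
            f'\tTunnel-Private-Group-Id = "{vlan}"\n'
        )
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_users_file(ROSTER_CSV))
```

Marking a house unpaid and regenerating the file removes only that house's logins, so the other households keep their credentials and nobody has to rejoin the SSID.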
 
Moreover the costs of internet in my country are quite high and sharing internet is an acceptable norm.

Sharing Internet with someone to reduce the cost is a different thing. If you all were sharing one account, just divide the total cost of subscription and equipment into six equal amounts. It's easy. Selling your Internet account to others is what you do, a totally different thing. You have to invest in different equipment in order to achieve your intentions. What you may achieve shortly after is "customers" totally pissed off by restrictions.
 
