AP selection for captive portal

piafolla

Hey y'all

Thx for reading my question, I'm trying to find an AP that will allow me to create a captive portal and limit wifi sessions to something like 2 hours per day.

I live in an apartment building that provides free wifi in the gym. The building is using a Linksys router up in the plenum to provide access, security is just a WPA passphrase given to the residents. The router is not doing any NAT or routing, simply acting as an AP.

They'd like to change that to a wifi hotspot and limit wifi session length to a daily time limit, like a maximum of 2 hours per day for example. They're concerned that people whose units are in range can just use it as their dedicated internet.

I've looked at a few models from EnGenius (I've used some of their outdoor APs) or Ubiquiti, but that daily time restriction doesn't seem to be a popular/common function from what I'm seeing. I'm sure restaurants must use something like that.

I'd appreciate any suggestions for what brand or model AP I can use in this role.

I think I can do it with a Ubiquiti AP, but it needs a persistent connection to the controller for the captive portal function. I don't have any other Ubiquiti devices and don't want to spend money on a hosted controller or a CloudKey. I could put the controller on a Raspberry Pi, but I'd like to find just a one-device solution.

As an aside, I've already set up a DD-WRT/HotSpotSystem captive portal in the lobby, but the ability to restrict wifi sessions to a daily limit is a monthly paid feature with HotSpotSystem. However, since no residences are near enough to the lobby to abuse it, building management is OK with me limiting the wifi sessions to 15 mins or 2 GB download and users can re-connect as often as they want.

That you can do for free, but that type of security won't work in the gym.

Thank you
 
The primary challenge is that this level of access control will require host-based access tracking, database referencing and a decent amount of CPU to do it -- as opposed to just a basic availability schedule applied to a PSK, SSID, VLAN, etc. The former is a tough nut to crack in a standalone product. You're likely going to need some kind of controller and/or RADIUS server; i.e. a local box like a CloudKey or something hosted, such as IronWifi ($10/AP/month).

If you had Beta access (and if Ubiquiti had stock), the $299 Dream Machine includes the controller and wifi all in a single box:
But then again, at $299, you might as well just buy a UniFi AP and a CloudKey...

I think you might be able to pull it off with MikroTik RouterOS using its User Manager/Limiting features, but RouterOS can be a technical odyssey, to say the least.

If I find something else I'll post back again.
 
The Cisco small business APs include captive portal and time limits. You need to check them out to see if this fits your needs. Captive portal is pretty extensive on the different ways it can be set up.
 
The Cisco small business APs include captive portal and time limits. You need to check them out to see if this fits your needs. Captive portal is pretty extensive on the different ways it can be set up.
The OP's feature request can't be addressed via simple session or idle timeouts, nor any kind of static scheduling. This is all you'll find if you check out a WAP581 emulator, v. 1.0.1.3, or any model below on the latest production firmware, as far as I'm aware. Unfortunately an external auth/access solution would still be needed for this use-case.
 
With Radius and captive portal you could probably work it out but I don't know for sure. Check it out. The floating 2 hour window is tough.

PS
The more I think about this, the more I think Trip is right.
 
The former is a tough nut to crack in a standalone product. You're likely going to need some kind of controller and/or RADIUS server; i.e. a local box like a CloudKey or something hosted, such as IronWifi ($10/AP/month).

If you had Beta access (and if Ubiquiti had stock), the $299 Dream Machine includes the controller and wifi all in a single box:
But then again, at $299, you might as well just buy a UniFi AP and a CloudKey...

Thx for your reply, sorry for the delay in getting back to you.

The Dream Machine would certainly be an attractive solution for me, but as you noted availability is an issue. Also, I'm Canadian, 299$ US would be a little on the high side. I may be able to get a slightly less powerful AP and a CloudKey for a bit less. However, if I'm going to go the Ubiquiti/CloudKey route, I would put the controller on a 30$ Raspberry Pi.

I've looked at hosted servers also, such as IronWifi. HotSpotSystem allows the very function I want for 5$ a month, but I'm doing this as a one time thing to help out the building and don't want to get into any recurring fees.

I'm definitely leaning in the UniFi AP/Controller direction though, thx again.
 
With Radius and captive portal you could probably work it out but I don't know for sure. Check it out. The floating 2 hour window is tough.

PS
The more I think about this, the more I think Trip is right.


Thanks for your help. As you mentioned there are numerous ways to administer hotspot access and I am finding that out for sure!

I'm obviously coming at this all wrong as I assumed the time limitation would be an easy option to choose or maybe configure under some kind of guest user profile. How do public hotspots prevent abuse? Well, I'm sure they're being installed by folks with a little more know-how and infrastructure for one...

The hotspot I set up in the lobby will cut you off after 15mins/2GB, but you can reconnect an unlimited number of times. Is it more common to limit the amount of reconnects vs how long someone is connected?

Thanks!
 
Trying to do this with typical AP settings alone (timeouts or static resource scheduling) won't be enough; the user could reconnect at will, as you and others have mentioned.

This type of control requires some type of AAA accounting, to actually be able to track and limit access time with no work-arounds (or very hard ones, anyways). At the most basic level, one could apply this to each guest network host via MAC ID association, but better still would be via user accounts, managed by a designated admin to add/remove/change per tenant population, or done via self-serve using some type of verification credential that is 1) unique to each user (example: SMS to their mobile number) and 2) uses a registration challenge question(s) that only tenants would know, to help limit undesired access by outsiders.

Not sure if anything you're looking at offers that, but those are the kinds of things that the better systems should allow for. The challenge now is to find a product that can do the above, but is self-contained and non subscription-based.
 
I certainly appreciate all your assistance. I'm going to see what kind of pricing I can get for a CloudKey/AP combo up here.

I got advice on the Ubiquiti forums on how I may be able to accomplish my goal:

https://community.ui.com/questions/...triction/ff5fdcfd-76bb-44a5-9722-2e48b51b4ac2

You can achieve something similar to that with Guest Portal and some configs on the Payment-Based authorization option ...

enable Guest Portal

Hotspot

Enable payment-based authorization

create your Free Package (mark it as free, watch for the Trial Lockout info)

do not create any other package, you'll not have any paid package actually

fill PayPal Website Payment fields with garbage (you'll not use it anyway, but UI requires you to fill them)


and you should be able to allow XX hours that can be only used again after YY hours. It's not exactly 'use again the next day' you want to, you'll have to tweak your hour settings. For example, you very likely do NOT want YY to be 24, that would avoid someone that used on the night that use again the next day on the morning.

Tweak the values to match your criteria, and you'll very likely be able to achieve that.

HUGE OBSERVATION: Guest Portal *REQUIRES* UniFi Controller to be online 24/7 to the AP, so you cannot keep your controller offline, for example. For something like this, I would recommend buying also a CloudKey, even the "outdated" CloudKey G1 may be more than enough to you.

Hopefully I can convince the building on the extra cost of the CloudKey as it seems like the easiest/best solution.
There are no PCs (or any devices at all) on that network that I could host a controller on so I'll definitely need the key. The building super, security office PCs and the gym internet are all on independent internet connections from each other. If they're comfortable, I may just have to host the software controller on one of the security or the super's PC and set up port forwarding so the AP has access.

Thanks again, I'll update you with any progress...
 
I thought he wanted a floating 2 hours. Maybe 30 minutes here 30 minutes there and so on until the total was 2 hours per day.
 
I thought he wanted a floating 2 hours. Maybe 30 minutes here 30 minutes there and so on until the total was 2 hours per day.

Sorry for any confusion. The 2 hour window is just an example. The idea is to allow anyone in the gym plenty of time to work out without being cut off from wifi and to prevent a small handful of units from abusing it. I'm in the gym for about 90 minutes myself when I go. I didn't consider a user having a few smaller sessions that add up to 2 hours, or whatever we determine the maximum allowable time per day is.

Makes no difference to me whether a user uses 1 long session or several short ones, but I do see how that can add to the complexity.
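
Added example, not part of the thread and not any vendor's code: a sketch of the accounting an external AAA service has to do for the "floating" daily limit discussed above, where several short sessions count against one per-account total and a reconnect does not reset it. The account name, the session times and the `DailyQuota` class are constructed for illustration; the value returned by `authorize` is what a RADIUS server would send back as Session-Timeout.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

DAILY_LIMIT = timedelta(hours=2)  # the thread's example limit


class DailyQuota:
    """Cumulative connected time per account per calendar day."""

    def __init__(self, limit=DAILY_LIMIT):
        self.limit = limit
        self.used = defaultdict(timedelta)  # (account, date) -> time consumed

    def record_session(self, account, start, stop):
        """Charge a finished session (accounting stop) to each day it touched."""
        while start < stop:
            next_midnight = datetime.combine(start.date() + timedelta(days=1), time.min)
            end = min(stop, next_midnight)
            self.used[(account, start.date())] += end - start
            start = end

    def authorize(self, account, now):
        """Seconds of session time to grant at login; 0 means reject."""
        left = self.limit - self.used.get((account, now.date()), timedelta())
        return max(0, int(left.total_seconds()))


def demo():
    # Constructed sessions for a hypothetical portal account "unit-1204".
    q = DailyQuota()
    d = datetime(2024, 3, 1)
    q.record_session("unit-1204", d.replace(hour=7), d.replace(hour=7, minute=30))
    q.record_session("unit-1204", d.replace(hour=12), d.replace(hour=12, minute=45))
    after_two = q.authorize("unit-1204", d.replace(hour=17))   # 45 minutes left
    q.record_session("unit-1204", d.replace(hour=18), d.replace(hour=18, minute=45))
    exhausted = q.authorize("unit-1204", d.replace(hour=19))   # reconnect refused
    next_day = q.authorize("unit-1204", d.replace(hour=6) + timedelta(days=1))
    return after_two, exhausted, next_day


if __name__ == "__main__":
    print(demo())
```

Keying the counter on a portal account rather than a MAC address matters here, since a quota tied to the MAC is only as strong as the client's willingness to keep the same one.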
 
