Restrict network access until user authenticated against remote database.


I want to set up a wireless network which will allow users to access only one internet website where they can buy surfing time.  Once they have an account, I want the firewall at the access point to allow them to surf the internet freely.

I think this will require rewriting the firewall in the access point restricting access based on MAC address, but how do I go about doing this.  Setting up the central database is no trouble, but how do I get the firewall to talk to it?

Many thanks,

Who is Participating?

Improve company productivity with a Business Account.Sign Up

What90Connect With a Mentor Commented:
Why not just set up a proxy server account for each user once they have joined and paided?
They enter a username and password (on the proxy server of your choice) once they connect to the default web page.

That way the proxy server authenicates the user and allows them access to the Internet.
You can place any further rules on the proxy server.

Most of the hot spot zones ISP's use a similar method.

Saves all this MAC madness ;-)

Pete LongTechnical ConsultantCommented:
Hi benlinton,
Im unsure to be honest but if your using cisco firewall you can certainly get it to authenticate to an RSA Radius server on your network, you just nees to work out how to assign the RSA access licences to the clients?

benlintonAuthor Commented:
I was wanting to reprogramme a netgear wireless router such as:

but don't know if this is possible.  

Basically, this machine gives you a web based controlpanel where you can add MAC addresses to a trusted list.  I want to allow all MAC address access to my billing website, but then only allow full internet access to MAC addresses I have in my database as having paid.

Is that clearer?!!

Many thanks,

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Have you looked at something like this D-Link gateway

Tim HolmanCommented:
You could use one generic SSID that allow users access only to your payment server network - eg

Then, another SSID could be used (with authentication) to provide the global Internet access that they require (running on another network, eg
benlintonAuthor Commented:
And is it easy to get the proxy server to talk to a central database?  Sounds promising...!
The database I've seen it work with is Active Directory and ISA 2000. Works very nicely. I'm sure there are bespoke apps that fit the picture if you don't want to use the Ms route.
Are you still working on this? Do you need more information?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.