AAA Billing Solution for Hotel

Posted on 2006-05-30
Last Modified: 2013-11-30
Hi All,
We have a client that is leasing out Internet access (inclusive of VPN etc, not just browsing) along with office space etc... similar to what a hotel might do.
Do you know of a (Cisco compatible) AAA solution for this kind of scenario? Bear in mind that ppl can bring their own lappys etc so there is NO option to manually gather machine specific data, or to install any software on the client machines.

I can provide a heap more details, but thought I'd leave it simple for now... I expect I will be using Auth-Proxy on the Routers & IAS as a RADIUS server, but I am open to any suggestions.

Many thanks
Question by: jasef
    LVL 3

    Author Comment

    PS. Have another 750ish points to give if someone is desperate for em :) (Obviously I will need to open a new question, but I expect that will be easy considering the amount of work I expect will be required to get this up & running)
    LVL 16

    Expert Comment

    (takes off PE hat)

    Wow - that's a big project.

    My first thoughts are that you are going to have to implement a way for client machines to get connected regardless of their IP configuration - this means if they want DHCP, you hand it out.  The harder part is if they are statically configured - you have to answer affirmatively for all ARPs, and be able to route traffic no matter what default gateway IP they have configured.  In other words, I don't think hanging up a sign that says "You must use DHCP" is going to cut it.

    I'm pretty sure if you use Linux (or other Unixes) that there already exist tools for doing this - not so sure about PIX or Windows.

    The above step is necessary before clients can begin to think about talking to the authentication server.

    Second, you would likely need to configure a transparent proxy on ports 80 and 443 that directs all non-authenticated users to your authentication page - I assume this is that to which you are referring when you mention "Auth-Proxy on the Routers".  Once again, I'm uncertain if the PIX can do transparent proxying, but my guess would be yes.  I know the unix group can (squid comes to mind).

    Finally, you have to resign yourself to the fact that some statically configured clients will always have problems - a possible scenario that comes to mind is a client laptop that wants to connect to the remote office via a VPN, but the client already has a statically configured IP on the internal remote network on its ethernet interface.

    I guess you might need to hang a sign that says "If you don't use DHCP, don't call us about problems" ;-)

    LVL 3

    Author Comment

    Hi Jon,
    Plan is to provide a policy that explains how we expect them to interoperate... Which will be via DHCP... Anyone that can't accommodate DHCP gets charged for creation of a VLAN or whatever (there is an exception of client owned machines that are loaned to customers, but I have this one covered easily via MACs... It's the unknowns that are causing me probs).

    There is no PIXie involved here, 2x 1800 routers running HSRP and a bunch of other stuff, and 3x 2960 switches running more bunches of stuff :P Auth-Proxy is indeed a form of transparent proxy... though not exactly. It is a mechanism for prompting users to authenticate via AAA when they are using a browser, however it doesn't actually cache any data (AAA can do some accounting that records the goodies I need though).. It simply downloads a user based ACL that punches holes in an otherwise restrictive config (a simple and not exactly realistic concept, e.g.: deny tcp any any eq 80, auth-proxy detects attempt, authenticates user and then a downloadable ACL pops in before the standard ACL and says permit 'authenticated user bob' any any eq 80)

    So far easy enough... The real probby is getting a billing platform that will analyze said gathered data, and hence my question. I've done a fair web search for this kinda thing, and had a few red herrings, so hopefully someone has done this before and will give me something I can have confidence will do what it says it will :D

    Thanks for your assistance so far,

    PS - Re: PE Hat I wasn't meaning to jib the system, I was trying to say more or less the same as your conclusion.
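
The accounting side mentioned above (RADIUS Acct records as the raw material for billing) as an added example, not from the original thread or from any of the products discussed: it parses a constructed accounting log in the FreeRADIUS "detail" file layout (an assumption; IAS writes a different log format) and turns Stop records into per-user time and traffic totals, handling the 32-bit octet counter wrap via the Gigawords attributes. The per_hour and per_gib tariffs are made-up parameters.

```python
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS "detail" layout (an assumption): records are
# separated by a blank line, the first line is a timestamp, attributes follow.
SAMPLE_DETAIL = """\
Tue May 30 09:00:00 2006
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tAcct-Session-Id = "0000000a"

Tue May 30 11:30:00 2006
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0000000a"
\tAcct-Session-Time = 9000
\tAcct-Input-Octets = 5000000
\tAcct-Input-Gigawords = 1
\tAcct-Output-Octets = 250000000
\tAcct-Output-Gigawords = 0
\tAcct-Terminate-Cause = User-Request
"""

ATTR = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')

def parse_detail(text):
    """Yield one dict of attribute -> value per accounting record."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines()[1:]:  # skip the timestamp line
            m = ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        yield rec

def octets(rec, direction):
    """Combine the 32-bit octet counter with its Gigawords (2**32) wrap counter."""
    low = int(rec.get(f"Acct-{direction}-Octets", 0))
    high = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return (high << 32) + low

def bill(text, per_hour=2.00, per_gib=1.50):
    """Charge each user on Stop records only: connect time plus total traffic."""
    totals = defaultdict(lambda: {"seconds": 0, "bytes": 0, "charge": 0.0})
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") != "Stop":
            continue  # Start/Interim-Update records carry no final counters
        t = totals[rec["User-Name"]]
        t["seconds"] += int(rec.get("Acct-Session-Time", 0))
        t["bytes"] += octets(rec, "Input") + octets(rec, "Output")
        t["charge"] = round(t["seconds"] / 3600 * per_hour + t["bytes"] / 2**30 * per_gib, 2)
    return dict(totals)
```

Without the Gigawords attributes, bob's 4.2 GiB session would be billed as roughly 0.24 GiB, which is the kind of silent under-charging a reporting tool needs to be checked for.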
    LVL 10

    Accepted Solution


    I would look into the BBSM from Cisco (Broadband Service Manager). Cisco has another older product called URT (User Registration Tool) that can be configured with MAC addresses, to identify clients and force them into a VLAN on a Cisco switch based on the MAC without client software. The URT can be configured to dump unknowns into a certain VLAN as well, catching those floating machines that come in and out.

    Hope that helps.
    LVL 2

    Expert Comment

    Hopefully this will help, though I'm not an expert on the subject.

    Look for a captive portal - they authenticate users based on MAC address and a dynamic firewall. An interesting open-source and free one is NoCatAuth; it runs on Linux and offers many different authentication methods.
    LVL 3

    Author Comment

    Hi All,
    Thanks for your assistance. Scott, the Cisco products looked great, but the client wasn't willing to shell out the bucks :(

    We ended up using two products - Netmaster from XComSoft, which has tasty reporting. Unfortunately it could not work for unidentified PCs; only those on a dedicated VLAN or with known MAC addresses etc.

    The product we used for casual access was an Antlabs Ezxcess Gateway. I wasn't heaps thrilled with this one as the support wasn't too hot, it reduced the network's redundancy, the reports suck badly and it has two damn power switches to turn on (which took me 30 minutes to figure out as I thought the other one was a reset switch lol). Anyway it is working, but I really would have preferred a cost effective AAA solution, so I'm still open to ideas.

    If nothing is forthcoming, and the moderators are keen to close the case, is it possible to award all points to Scott with an A grade, but also have this comment marked as part of the solution for other readers?

    LVL 2

    Assisted Solution

    I just remembered that Cisco bought out a company that did this sort of thing. They call it Cisco Clean Access now; Scott gets the credit for this as he reminded me of it in his post. Cisco Clean Access is not only an auth tool, but a powerful tool that manages what clients of what kind of configuration are allowed online.

    In its most basic form, it works with Catalyst switches to assign alien users to a different VLAN. On that VLAN, the gateway presents a login page. You can probably get by with just this. Users log in, and then the switch will switch your VLAN to the secure VLAN, and bam, you have internet access! As soon as you release\renew the IP or disconnect the cable, you are shoved back to the unsecure VLAN and asked to authenticate again.

    You can also force the users to download a client, which will check to make sure that only approved software is allowed before the machine is allowed on the network. This is designed for schools and corporate networks, where Antivirus and Windows Updates are a must to keep a clean network. We use it to great success at our university here. Virus outbreaks are unheard of now, as clients that fail Antivirus or Windows Update are immediately kicked off the network.

    Best of luck!
    LVL 3

    Author Comment

    Thanks AtomicFire,
    I had forgotten about Cisco Clean Access and your implementation is creative, novel and pleasing sounding!

    Jon, I didn't try allocating points as I was hoping for (and received!!) more responses. I decided putting on hats is more fun than allocating points, so I will let you do both!! If Scott has no objections, a split with Atomic seems fair to me.

    Thanks Jon for all yr hats & help :)
