AAA Billing Solution for Hotel

Posted on 2006-05-30
Medium Priority
Last Modified: 2013-11-30
Hi All,
We have a client that is leasing out Internet access (inclusive of VPN etc, not just browsing) along with office space etc... similar to what a hotel might do.
Do you know of a (Cisco compatible) AAA solution for this kind of scenario? Bear in mind that ppl can bring their own lappys etc so there is NO option to manually gather machine specific data, or to install any software on the client machines.

I can provide a heap more details, but thought I'd leave it simple for now... I expect I will be using Auth-Proxy on the Routers & IAS as a RADIUS server, but I am open to any suggestions.

Many thanks
Question by:jasef

Author Comment

ID: 16795806
PS. Have another 750ish points to give if someone is desperate for em :) (Obviously I will need to open a new question, but I expect that will be easy considering the amount of work I expect will be required to get this up & running)
LVL 16

Expert Comment

ID: 16796279
(takes off PE hat)

Wow - that's a big project.

My first thoughts are that you are going to have to implement a way for client machines to get connected regardless of their IP configuration - this means if they want DHCP, you hand it out.  The harder part is if they are statically configured - you have to answer affirmatively for all ARPs, and be able to route traffic no matter what default gateway IP they have configured.  In other words, I don't think hanging up a sign that says "You must use DHCP" is going to cut it.

I'm pretty sure if you use linux (or other unixes) that there already exist tools for doing this - not so sure about PIX or windows.

The above step is necessary before clients can begin to think about talking to the authentication server.

Second, you would likely need to configure a transparent proxy on ports 80 and 443 that directs all non-authenticated users to your authentication page - I assume this is that to which you are referring when you mention "Auth-Proxy on the Routers".  Once again, I'm uncertain if the PIX can do transparent proxying, but my guess would be yes.  I know the unix group can (squid comes to mind).

Finally, you have to resign yourself to the fact that some statically configured clients will always have problems - a possible scenario that comes to mind is a client laptop that wants to connect to the remote office via a VPN, but the client already has a statically configured IP on the internal remote network on its ethernet interface.

I guess you might need to hang a sign that says "If you don't use DHCP, don't call us about problems" ;-)


Author Comment

ID: 16798915
Hi Jon,
Plan is to provide a policy that explains how we expect them to interoperate... Which will be via DHCP... Anyone that can't accommodate DHCP gets charged for creation of a VLAN or whatever (there is an exception of client owned machines that are loaned to customers, but I have this one covered easily via MACs... It's the unknowns that are causing me probs).

There is no PIXie involved here, 2x 1800 routers running HSRP and a bunch of other stuff, and 3x 2960 switches running more bunches of stuff :P Auth-Proxy is indeed a form of transparent proxy... though not exactly. It is a mechanism for prompting users to authenticate via AAA when they are using a browser, however it doesn't actually cache any data (AAA can do some accounting that records the goodies I need though).. It simply downloads a user based ACL that punches holes in an otherwise restrictive config (simple and not exactly realistic concept is for eg: deny tcp any any eq 80, auth-proxy detects attempt, authenticates user and then a downloadable ACL pops in before standard ACL and says permit 'authenticated user bob' any any eq 80)

So far easy enough... The real probby is getting a billing platform that will analyze said gathered data, and hence my question. I've done a fair web search for this kinda thing, and had a few red herrings, so hopefully someone has done this before and will give me something I can have confidence will do what it says it will :D

Thanks for your assistance so far,

PS - Re: PE Hat I wasn't meaning to jib the system, I was trying to say more or less the same as your conclusion.
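The billing side the comment above asks about starts from the RADIUS accounting that AAA records for each auth-proxy session. The following is an added example, not code from the thread or from any product named in it: it parses constructed Stop records in the FreeRADIUS "detail" file layout, ignores Start/Interim-Update records, counts a retransmitted Stop only once (bob's record is deliberately included twice), folds in the Gigawords attributes so sessions over 4 GiB are not undercounted, and produces per-user time, traffic and charge at assumed rates.

```python
# Added example (not from the thread): per-user totals from RADIUS accounting
# records in the FreeRADIUS "detail" layout. The sample records are constructed.
from collections import defaultdict

BOB_STOP = """\
Tue May 30 11:30:00 2006
\tUser-Name = "bob"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0101"
\tAcct-Session-Time = 5400
\tAcct-Input-Octets = 20000000
\tAcct-Output-Octets = 150000000
"""
ALICE_STOP = """\
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0102"
\tAcct-Session-Time = 900
\tAcct-Output-Octets = 1000
\tAcct-Output-Gigawords = 1
"""
# Blank-line separated; bob's Stop appears twice, as after a NAS retransmit.
SAMPLE_DETAIL = "\n".join([BOB_STOP, BOB_STOP, ALICE_STOP])
def parse_detail(text):
    record = {}
    for line in text.splitlines():
        if not line.strip():            # blank line closes a record
            if record:
                yield record
            record = {}
        elif line.startswith("\t"):     # attribute line; timestamp lines skipped
            key, _, value = line.strip().partition(" = ")
            record[key] = value.strip('"')
    if record:
        yield record

def bill(text, rate_per_hour, rate_per_gib):
    seen, totals = set(), defaultdict(lambda: [0, 0])
    for rec in parse_detail(text):
        sid = rec.get("Acct-Session-Id")
        if rec.get("Acct-Status-Type") != "Stop" or sid in seen:
            continue                    # Start/Interim-Update, or a retransmitted Stop
        seen.add(sid)
        octets = sum(int(rec.get(f"Acct-{d}-Octets", 0))
                     + (int(rec.get(f"Acct-{d}-Gigawords", 0)) << 32)  # RFC 2869 high bits
                     for d in ("Input", "Output"))
        totals[rec["User-Name"]][0] += int(rec.get("Acct-Session-Time", 0))
        totals[rec["User-Name"]][1] += octets
    return {u: (s, o, round(s / 3600 * rate_per_hour + o / 2**30 * rate_per_gib, 2))
            for u, (s, o) in totals.items()}
```

`bill(SAMPLE_DETAIL, 2.0, 0.5)` returns `{user: (seconds, octets, charge)}`; the rates are placeholders, and a real feed would come from the RADIUS server's accounting log rather than the embedded sample.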
LVL 10

Accepted Solution

Sorenson earned 1000 total points
ID: 16799394

I would look into the BBSM from cisco (broad band service manager) http://www.cisco.com/go/bbsm .  Cisco has another older product called URT (user registration tool) that can be configured with MAC addresses, to identify clients and force them into a vlan on a cisco switch based on the mac without client software.  The URT can be configured to dump unknowns into a certain vlan as well, catching those floating machines that come in and out.

Hope that helps.

Expert Comment

ID: 16803396
Hopefully this will help, though I'm not an expert on the subject.

Look for a captive portal - they authenticate users based on MAC address and a dynamic firewall. An interesting open-source and free one is NoCatAuth, which runs on Linux and offers many different authentication methods.

Author Comment

ID: 17229305
Hi All,
Thanks for your assistance. Scott, the Cisco products looked great, but the client wasn't willing to shell out the bucks :(

We ended up using two products - Netmaster from XComSoft which has tasty reporting http://www.xcomsoft.com/netmaster.html. Unfortunately it could not work for unidentified PCs; only those on a dedicated VLAN or with known MAC addresses etc.

The product we used for casual access was an Antlabs Ezxcess Gateway (http://www.antlabs.com/).  I wasn't heaps thrilled with this one as the support wasn't too hot, it reduced the network's redundancy, the reports suck badly and it has two damn power switches to turn on (which took me 30 minutes to figure out as I thought the other one was a reset switch lol).  Anyway it is working, but I really would have preferred a cost effective AAA solution, so I'm still open to ideas.

If nothing is forthcoming, and the moderators are keen to close the case, is it possible to award all points to Scott with an A grade, but also have this comment marked as part of the solution for other readers?


Assisted Solution

atomicfire001 earned 1000 total points
ID: 17229486
I just remembered that Cisco bought out a company that did this sort of thing. They call it Cisco Clean Access now, Scott gets the credit for this as he reminded me of it in his post. Cisco Clean Access is not only an auth tool, but a powerful tool that manages what clients of what kind of configuration are allowed online.

In its most basic form, it works with Catalyst switches to assign alien users to a different vlan. On that vlan, the gateway presents a login page. You can probably get by with just this. Users log in, and then the switch will switch your vlan to the secure vlan, and bam you have internet access! As soon as you release/renew the IP or disconnect the cable, you are shoved back to the unsecure vlan and asked to authenticate again.

You can also force the users to download a client, which will check to make sure that only approved software is allowed before the machine is allowed on the network. This is designed for schools and corporate networks, where Antivirus and Windows Updates are a must to keep a clean network. We use it to great success at our university here. Virus outbreaks are unheard of now, as clients that fail Antivirus or Windows Update are immediately kicked off the network.

Best of luck!

Author Comment

ID: 17233439
Thanks AtomicFire,
I had forgotten about Cisco Clean Access and your implementation is creative, novel and pleasing sounding!

Jon, I didn't try allocating points as I was hoping for (and received!!) more responses. I decided putting on hats is more fun than allocating points, so I will let you do both!!  If Scott has no objections, a split with Atomic seems fair to me.

Thanks Jon for all yr hats & help :)
