gilley001

Hotel wifi web filter and access portal suggestions

Does anyone have a suggestion for a hardware-based web filter and access portal for a medium-sized hotel? Device would need to do content filtering as well as application filtering (especially BitTorrent), provide an acceptable use policy splash page, and have the option to provide a loggable local user/password authentication to the wireless network. Currently have a Cisco ASA5505 and Cisco Catalyst 2960 switch with separate VLANs for guest and staff wireless via Cisco Aironet 1142 WAPs. Was looking at Zyxel USG200 paired with a Zyxel UAG4100 (with optional ticket printer). Also looking at SonicWALL NSA220. Thinking of putting one of these between the ASA and the Cisco switch. I am primarily concerned with filtering only the guest wireless SSID and VLAN and logging of user access and requests.

Thanks in advance for your suggestions.
magarity

Do you need it to validate that people connecting really are guests?  I've seen hotel wifi ask for room number and last name.  You'll need to see if your front desk software can support that kind of thing.  If there is another hotel across the street this might be a really good idea.
ASKER CERTIFIED SOLUTION
Blue Street Tech
gilley001 (ASKER)

No. Would just need to be able to program a user/password (room#/somepass for each of 50 rooms) to hand out to guests.  This would provide at least some level of tracking the user's usage.   The Zyxel UAG4100 has an optional ticket printer that can generate this as a timed account.  Without the printer I think users can be statically added.
Diverseit, currently have 12 Cisco 1142 APs and would not need to add any additional APs at this time. No wired connection in rooms, just the WiFi. It sounds like you have experience with the NSA220. Do you know if it does a captive portal where an AUP page can be splashed to the user? Also, does it have the ability to allow user authentication for the guest WiFi? Do you know if this would fit seamlessly in between the existing ASA and the Catalyst switch? I guess I'm not positive of how it would fit in. Need to keep the ASA in place as it is doing all of the routing and DHCP for the hotel.
Can the Guest Wireless Services be used without having the SonicPoints and with the existing Aironets?
It is an ASA 5505 running v 8.3.2.
Yes, all the setup is done on the NSA or for that matter the SonicWALL security appliance.
Regarding replacing the ASA: We do have a site-to-site VPN running from the ASA out to another site with another ASA. Not sure if the SonicWALL could provide the VPN to the other ASA?
Here is a great migration tool: https://migratetool.global.sonicwall.com/

You can click on Demo Mode to see how it works with test data.
Tried the migration tool demo but don't see any way to assign my two trunks coming from the switch (1 trunk with guest wireless VLAN, the other with 3 other office VLANs). Looks more like a one-to-one assignment of VLAN to port on the NSA.

Does the NSA allow for a trunked port with several VLANs assigned to it? I would need (from ASA config):

! this is the office VLANs
interface Ethernet0/1
 switchport trunk allowed vlan 1,40,50
 switchport trunk native vlan 1
 switchport mode trunk
!
! this is the guest wireless VLANs
interface Ethernet0/2
 switchport access vlan 3
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
Yes, definitely through Zones and sub-Interfaces!
I would rather keep the ASA in place right now, especially since doing a cutover at a 24-hour hotel and not being able to schedule any down time for same. Can I place the SonicWALL between the switch and the ASA and have it filter just the guest wireless traffic?
Sorry for the delay - been out of town.

A SonicWALL or any firewall for that matter is not intended to be used in this manner unless you have a sophisticated internal WAN. I wouldn't advise it.
I obtained an NSA 220 and have been experimenting with it. I am unable to get it to work between the switch and the ASA 5505 (yes @diverseit, you did advise not to) but the internal WAN is sophisticated with 4 different VLANs, port forwarding, VPN, etc. I have been playing around with the SonicWALL in layer 2 bridge mode, trying to put the SonicWALL between the switch and ASA, and simply bridge one VLAN to the ASA but with no success. It is this one VLAN used for a guest wireless that requires filtering on (Application filter for torrents and P2P) and would like to implement the Acceptable Use splash page as well as user/password authentication to obtain internet. Is there any way to implement this in the L2 bridge mode?
Is the requirement for permissions (Acceptable Use splash page as well as user/password authentication to obtain internet) for employees or WGS (Wireless Guest Services for guest users only)?
Just for the one VLAN, VLAN3 which carries the wireless guest VLAN from the Cisco 1142 Access Points, so I guess that would be WGS.
Last week I stayed in a hotel with a cheap wifi router in every room with the password on a sticker. Every room's AP was named after the room number. I had to switch rooms and noticed the passwords were different.  That seemed to be the easiest way to do it.  The least expensive router on Newegg is $14.99 but I bet you can shave a few $ off if buying a couple hundred units wholesale for a hotel.
Been traveling a ton. Sorry.

Having "4 different vlans, port forwarding, VPN, etc." is not what I meant by "sophisticated"; that would be considered "standard". So where are you with this?

If you run the NSA 220 in place of the Cisco you can accomplish all of this with SonicPoints (if necessary to expand the WLAN).

Let me know. I'm in town the rest of the week.