IAS/RADIUS Implementation in a Coffee Shop?

← Back to Stories (view on slashdot.org)

IAS/RADIUS Implementation in a Coffee Shop?

Posted by Cliff on Wednesday March 16, 2005 @03:50AM from the non-free-loitering dept.

noyler asks: "I've been asked to decide on the best way for metering a 'free' wireless network at a local coffee shop. Here's the scenario: currently, local college students come to the coffee shop, grab a cup of coffee, and then spread out like it's a study hall for 6 to 10 hours at a time and use the free internet. The coffee shop loves this, but it's getting really crowded for the other customers that just come in for some coffee and have nowhere to sit. The management wants to implement a system that, upon buying a drink, grants a time-limited connection for that customer of 3 or 4 hours. If the customer wants more access, another drink will need to be purchased. The store network is a simple cable modem with wireless access point attached right now. After implementation, customers should be prompted for a username/password (which can come from his or her receipt) and then have access to the 'net. One limitation is that the customers should not have to install any third-party software to use it--no window for software corruption liability that way. The customer base is mostly Windows with an ever-growing number of Mac users as well. What are some good ideas for doing this? I've considered RADIUS, or some kind of portal software, but don't see any clear answers. Any suggestions for software to use?? The coffee shop is very low budget, so cheap hardware and free software would be best!"

63 comments

Simple Answer... by Anonymous Coward · 2005-03-16 03:55 · Score: 0

You could ask the patrons to make another purchase when the food or drink runs out/gets cold...
1. Re:Simple Answer... by innosent · 2005-03-16 17:57 · Score: 3, Interesting
  
  Here's the solution: do what some hotels do to get you to agree to terms of service, only taken a bit further. Allow any device to connect (no WEP, just an open AP, keep it simple). Allow only DNS queries from anyone. Set up either a proxy or use a packet rewriting algorithm (like the "forward" command in FreeBSD's ipfw firewall) to redirect all outbound web traffic from source IPs/MACs (remember not to use NAT on the AP, you need the unique addresses, or use MAC addresses [better] if the firewall/proxy is the AP) that are not in a valid table or list (like one table for each hour, half hour, etc, I'm using table because that would follow with a FreeBSD ipfw2 firewall). Drop packets for any ports other than 80 (and 53, of course) for any host not in the valid list. Redirect them to a server that serves up the same single page for any requested page (they could have specified a path other than "/"). This single page should redirect them to your authentication server (this will most likely all be on the firewall, just an aliased IP that answers anything for the first page).
  
  The authentication server gets some sort of confirmation number from the user. (printed on the reciept, insert your own clever algorithm for unique, difficult-to-guess numbers here [even better if the time can be determined by the number, or if the numbers are saved to a database somewhere]). Using the (valid) confirmation number from the receipt, the firewall/proxy adds the source IP or MAC to the valid source address table, and if you want to be really nice, you could have passed the original requested url through from the initial page that redirected them to the authentication site, and now redirect them to that page.
  
  Set up a cron script to clean out the tables for tickets that have expired (this is why it would be easier to have your tables named for the time they expire), and you're done. Once a source IP or MAC is removed from the table, all further traffic will send them back to your authentication page, which can inform them that purchases are required for access, and the cycle can repeat. It would be best to use the firewall as the access point (put in a wireless card that is capable of being an AP), so that you can use MAC addresses to filter, and avoid the possibility that someone could leave while they have time left and have another person get the same IP, but as a minimum, you should do the DHCP from the firewall, and must do NAT from the firewall for outbound (validated) connections.
  
  --
  --That's the point of being root, you can do anything you want, even if it's stupid.
randomiz(ed) guess by iamcadaver · 2005-03-16 03:56 · Score: 0

Print out a randomized WEP key on the receipt, and somehow automate it to be good for only 3 hours.

--
Before I part with'em: two pennies weigh ~4.996+/-0.014g, have a zinc core, and the face of Lincoln. You can keep 'em.
1. Re:randomiz(ed) guess by KevinKnSC · 2005-03-16 06:52 · Score: 2, Insightful
  
  The WEP key is the same for the whole wireless network, though, which means that if you change it 3 hours after one person's purchase, it might only be 5 minutes since someone else's purchase.
Give me a breakj by LordNimon · 2005-03-16 03:56 · Score: 0, Flamebait

The management wants to implement a system that, upon buying a drink, grants a time-limited connection for that customer of 3 or 4 hours. If the customer wants more access, another drink will need to be purchased.
Looks to me like the management is a bunch of assholes. No other coffee shop does this, so why do you think customers will tolerate it?
Does the coffee shop have a problem with people buying one drink and staying there for more than 4 hours?!?!?!!? I doubt it. The extra complications and customer confusion aren't worth the one or two people who leech of the network.
A local coffee shop recently implemented a policy where wireless access is turned off from 11:30am to 1:30pm. They already get tons of business during lunch hours, so they don't need to attract any more.

--
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
1. Re:Give me a breakj by LordNimon · 2005-03-16 03:59 · Score: 2, Insightful
  
  Does the coffee shop have a problem with people buying one drink and staying there for more than 4 hours?!?!?!!? I doubt it.
  Ugh, I just noticed the part about students sitting there for 6-10 hours. Sorry about that.
  Wouldn't it be easier just to kick the students out after 3-4 hours if they don't buy another drink? Whether they use the network or not, I think the coffee shop needs to do that. A lot of restaurants already have that policy. Just have the wait staff keep track of these tables.
  
  --
  And the men who hold high places must be the ones who start
  To mold a new reality... closer to the heart
2. Re:Give me a breakj by Oliver+Wendell+Jones · 2005-03-16 06:26 · Score: 1
  
  You forgot to add:
  
  In the event that you ignore our advice to not do $something, a simple Google search turned up rand(10000) responses that should answer your question.
  
  --
  A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
3. Re:Give me a breakj by Marxist+Hacker+42 · 2005-03-16 12:19 · Score: 1
  
  McDonald's does this- in select locations, free two hours of net access with purchase of extra value meal. I think they're using a custom version of NoCatAuth- anway, all I have to do is enter the username/password from my cupon into the intital web page, and I've got access.
  
  --
  SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
4. Re:Give me a breakj by NevermindPhreak · 2005-03-16 22:07 · Score: 2, Interesting
  
  coffee shops are much different than resturants in that you want more of a social atmosphere. i think they want to keep their coffee shop as full as possible, while keeping returning customers, and still have room for new people as they come in.
Caffeine-powered Internet access by mopslik · 2005-03-16 03:56 · Score: 2, Funny

Hook up each computer to a bicycle-powered generator. After 3 or 4 hours, they'll need to buy another coffee just to keep them awake.

Easy peasy.
1. Re:Caffeine-powered Internet access by bertybassett · 2005-03-17 01:16 · Score: 0
  
  But what if theybrought their hamster with them? Those little suckers can crank like mad...
  
  --
  Wibble-Wobble, Wibble-Wobble, jelly on a plate
Sounds complicated by MarkGriz · 2005-03-16 03:57 · Score: 1

Why not just hire the Annoying Coffee Shop Guy from MTV's Boiling Point.

--
Beauty is in the eye of the beerholder.
What about your feet? by _LORAX_ · 2005-03-16 03:57 · Score: 5, Insightful

Simply have the manager remind the students that the free networking is supported by thier continued purchasing. Simply changing the mindset is a whole lot better than trying to screw with a psudeo-login-tracking system. It also allows the managers to target just those that are a problem rather than inconviencing everyone.
1. Re:What about your feet? by chris_mahan · 2005-03-16 05:33 · Score: 1
  
  You're talking about students here. They do not care about your little business problems.
  
  What you need to do is have 'connectivity problems' when the place gets very crowded. When a geek complains, say: 'dude, we would upgrade the system, but we have no money allocated because people just come here to sit all day and suck our bandwidth witout buying drinks'.
  
  That, or or put a little sign on a tabletent: two hours per drink maximum. Most of them will get the point and leave. Those that don't, you turn upp the music, dim the lights, sweep the floor a lot around them, ask them to move, have the obnoxious waitress from hell (the one with the bright orange apron that says: "May I be of service?") go ask them how long they've been there and how much longer they plan on taking up room.
  
  Also, you could make sure the power outlets in the room are on a different circuit and turn it off when busy. Just tell them the cappuccino machine is drawing a lot of juice :)
  
  --
  "Piter, too, is dead."
2. Re:What about your feet? by fm6 · 2005-03-16 05:51 · Score: 4, Insightful
  
  I'm sure they've thought of that. Students monopolizing table space was an issue for coffee shops long before there were wireless access points. Having store employees play table proctor is not a good way to build a reputation as a student-friendly zone.
3. Re:What about your feet? by mcelrath · 2005-03-16 10:58 · Score: 0, Redundant
  
  Corporations should not attempt "social engineering". Don't tell me where to sit, how long to stay, that I have to buy a drink before reserving a table, or that I have to jump through your hoops to access your internet. Don't nickel and dime your customers either. Such practices only alienate customers. Small friendly retail joints generally cannot afford to alienate customers.
  What is left is simple economics. Does the store owner really care that it's crowded? No! That's great business! If he can't pay the bills, raise the prices on drinks. The free internet is a loss-leader to sell drinks. Offering internet to paying customers, with a small coffee stand on the side is a different business model (and very likely...less popular).
  Basically, any business which has any kind of "list of rules" is missing the point. It's a business. They sell things. And selling things is all that the business owner really has control over.
  -- Bob (who spends to much time in the local coffee shop)
  
  --
  1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
4. Re:What about your feet? by tverbeek · 2005-03-16 13:41 · Score: 1
  
  Bob (who spends to much time in the local coffee shop)
  Reading The Wall Street Journal, by any chance?
  This isn't the "social engineering" boogeyman that fiscal conservatives like to scare Econ students with. It's a business owner looking for a way to run his own business in a way that's consistent with his own values. For example, maybe he puts some value on treating all people equally (i.e. people who come in later should have the same access to seats as the squatters). Maybe he doesn't like the idea (fundamental to your directive) that only people who can afford higher overall prices deserve to be his customers. Regardless, he has his own goals, and you're out of line barking that he should instead follow yours. Not everyone chooses to run their lives according to supply/demand curves to maximise profit. So spare us the sermon from the Church of the Market.
  
  --
  http://alternatives.rzero.com/
5. Re:What about your feet? by yuri+benjamin · 2005-03-16 17:05 · Score: 1
  
  Well said.
  
  --
  You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
6. Re:What about your feet? by morzel · 2005-03-16 20:18 · Score: 1
  
  Does the store owner really care that it's crowded? No! That's great business!
  Not if the "consumers" are only paying for one drink and then staying for hours on end, leeching from your internet connection and (even worse) hogging table space.
  While I agree that you shouldn't be rushing anybody out, I can understand that after a reasonable amount of time after your last consumption your welcome officially "runs out".
  Most everyday people do this by themselves (either they consume something or they leave), but there are categories of people (e.g.: cash-strapped students) that want to have their cake and eat it too.
  Mind you that the owner of the bar is not chasing anybody away: students are still free to stay while reading a book; he just wants to put a reasonable limit on the free internet access. Students that don't have too much cash and need free internet can always go to the library without having to consume anything at all.
  IMHO 1 hour of free internet access after every consumption would be a perfectly reasonable solution.
  
  --
  Okay... I'll do the stupid things first, then you shy people follow.
  [Zappa]
How to Build a Simple Wireless Authenticated Gatew by jsimon12 · 2005-03-16 03:59 · Score: 4, Informative

This would certainly be a cheap solution:
http://www.hackinthebox.org/article.php?sid=15607
I'm pretty sure by SLot · 2005-03-16 04:02 · Score: 5, Informative

NoCatNet will do what you need it to.

NoCat
ZyXEL ZyAIR B-4000 by nuxx · 2005-03-16 04:12 · Score: 5, Informative

I suggest looking at the ZyXEL ZyAIR B-4000. It's an access point / receipt printer that is commonly used for selling access. The user gets a receipt, logs into a website, and is granted access for X period of time. You could make it so that when someone buys coffee, they get a receipt good for four hours. Or for $X they can get all day access... It's all up to you. Either way, it's trivial to use. The clerk just presses one of three preconfigured buttons on the receipt printer, the receipt with the access code is created, and everything else happens automagically.
1. Re:ZyXEL ZyAIR B-4000 by EvilMagnus · 2005-03-16 04:42 · Score: 3, Insightful
  
  Wow. I was thinking about a system like this a few weeks ago, and it looks like the ZyAIR does exactly what I'd want it to do. And for around $500, which is a pretty good investment for a coffee shop.
  
  (no, I don't work for ZyAIR. :) I'm just interested in captive portals )
  
  --
  -EvilMagnus
2. Re:ZyXEL ZyAIR B-4000 by nuxx · 2005-03-16 06:52 · Score: 1
  
  Yeah, I agree... And ZyXEL makes really good products. Sure, it's only .b, but who cares? They are likely sharing a DSL or cable connection anyway. And with the lack of need for training of clerks minimal infrastructure, it's a great idea.
  
  Personally I'd just throw some signs up around the store saying "Ask For Four Hours Free Internet Access with Purchase" (since four hours is more than anyone can really argue with) and then have some print that says that 24 hours of access is available for... Say... $5.
  
  I can't see how any customer would argue with those amounts, and the clerk just needs to press the button for Four Hours or 24 Hours. Also, I believe the default (non-authenticated user) web page can direct them how to gain access. It's been about a year since I read the manual about it, though...
3. Re:ZyXEL ZyAIR B-4000 by NevermindPhreak · 2005-03-16 22:16 · Score: 1
  
  i think this is exactly what the poster needed. i was going to suggest some sort of homebrew system like this, but it would probably take way too much time/difficulty to set up. nice.
Here's one... by mogrify · 2005-03-16 04:19 · Score: 4, Funny

Replace all your electrical outlets with blank faceplates. Once the battery's out, the user's got to go somewhere else. Should be about 3-4 hours or so....

--
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
1. Re:Here's one... by Stinking+Pig · 2005-03-16 19:03 · Score: 1
  
  Score funny? What for? Looks pretty insightful to me.
  
  --
  "Nothing was broken, and it's been fixed." -- Jon Carroll
Gateway Product by Doug+Dante · 2005-03-16 04:22 · Score: 1

Pretty simple really. The store management generates a set of userid / password cards good for the time period that they want (1 hour, 2 hours, etc).

When you buy a cup of coffee, you can get a free card. If the worker sees your laptop, he or she can give it to you automatically, or you can ask.

Then customers who connect wirelessly can use the the username / password combination to get online. When their time is up, they will be disconnected and will need to get a new username and password combination.

Tut Systems ExpressWay is one example of a product that does this. (DISCLAIMER: I have a business relationship with Tut Systems).

--
The world will not get better through technology. We must seek to be better people.
MOD PARENT UP by Anonymous Coward · 2005-03-16 04:25 · Score: 0

Easy Fix! or charge for the good seats by the outlets!
How about a bit different approach? by Masa · 2005-03-16 04:25 · Score: 3, Insightful

Set up few bar tables for laptop users, so they have to stand up while using the wireless access. Just state clearly that chairs are reserved only for customers with beverages.
1. Re:How about a bit different approach? by fm6 · 2005-03-16 05:55 · Score: 2, Insightful
  
  That says, "We don't want you using our shop as a study hall, period." If they were going to do that, they might as well not provide any network access. They're obviously trying to be more student-friendly than that.
A contraction and two words: Don't do it! by ZosX · 2005-03-16 04:26 · Score: 4, Interesting

This idea is so asinine and restrictive that I can almost guarantee that it will fail miserably as well as probably upset a great deal of the existing customer base. Case in point: I frequent a coffee shop here in Pittsburgh constantly. The Beehive offers free wireless access as well as has around 8-9 computers with all sorts of multiplayer games installed, as well as DVD drives (you can watch movies), and believe it or not, cable access. A number of the computers have tuner cards built in. The money they get from the PCs more than covers the costs of their relatively low upkeep, upgrades, and of course the DSL, which seems to be basic SDSL at maybe.....1.5mps? They are the only coffee shop in the area to offer free internet, and of course people come and congregate based on this fact. The most comparable coffee shop that offers internet would be the Quiet Storm, and it costs roughly $20/month to $10 for a few hours or something (maybe the day). Of course, Starbucks has T-Mobile hotspots that are completely locked down, but I won't get into THAT. Don't charge by the hour. By imposing a fixed cost for a fixed period of time (1 coffee = 3 hours or whatever) people will feel like they are being charged for internet usage. No coffee, no internet. If your crowd is a mostly college crowd, it is understandable that many of them are rather poor and cannot afford $10 in coffee a day. I'm sure that a sizable percentage of your customers comes by just to hang out and sees a coffee or two as the cost of admission. This is the appeal of coffee shops, right? The more friends people have with them, the more paying customers you have. If you have a problem with a large group that does not buy enough to use up your entire space, they need to be kindly, and politely I might add, informed about the simple economics of running a coffee shop. I'm sure the owner pays rent or a mortgage, taxes and obviously, employees. Also, you should look at supplementing the costs of the free net with some rental computers or something that people can use out of convenience, like a CD burner and a printer. Sometimes it is incredibly convenient to be working on a project and have such things available without having to go to kinkos, especially in a college environment. Just think about this differently at least. Anything so restrictive is sure to raise complaints and decrease the overall satisfaction of your customers. $100/month is totally worth it to spend, especially when your customers are buying freaking $2-3 coffees. If you implement a system like this, it is going to take time and money to deploy and test, depending on your setup, which I'm guessing isn't probably all that sophisticated. The problem is really the people that are just using the space. Those are customers you can certainly afford to lose and the best way is ultimately to politely ask them to leave if they are finished with their drinks so that paying customers can use their space. Every bar and coffee shop (the successful ones at least) I've been to will certainly follow some similar policy. I drive a taxi and I clearly wouldn't let someone ride around without giving me some cash. I expect any other sensible businessman to do the same.

--
zosxavius photography
1. Re:A contraction and two words: Don't do it! by ZosX · 2005-03-16 04:53 · Score: 0
  
  Sorry about the formatting...forgot that HTML formatted was selected.
  
  --
  zosxavius photography
2. Re:A contraction and two words: Don't do it! by norkakn · 2005-03-16 06:02 · Score: 0, Offtopic
  
  -random-
  The Beehive rocks!
  -/random-
3. Re:A contraction and two words: Don't do it! by itwerx · 2005-03-16 07:11 · Score: 2, Funny
  
  Those would all be good and valid points if they actually related to the problem posted.
  From the article: it's getting really crowded for the other customers that just come in for some coffee and have nowhere to sit
  I'm sure the shop would love to do things exactly the way you describe if they only had room to!
  
  (Nice post though, even if was completely off-topic - you should be in sales! :)
4. Re:A contraction and two words: Don't do it! by CXI · 2005-03-16 07:23 · Score: 2, Interesting
  
  This idea is so asinine and restrictive that I can almost guarantee that it will fail miserably as well as probably upset a great deal of the existing customer base.
  
  Are you kidding me? Perhaps if we didn't have people that assumed they had some kind of right or privilege to take up a chair all day using someone else's bandwidth and are rude enough that they can't fork out $3 every FOUR HOURS then there wouldn't be a problem to begin with? That's cheap compared to normal hourly rates some places charge! Not only that, but it's much more fair to treat everyone on the same level than to go around picking and choosing who you want to throw out.
  
  I drive a taxi and I clearly wouldn't let someone ride around without giving me some cash. I expect any other sensible businessman to do the same.
  
  This makes no sense with the rest of your argument, unless you are willing to let random people get in your taxi possibly taking up all the seats, ride around for a while as you pick up and drop off paying customers (if there is room, if not keep driving until someone gets out), and then get out at some point without paying you. That's the analogy which matches what you are trying to get the coffee shop to do, mainly submit to freeloaders.
  
  I can't believe your comment was rated as insightful.
Public IP / Zone CD by therubberduckie · 2005-03-16 04:32 · Score: 5, Informative
By far the greatest setup for this is http://www.publicip.net/. It will actually allow users to login and you can set how long each user is allowed to use the wifi. The developer is very active in the forums and personally answers almost all questions. Here is a list of the features. Check it out, I have used it in the past and been nothing but impressed!
- Customize ZoneCD login pages
- Choose to use a branded template
- Create multiple zones from same login
- Zones can be Public, Shared or Private
- Separate permissions for your Zone logins.
- Configure web registration
- User authentication and management
- Homepage redirection
- Daily time limits per user
- Daily download limits
- Zone open and close times
- Block by mac address
- Configure user permissions(Classes)
- Customize firewall rules for each Class
- Content Filtering (block porn, downloads, etc.)
- Daily Log Mailer program
- Block traffic to *wired* network
- Branded "Terms of Use" template or use your own
- Usage statistics
- Multilingual login pages
- End-User reporting
No interest? Don't comment. by Futurepower(R) · 2005-03-16 04:34 · Score: 3, Insightful

Please don't comment on stories in which you have no interest.
m0n0wall or NoCat by derinax · 2005-03-16 04:50 · Score: 3, Informative

I successfully implemented a RADIUS-based captive portal on m0n0wall recently. It's a very solid (and free) solution, made more robust by having a separate machine for RADIUS and isc-dhcpd. FreeRADIUS is quite easy to manage, we just used a flat-file for auth. You can also use an SQL server if you need it.

http://www.m0n0.ch/wall

I stuck it on a Dell SFF. Incredibly robust. No downtime in a week (the entire project duration) for over 500 users.

M0n0wall is very easy to use and manage, NoCat had me wiped out trying to configure it. The main stumbler was that active development is only progressing on NoCatSplash, which AFAIK still doesn't do authentication, and NoCat doesn't intuitively run on BSD, tied as it is to Linux' firewall.

And as a BSD user, I was more drawn to m0n0wall anyhow.
1. Re:m0n0wall or NoCat by FreeLinux · 2005-03-16 05:37 · Score: 2, Insightful
  
  Briefly looking over the M0n0wall website, it appears to be just a firewall rather than a wireless hotspot solution. Did I miss a feature or did you fail to post all of the configuration modifications that you had to make in order to turn M0n0wall and FreeRADIUS into a captive portal?
  
  I'm not trying to be offensive but, how is M0n0wall better than the likes of ZoneCD or NoCat Auth? I understand that 'you' found NoCat complicated as compared to M0n0wall but, is that an accurate assessment or is it simply your situation because of your preference to BSD?
2. Re:m0n0wall or NoCat by kayen_telva · 2005-03-16 12:54 · Score: 1
  
  m0n0wall has a captive portal built in AND can interface with radius. but I dont believe it is the solution for the Ask Slashdot
3. Re:m0n0wall or NoCat by derinax · 2005-03-16 17:30 · Score: 1
  
  m0n0wall has a built-in captive portal, which you can easily see by glancing at the feature list or perusing the screenshots on their website.
  
  1. ZoneCD requires an external management site-- you need to either require your users to register themselves, or you must submit usernames and passwords to a third party. You can run your own management site if you are willing to tolerate the requirements to do so. This was unacceptable to us, we wanted to manage the database ourselves using RADIUS.
  
  2. NoCat Auth runs fine on Linux, but is an order of magnitude more difficult to set up than m0n0wall, which is an embedded solution that requires no other software to run: it boots, runs, and is configured entirely from a Live CD (notwithstanding an external RADIUS server).
  
  3. I haven't had a need to second-guess my decision. m0n0wall handled 500 concurrent users on a 12 megabit connection with no downtime over the course of seven days.
BlueSocket by AllMightyPaul · 2005-03-16 04:58 · Score: 1

While it might be a bit expensive, BlueSocket is what is used at Virginia Tech for its wireless network. Students log in with their student ID and password and it records the MAC address. After 15 minutes of inactivity, the MAC address is dropped from the usage table and the use has to log back in again. I'm sure it could be modified to do other things, too.
1. Re:BlueSocket by thegrassyknowl · 2005-03-16 09:31 · Score: 1
  
  You could go one further than BlueSocket (Which requires client-side software installs and the OP didn't want to do that). I think BlueSocket is poo. They use it at my uni as well. IT farked up my Windows install and didn't work real well (read: at all) with Linux.
  
  Just set up a PPTP server (VPN) and have username/passwords randomly added to the chap-secrets list with a timestamp in a comment for each one. Just configure a cron job every 10 minutes or so to remove old timestamped entries and kick off the usernames that it removed. Not exactly trivial, but it would work.
  
  Force all users to log onto the VPN using your firewall (ie they get an IP through DHCP then can't see anything except the PPTP port on the gateway) and bam. You need-not enable VPN encryption if you're worried about performance with a lot of clients. Just make sure you clearly state that data transmitted over wireless is easily accessible by others and security is their responsibility... yadda yadda yadda.
  
  THe advantage of PPTP is that it's already in Windows (and AFIK, Mac) so most of your userbase would be covered with minimal configuration. Linux/BSD has support but usually you need to install extra software. All you need to do is show them how to add a VPN connection to Windows...
  
  I run that way and have an open AP at my place. Friends can come by even when I'm not home and log onto my VPN and access my (soon to be upgraded to 12MBPS) Internet connection by sitting on the front lawn. Of course they have to ask for access and they're given a quota on account of I have a download quota... but it seems to work OK.
  
  --
  I drink to make other people interesting!
These are neat, but not exactly cheap... by JofCoRe · 2005-03-16 04:58 · Score: 2, Interesting

These "Vantage Service Gateway" appliances that Zyxel sells are pretty neat, but not exactly cheap: vsg-1200 @ buy.com.

They have some quirks, as we're still playing around w/the one we have.. Like they seem to break VPN for example. They do a weird rewrite of DNS that screws up people trying to check their email via outlook over a VPN... But if you don't need VPN from behind then, they seem to do the job.

Transparently controls access to the internet, no configuration on the user's machine is needed. It intercepts any web traffic and makes the user login, as you were mentioning. You can set up user accounts locally on the VSG, or use a RADIUS server. You can control access time and bandwidth limits based on users and billing profiles that you set up on the box. The web interface seems a little "clunky" to me... think it was written in a different country and translated based on the wording of some of the error messages :)

--

Place sig here.
Go Low-Tech by JonoPlop · 2005-03-16 05:41 · Score: 1

I agree with others: A verbal reminder is the best. If it's a technological solution, us-types (Slashdotters, that is) will naturally try to get around it - we treat it as a challenge. The first thing that came to my mind was just picking up a discarded receipt from one of the 98% of customers who don't use wireless.
1. Re:Go Low-Tech by CXI · 2005-03-16 07:02 · Score: 1
  
  So, you only give out the passwords to those who request to use the service. Please show your receipt if you forgot to ask when you bought something.
2. Re:Go Low-Tech by kwerle · 2005-03-17 10:23 · Score: 1
  
  Please. All it takes is one person who forwards everyone's traffic through their machine, through your network, to foil the techno-solution.
Nomadix by jsailor · 2005-03-16 06:57 · Score: 1

Nomadix is probably the leader in this space. Their products are good, fast, and relatively cheap considering the functionality and low maintenance requirements. For small sites there is the wireless gateway and for larger ones (up to 200 concurrent users) there is the HotSpot gateway. You can review the products and feature list here
Someone else mentioned ZoneCd from publicip, which we looked into, but my client decided that a support contract was more in-line with their operational model. However, if you're posting here, chances are you would be fine with ZoneCd. Either way, you can avoid the mess of RADIUS and MS.
Could you make the WIFI more directional? by pnice · 2005-03-16 07:00 · Score: 1

Couldn't you set up the access point so that it only allows access from a certain area of the coffee shop? Not sure how big this place is but if it is big enough to delegate only half or a fourth of the tables/seating to people wanting to use the internet this might work. You know, use foil or something to block the WIFI from going into the area of the shop you want to allow for people just there to drink some coffee so that people sitting there won't get a wireless signal at all. Then mark one area as the wireless internet access area.

Forgive me if blocking the WIFI signal is impossible... but I thought it was pretty easy to block the signal from spreading (like lining the inside of a cardboard box with foil leaving just one side open and putting the access point in there.

--
My Xbox Live Gamer Card
Isn't centralized solution available for you? by dimss · 2005-03-16 07:25 · Score: 1

I live in Riga, Latvia. Paid public WiFi access is available in many places such as "Double Coffee", "Coffee Nation", "Statoil", "Lido" etc. etc. Wireless service is provided by Lattelekom. Coffee shop customers can buy prepaid cards with username and password for Lattelkom Radius server. Alternatively, login/pass can be obtained by SMS. Coffee and Internet access can be purchased together or separately. When there are no more free seats waitress will ask WiFi-only customers to leave.

http://www.lattelekom.lv/ltk/content/?lng=en&cat =6 705

The idea is that any establishment can use Lattelekom service to grant paid WiFi access to their customers.
1. Re:Isn't centralized solution available for you? by Anonymous Coward · 2005-03-16 10:32 · Score: 0
  
  Since it was in coffee shops, I really wanted to read it as Latte-telekom instead of Lattelekom, heh.
Coffee shops by QuantumG · 2005-03-16 11:11 · Score: 2, Informative

Friends of mine used to run a coffee shop. You were given 10 minutes to sit at a table without a drink. Then someone would come collect your cup and ask "would you like another?" You were, of course, permitted to say no. You were then given another 10 minutes, and someone would again come to the table and ask "can I get you anything?" Again, you're permitted to say no. 10 more minutes and the waiter would return to the table and state "I'm sorry, if I can't get you anything I'm going to have to ask you to leave." And that got rid of the lurkers.

--
How we know is more important than what we know.
1. Re:Coffee shops by La+Camiseta · 2005-03-17 06:28 · Score: 1
  
  Yeah, that'll go over really well next to a college campus. I don't know about where you live, but there's something insane like at least 4 cafes along the street across from the university here, plus 3 ON the campus, including one in the library, where you get free wireless anyways, so the competition for customers gets pretty heated here. Not to mention that the majority of the management are college students, so they're pretty cool about stuff.
Signage by kponto · 2005-03-16 11:12 · Score: 1

I agree that verbal warnings would be a bad solution. I've had exepriences at coffeeshops where the manager came out every hour to check the timestamp on everyone's receipts. If it was more than an hour old, you had to buy something or leave. Lets just say that this practice didn't bolster a sense of respect for the establisment.

I think some obvious, well placed signage reminding people that they should support the cafe appropriate to the time spent would be the best solution. That way, you don't have to battle with your customers, and it would promote an atmosphere of support for the business. Plus, you don't want to kick out someone who may be a good regular customer just because they've only a few bucks on them one day (as students sometimes do).

--
This too, will end.
Firewall rules and a webpage by moorley · 2005-03-16 12:08 · Score: 1

**DISCLAIMER ON**
I've seen this question in different forms before. I know there has to be something out there indexed on freshmeat that will handle it, but I have yet to see it done the way I would do it. And the idea is only in my head, I haven't yet the chance to play with an actual implementation so I may be mispeaking Linuxes capabilities or how specifically to go about this.
**DISCLAIMER OFF**

The way I would look at doing it would be a simple cheap linux box with a WiFi card and a LAN Card. You can turn the linux box into a WiFi gateway with a 192.168.x.x on one side and the "real" network on the other. Add in NAT.

Now as for the authentication/control/lock down that will be accomplished via firewall rules and a webpage. If they are "authenticated" then you add the appropriate firewall rules to allow them to get out. You have a script check every 5 minutes for expires and remove them out of the firewall rules when they expire. Those that are expired are presented with a webpage that will allow them to get out again. This can all be done with firewall rules. A rule to let them out, or a rule that directs all port 80 traffic to a special web server that presents them with one page only.

This web page can take whatever input you want (ala PHP or Perl) and add them in again. I liked the idea of the reciepts. You could even have the a Linux POS/WiFi router that handles it all ;-). When it prints the reciepts with the "code" it can also add it into another database to check against when they use the webpage.

Would love the chance to put one together. If there are any coffee shops in the Boise Idaho drop me a line...

Happy Hacking!

--
"Don't fear death... fear not living..." -me :)
ChilliSpot, FreeRADIUS, iptables and a script or 2 by ikekrull · 2005-03-16 15:55 · Score: 1

Do it for me.. I built a prepay wireless gateway that works on a simple system of assigning a unique number to authenticate a connection - extra work was required to properly meter only 'external' bandwidth, and some minor mods required to disconnect users when their paid-for time expired (though this feature is in chillispot now).

I ran this on an X-Box with a USB wireless adapter, and it would work quite happily on any IP based network setup.

--
I gots ta ding a ding dang my dang a long ling long
No power outlets... by aquarian · 2005-03-16 17:16 · Score: 2, Insightful

I've been to a few places that do this already. One doesn't actually block the (plentiful) plugs, but their official policy is battery only. Signs are posted saying so. It's OK to plug in to save and shutdown if your battery runs out. The other places simply have no plugs available.
No power outlets by raider_red · 2005-03-17 03:42 · Score: 1

Just remove all of the publicly accessible power outlets. That'll limit them to the charge they have on their laptop batteries. Of course, it's still something only an asshole would do.

--
It's good to use your head, but not as a battering ram.
Turnkey hotspot by kansei · 2005-03-18 05:28 · Score: 1

I read about ZyXEL devices some time ago. Go to www.zyxel.com and look for a ZyAIR G-4100.
This device comes with a printer and all you have to do is push a button to print authentication info for the users.
http://www.zyxel.com/product/model.php?indexcate=1 103876296&indexcate1=1085450343&indexFlagvalue=102 1876859