IAS/RADIUS Implementation in a Coffee Shop?
noyler asks: "I've been asked to decide on the best way for metering a 'free' wireless network at a local coffee shop. Here's the scenario: currently, local college students come to the coffee shop, grab a cup of coffee, and then spread out like it's a study hall for 6 to 10 hours at a time and use the free internet. The coffee shop loves this, but it's getting really crowded for the other customers that just come in for some coffee and have nowhere to sit. The management wants to implement a system that, upon buying a drink, grants a time-limited connection for that customer of 3 or 4 hours. If the customer wants more access, another drink will need to be purchased. The store network is a simple cable modem with wireless access point attached right now. After implementation, customers should be prompted for a username/password (which can come from his or her receipt) and then have access to the 'net. One limitation is that the customers should not have to install any third-party software to use it--no window for software corruption liability that way. The customer base is mostly Windows with an ever-growing number of Mac users as well. What are some good ideas for doing this? I've considered RADIUS, or some kind of portal software, but don't see any clear answers. Any suggestions for software to use?? The coffee shop is very low budget, so cheap hardware and free software would be best!"
This idea is so asinine and restrictive that I can almost guarantee that it will fail miserably as well as probably upset a great deal of the existing customer base. Case in point: I frequent a coffee shop here in Pittsburgh constantly. The Beehive offers free wireless access as well as has around 8-9 computers with all sorts of multiplayer games installed, as well as DVD drives (you can watch movies), and believe it or not, cable access. A number of the computers have tuner cards built in. The money they get from the PCs more than covers the costs of their relatively low upkeep, upgrades, and of course the DSL, which seems to be basic SDSL at maybe.....1.5mps? They are the only coffee shop in the area to offer free internet, and of course people come and congregate based on this fact. The most comparable coffee shop that offers internet would be the Quiet Storm, and it costs roughly $20/month to $10 for a few hours or something (maybe the day). Of course, Starbucks has T-Mobile hotspots that are completely locked down, but I won't get into THAT. Don't charge by the hour. By imposing a fixed cost for a fixed period of time (1 coffee = 3 hours or whatever) people will feel like they are being charged for internet usage. No coffee, no internet. If your crowd is a mostly college crowd, it is understandable that many of them are rather poor and cannot afford $10 in coffee a day. I'm sure that a sizable percentage of your customers comes by just to hang out and sees a coffee or two as the cost of admission. This is the appeal of coffee shops, right? The more friends people have with them, the more paying customers you have. If you have a problem with a large group that does not buy enough to use up your entire space, they need to be kindly, and politely I might add, informed about the simple economics of running a coffee shop. I'm sure the owner pays rent or a mortgage, taxes and obviously, employees. 
Also, you should look at supplementing the costs of the free net with some rental computers or something that people can use out of convenience, like a CD burner and a printer. Sometimes it is incredibly convenient to be working on a project and have such things available without having to go to Kinko's, especially in a college environment. Just think about this differently at least. Anything so restrictive is sure to raise complaints and decrease the overall satisfaction of your customers. $100/month is totally worth it to spend, especially when your customers are buying freaking $2-3 coffees. If you implement a system like this, it is going to take time and money to deploy and test, depending on your setup, which I'm guessing isn't probably all that sophisticated. The problem is really the people that are just using the space. Those are customers you can certainly afford to lose and the best way is ultimately to politely ask them to leave if they are finished with their drinks so that paying customers can use their space. Every bar and coffee shop (the successful ones at least) I've been to will certainly follow some similar policy. I drive a taxi and I clearly wouldn't let someone ride around without giving me some cash. I expect any other sensible businessman to do the same.
zosxavius photography
These "Vantage Service Gateway" appliances that Zyxel sells are pretty neat, but not exactly cheap: vsg-1200 @ buy.com.
:)
They have some quirks, as we're still playing around w/the one we have.. Like they seem to break VPN for example. They do a weird rewrite of DNS that screws up people trying to check their email via outlook over a VPN... But if you don't need VPN from behind then, they seem to do the job.
Transparently controls access to the internet, no configuration on the user's machine is needed. It intercepts any web traffic and makes the user login, as you were mentioning. You can set up user accounts locally on the VSG, or use a RADIUS server. You can control access time and bandwidth limits based on users and billing profiles that you set up on the box. The web interface seems a little "clunky" to me... I think it was written in a different country and translated, based on the wording of some of the error messages.
Place sig here.
Here's the solution: do what some hotels do to get you to agree to terms of service, only taken a bit further. Allow any device to connect (no WEP, just an open AP, keep it simple). Allow only DNS queries from anyone. Set up either a proxy or use a packet rewriting algorithm (like the "forward" command in FreeBSD's ipfw firewall) to redirect all outbound web traffic from source IPs/MACs (remember not to use NAT on the AP, you need the unique addresses, or use MAC addresses [better] if the firewall/proxy is the AP) that are not in a valid table or list (like one table for each hour, half hour, etc, I'm using table because that would follow with a FreeBSD ipfw2 firewall). Drop packets for any ports other than 80 (and 53, of course) for any host not in the valid list. Redirect them to a server that serves up the same single page for any requested page (they could have specified a path other than "/"). This single page should redirect them to your authentication server (this will most likely all be on the firewall, just an aliased IP that answers anything for the first page).
The authentication server gets some sort of confirmation number from the user. (printed on the receipt, insert your own clever algorithm for unique, difficult-to-guess numbers here [even better if the time can be determined by the number, or if the numbers are saved to a database somewhere]). Using the (valid) confirmation number from the receipt, the firewall/proxy adds the source IP or MAC to the valid source address table, and if you want to be really nice, you could have passed the original requested URL through from the initial page that redirected them to the authentication site, and now redirect them to that page.
Set up a cron script to clean out the tables for tickets that have expired (this is why it would be easier to have your tables named for the time they expire), and you're done. Once a source IP or MAC is removed from the table, all further traffic will send them back to your authentication page, which can inform them that purchases are required for access, and the cycle can repeat. It would be best to use the firewall as the access point (put in a wireless card that is capable of being an AP), so that you can use MAC addresses to filter, and avoid the possibility that someone could leave while they have time left and have another person get the same IP, but as a minimum, you should do the DHCP from the firewall, and must do NAT from the firewall for outbound (validated) connections.
--That's the point of being root, you can do anything you want, even if it's stupid.
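The receipt-code scheme and the expiring source-address table described in the comment above, worked through as an added example (not the poster's code and not tied to any firewall). It fills in the "insert your own clever algorithm" slot with an HMAC-tagged code that carries its own expiry, so a code cannot be forged or stretched and the firewall side needs no database beyond a set of codes already used; the table is keyed by client MAC, as the poster recommends, and the hour-granular ipfw tables are replaced by per-client expiry timestamps swept by a cron job. The secret, the MAC addresses and the 3-hour window are constructed placeholders, and mapping the recorded add/remove events onto actual firewall table commands is left to the operator.

```python
"""Receipt-code captive portal logic: issue codes, validate them, and keep the
validated-client table that the firewall rules consult. Constructed example;
the firewall wiring (redirect rules, table commands) is left to the operator."""
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed placeholder: in a deployment, read a random secret from a root-only file.
SECRET = b"replace-me-with-a-long-random-secret"
TAG_LEN = 5   # bytes of HMAC kept: 40 bits is plenty against guessing through a portal form


def make_code(secret, expires_at, nonce=None):
    """Issue a receipt code: 4-byte expiry (epoch seconds) + 2-byte nonce + HMAC tag.

    Encoding the expiry in the code means the clock starts at purchase and the
    portal needs no lookup to learn it; the nonce keeps two codes sold in the same
    second distinct; the tag stops anyone from forging a code or stretching its expiry.
    """
    payload = struct.pack(">I", expires_at) + (nonce or secrets.token_bytes(2))
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    # base32 prints cleanly on a receipt; strip the '=' padding for the customer
    return base64.b32encode(payload + tag).decode().rstrip("=")


def check_code(secret, code, now):
    """Return the expiry time if the code is genuine and still valid, else None."""
    code = code.strip().upper()
    try:
        raw = base64.b32decode(code + "=" * (-len(code) % 8))
    except ValueError:            # binascii.Error is a ValueError: bad chars or padding
        return None
    if len(raw) != 6 + TAG_LEN:
        return None
    payload, tag = raw[:6], raw[6:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    expires_at = struct.unpack(">I", payload[:4])[0]
    return expires_at if expires_at > now else None


class AccessTable:
    """Mirror of the firewall's validated-client table, keyed by client MAC.

    'changes' records the add/remove events in order; the operator maps them onto
    the firewall's own table commands and runs expire() from cron."""

    def __init__(self):
        self.entries = {}      # mac -> expiry epoch seconds
        self.changes = []      # ("add" | "remove", mac)

    def grant(self, mac, expires_at):
        if mac not in self.entries:
            self.changes.append(("add", mac))
        # A second drink extends access rather than shortening it.
        self.entries[mac] = max(expires_at, self.entries.get(mac, 0))

    def is_allowed(self, mac, now):
        exp = self.entries.get(mac)
        return exp is not None and exp > now

    def expire(self, now):
        """Cron sweep: drop clients whose time is up; returns the MACs removed."""
        gone = [m for m, exp in self.entries.items() if exp <= now]
        for m in gone:
            del self.entries[m]
            self.changes.append(("remove", m))
        return gone


def redeem(table, secret, mac, code, now, used_codes):
    """Portal form handler: accept a code once, then validate the client's MAC."""
    code = code.strip().upper()
    expires_at = check_code(secret, code, now)
    if expires_at is None or code in used_codes:
        return False
    used_codes.add(code)           # one receipt grants one device, not a whole table
    table.grant(mac, expires_at)
    return True


def classify(table, mac, dst_port, now):
    """Firewall policy from the post: DNS open to all, validated clients pass,
    everyone else has port 80 redirected to the portal and anything else dropped."""
    if dst_port == 53 or table.is_allowed(mac, now):
        return "allow"
    return "redirect" if dst_port == 80 else "drop"


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = make_code(SECRET, now + 3 * 3600)
    print("printed on receipt:", code)
    table, used = AccessTable(), set()
    print("redeem:", redeem(table, SECRET, "aa:bb:cc:dd:ee:01", code, now, used))
    print("second device, same code:", redeem(table, SECRET, "aa:bb:cc:dd:ee:02", code, now, used))
    print("port 443 from validated client:", classify(table, "aa:bb:cc:dd:ee:01", 443, now))
    print("port 80 from stranger:", classify(table, "aa:bb:cc:dd:ee:02", 80, now))
    print("expired after 3h:", table.expire(now + 3 * 3600))
```

Two design points worth noting. Tying the expiry to the purchase time rather than first use means a receipt pocketed for an hour buys less time, which is the simplest way to stop a stack of receipts from being traded later; if the shop would rather start the clock at login, encode a duration instead and compute the expiry in `redeem`. Keying the table by MAC instead of IP is what the poster asks for, and this code assumes the firewall can see client MACs, which holds only when the firewall is the access point or sits on the same segment with no NAT in between.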
Coffee shops are much different than restaurants in that you want more of a social atmosphere. I think they want to keep their coffee shop as full as possible, while keeping returning customers, and still have room for new people as they come in.