a cheap and effective way to create network user accounts

ravenite

Hi guys, I've been tasked with the security of our network over in our small office where we have many visitors who are given access temporarily (sometimes over the period of a month and sometimes they ask for access for a year) and I'm trying to tackle a problem that might arise with this sort of network usage.

we've already looked at buying several wireless routers or Ethernet switchboards and the switchboards are too clumsy and have wires running throughout the place... setting up different wireless routers which provide different speeds according to which router you access like this> (1 router for employees, permanent full bandwidth availability, 1 for long term guests with a lower speed which is yet to be determined and 1 capable of a max speed of 300kbps download for short term guests) which is what I thought of doing.. has not been met well by others in the office :(, because it doesn't solve the problem of unwelcome people being given access to the network and therefore sensitive data by short term guests or perhaps by getting a hold of the cards we have which contain router login information.

Yesterday I remembered that at university, we had to log in to the network via our web browser, a process through which our computer could be found/identified if we did something illegal. I wonder if there's anyone in the forum who knows how to make this system a reality? I imagine with this system we can also manage the dld speed/bandwidth that each account has access to.. I'm very much stuck.

If someone knows how to make our needs a reality using a cheap solution, I hope you'll share it with me xD
 
Here's a fast and simple solution that you could implement immediately.

Set up two networks: one private for official office use, and one semi-public. The private network is only used by the office and its people, obviously, with its own security. The second one is shared with clients and you simply change the password each month/week/whatever and only share the current password with those who are supposed to have access.
 
hey trotter, Unlimited thanks for sharing your time with me.

I'll suggest this idea you outlined, which is similar to what I had in mind. Could I ask you to arm me with something to say in defense against comments like:
'but we want a hands free way of managing this issue'

'they can just share out the login details at the start of every month'

'we don't want to have to keep checking how many people are in the office and how many ips are logged in the router to see if someone is leeching internet'

I for one believe this solution is fine, but there are others among my peers who believe ... rather strongly that there is a way of managing each connection individually.

Now some friends I have in the web firm business talked to their system administrators as a favor to me and they suggested pfSense as a solution to our problem... but it looks awfully out of my league when it comes to configuring and .. generally doing anything with it.. even after having spent a day reading through its getting started section.

Do you think it would be too much to ask if I were to maybe even beg someone to help me through the setup of such software? I imagine it would be.. but I have nothing to lose by trying xD.

Anyhow, if I can convince my coworkers that the dual router/network idea is viable then I think I will have resolved the issue, I'm just lacking in points to make in defense of this idea. (and I'd like to avoid having to say it's because I haven't a damned clue about network management xD).
 
We have a setup with 2 networks.. Private (office) and Public with password (visitors). Works a charm =] Also we hide the private network and have added it to GPO so that wireless laptops / PCs connect automatically, that way we don't even need to give our staff the private password.
 
What kind of access are we talking about? Is this just guest internet access, or do these visitors need to access certain company resources?

If it's just guest access then that's really easy. If you need to track their internet usage then it gets more complicated.
 
My router has two guest accounts, 2.4 GHz and a 5 GHz. Most decent routers should offer that option and just set up a password for the guest account.
 

To be more precise, our main concern surrounds the fact that by Italian law (where the office is located) we are commanded to be able to track all users of our internet, to be able to report the identity of a person (his/her IP at the time and sites visited with that IP) who has broken the law if we're asked by the military police for that information.

On top of that, in order to achieve a certain level of professional appearance, we'd like to be able to give each user a unique login and password that gives them access to our internet services (the same sort of config we've all seen at universities/schools or public hotspots that require a login to use). My common sense tells me that this unique login configuration (that we would give once someone pays for a certain internet speed package) would also allow us to set the bandwidth/dld speed available to them via the user management panel of our router, and also monitor their online destinations. Which is this one:
Mikrotik routerboard 2011uias rb2011uias-rm RM

The RouterOS that comes preconfigured and installed on these MikroTik routerboards seems to encompass a great deal of functions... I haven't gotten my hands on it yet since I've been at home for the past week but if anyone is interested I could let them know what it can do in terms of network management.


Sadly, due to being a person who decided years ago to specialize in design software, I had absolutely no clue as to how to realize this system.
 
The feature you're looking for is called a captive portal - when someone connects to the network and they try to visit an internet site, they will hit a login screen where they will need to enter a username and password to proceed. You can take a consumer grade router and run third party firmware that has captive portal options like DD-WRT or use a pfsense box.

From what you've told us about the law, it sounds like you're going to need to not only track internet usage but also log it. If that's the case, then a lot of these third party firmware options should also have some logging capabilities. You'll probably need some sort of external storage to store the logs.
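
What the logging requirement comes down to once every guest has their own portal login, as an added example that is not part of the original posts: given per-session login records, answer "which account held this IP at this time". The record format, account names and addresses below are constructed assumptions, not RouterOS, DD-WRT or pfSense output.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample records (assumed format, not real router output):
# user,mac,ip,login,logout ; an empty logout means the session is still open.
SAMPLE_SESSIONS = """\
guest-anna,AA:BB:CC:00:00:01,10.5.50.21,2015-03-02T09:00:00,2015-03-02T12:30:00
guest-marco,AA:BB:CC:00:00:02,10.5.50.21,2015-03-02T14:00:00,2015-03-02T18:00:00
staff-luca,AA:BB:CC:00:00:03,10.5.50.22,2015-03-02T08:45:00,
"""

def parse_sessions(text):
    """Parse accounting lines into dicts, rejecting malformed rows."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        user, mac, ip, login, logout = fields
        sessions.append({
            "user": user, "mac": mac.lower(), "ip": ip_address(ip),
            "login": datetime.fromisoformat(login),
            "logout": datetime.fromisoformat(logout) if logout else None,
        })
    return sessions

def who_had_ip(sessions, ip, when):
    """Accounts that held `ip` at `when`; the same IP is reused over time."""
    ip, when = ip_address(ip), datetime.fromisoformat(when)
    return [s["user"] for s in sessions
            if s["ip"] == ip and s["login"] <= when
            and (s["logout"] is None or when < s["logout"])]

def ambiguous_ips(sessions):
    """IPs that two different accounts held at once, where the log cannot
    attribute traffic to one person (for example a missed logout record)."""
    end = lambda s: s["logout"] or datetime.max
    clashes = set()
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if (a["ip"] == b["ip"] and a["user"] != b["user"]
                    and a["login"] < end(b) and b["login"] < end(a)):
                clashes.add(str(a["ip"]))
    return sorted(clashes)

if __name__ == "__main__":
    log = parse_sessions(SAMPLE_SESSIONS)
    print(who_had_ip(log, "10.5.50.21", "2015-03-02T15:10:00"))
    print(ambiguous_ips(log))
```

The same address maps to different people in the morning and the afternoon, which is why a shared guest password with no per-user session record cannot answer the question.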
 
Thanks for the advice Distraught, we looked at pfsense boxes, didn't like the $500 starting price for what we need. I've been reading that by installing an SD card and making it the router's dedicated FTP server, I can install apps on it that function in tandem with the router OS. One of these apps, called User Manager, provides the function I was looking for, the one that you kindly informed me is called captive portal. People will be asked for their own admin-configured login when trying to access the network.

It doesn't look as though it has bandwidth limiting options per user account though... which is another option we wanted, but I imagine the answer to that is again third party firmware, I take it.

If you have any information on how to log a device's web history that is specific to RouterOS, it would be very much appreciated.

Would third party firmware have to be checked for compatibility with the router board's OS?
 
Is that routerboard what you're currently using for a router? I just looked it up and it looks to be a standard SOHO box, which typically has more advanced options like bandwidth limits.

Here's what I found through a quick google search:
How to setup bandwidth limitation by using a MikroTik Router Board - Miro.co.za

FYI, pfsense is really just the OS - if you have an old computer lying around that you're not using and an extra NIC or two then it is essentially free. The prices you're seeing are for pre-assembled systems.
 