Possible for an AP to send WPA/encryption settings to connecting computers?

Whatsisname ([H]F Junkie, joined Nov 15, 2000, 10,201 messages)
Greetings

I am a manager at a housing unit, and we want to install wireless. We want a fairly good setup though, and we want everything as automatic as possible. If anyone could give this a quick read and let me know if it's possible, and what brands or models of wireless networking gear would make this possible, I would appreciate it.


Goal: we want all wireless traffic encrypted, but we don't want to have to deal with handing out encryption keys all the time.

What we'd like to do is have our router, when a client connects to the wireless network, redirect all connections to an internal web server that serves up an HTTPS authentication page. The user can then supply the username and password they have for other services on the wired network.

If they produce the proper login credentials, we'd like the login server to order the AP to send down a randomly generated encryption key to the client. That key would last for the life of the wireless session. We'd also like it if Windows would automagically accept the certificate and encrypt all traffic with it. At that moment the redirects would be lifted and the client could browse and use the network normally.

Does anyone know of any wireless access points that can send down certificates, and will Windows clients accept them?

Everything on the wired side we have the capability to do, I am just unsure about the wireless side.

Thanks
 
Goodness, I wish I could help you. My apartment complex when I had just graduated had that feature. And some hotels do that also... I know someone has that knowledge here.
 
Are you sure everything gets run through an encrypted channel? I know lots of places that do it, but I haven't seen any so far that set up encryption on the entire connection. Once you authenticate with them everything is sent in plain text unless you use HTTPS or set up a tunnel on your own, from what I've seen.

 
What you're looking for is a captive portal.

As for which devices will allow this, I cannot speak, but I figured I'd give you something to search around for.

But for others to help:
How big of a complex are we talking about? How many people will be using this wireless? Budget (this is going to be a big factor in recommendations)?
 
It almost sounds like you want to do some sort of reverse client VPN connection. Normally you do this to connect remotely to some network, but theoretically you could set up a VPN router that will only allow outbound access if they've authenticated.


so basically:

wireless client ----> AP -----> VPN ------> rest of network

I don't really think this would be ideal though, as it seems to be a bit of a kludge, but you could probably get it to work. I'm sure someone else will know about a better solution.
 
We only want coverage within our house, but there are a lot of nearby houses with people that would attempt to leech our internet. We also want to allow guests to come over, and make it easy to add folks onto the network when a resident gives them permission. We'd expect maybe 10-15 people could be using it at any one time.

Budget is about 300 bones for the wireless access point.


I have no issues with setting up the basic authentication; like d3c1us mentioned, we're setting up a captive portal. What we are having trouble with is setting up WPA/WPA2 or some other encryption on the wireless link automatically. Additionally, we want the access point to deny IP-to-IP communication between clients and send everything through the router for that. We don't want someone unable to authenticate but still able to access people's shared folders and such.

It would be nice if Windows and the AP were able to set up public key encryption upon authentication, and run all communication through that.

We also can't just do layer 3 restrictions, otherwise someone could spoof the MAC and IP and get rolling. It seems WPA2 has something along the lines of sending out keys automatically to clients, but we aren't sure how it works or how it's set up, and the documentation is a bit sketchy and riddled with marketing rather than technical details.
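The question of how WPA2 "sends out keys automatically" is answered by the key derivation the standard defines, so here is a worked example of it. This is added illustration code, not from the thread or any poster: it implements the WPA2 derivations (PBKDF2 for a PSK-based PMK, the first 32 bytes of the EAP Master Session Key for an 802.1X/RADIUS-based PMK, the 802.11i PRF, and the per-session Pairwise Transient Key from the 4-way handshake nonces). The MAC addresses and nonces in the simulation are constructed sample values. The point it shows: the per-session traffic key is never transmitted; the AP and the client each derive it from a shared PMK plus two fresh nonces, and with WPA2-Enterprise the RADIUS server gives each user their own PMK after the credential check, which is exactly the "key handed out per login" behaviour described above.

```python
"""WPA2 per-session key derivation, as a worked example (not code from the thread).

A client and an AP never exchange the traffic key. They share a Pairwise Master
Key (PMK), swap two random nonces in the 4-way handshake, and each compute the
Pairwise Transient Key (PTK) locally. The PMK itself comes from either a
passphrase (WPA2-PSK) or, with WPA2-Enterprise, from the EAP Master Session
Key that a RADIUS server delivers to the AP after a successful per-user login.
"""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_msk(msk: bytes) -> bytes:
    """WPA2-Enterprise (802.1X/EAP): the PMK is the first 256 bits of the MSK
    that the RADIUS server hands the AP once the user's credentials check out."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 bytes")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ..., truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1)
        out += block.digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK for one session (CCMP: 48 bytes = KCK || KEK || TK).

    The two MACs and the two nonces are ordered lexicographically before
    hashing, so the AP and the client reach the same PTK regardless of role.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16],   # authenticates the handshake frames (MIC)
            "KEK": ptk[16:32],  # wraps the group key the AP sends in message 3
            "TK": ptk[32:48]}   # the CCMP key that actually encrypts traffic


def eapol_mic(kck: bytes, eapol_frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC for WPA2 handshake frames: HMAC-SHA1 under the KCK, truncated to
    16 bytes. The caller passes the EAPOL-Key frame with its MIC field zeroed.
    A valid MIC proves the peer holds the PMK without ever revealing it."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def simulate_handshake(pmk: bytes, ap_mac: bytes, client_mac: bytes):
    """Model the nonce exchange of the 4-way handshake: the AP picks ANonce,
    the client picks SNonce, and each side derives the PTK on its own.
    Returns (ap_side_ptk, client_side_ptk); they match, and a fresh handshake
    yields a different TK because the nonces are new."""
    anonce = os.urandom(32)   # message 1: AP -> client
    snonce = os.urandom(32)   # message 2: client -> AP
    ap_side = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    client_side = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    return ap_side, client_side


if __name__ == "__main__":
    # Constructed sample values (not real devices).
    ap = bytes.fromhex("001122334455")
    client = bytes.fromhex("66778899aabb")
    pmk = pmk_from_passphrase("password", "IEEE")   # IEEE 802.11i Annex H vector
    first, _ = simulate_handshake(pmk, ap, client)
    second, _ = simulate_handshake(pmk, ap, client)
    print("PMK:", pmk.hex())
    print("session 1 TK:", first["TK"].hex())
    print("session 2 TK:", second["TK"].hex())
```

The test vector for `pmk_from_passphrase("password", "IEEE")` is the one published in the 802.11i annex, so the PBKDF2 step can be checked against a known value; the PTK itself depends on the random nonces, which is the property the example is meant to show. For the setup in this thread the relevant path is `pmk_from_msk`: with WPA2-Enterprise the AP never sees a password at all, it only receives the per-user MSK from the RADIUS server, so revoking a resident's account on the backend is enough to stop new wireless sessions.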
 
Wow, I am not certain you can do that with a budget of $300. You mentioned already having the capability to do this for the wired connections; how are you doing that? Do you have an LDAP or RADIUS server somewhere that users are connecting to? You are also going to need a web server or something to host the captive portal web page that will send authentication to your backend. Some APs and most wireless controllers have the capability to host the captive portal website. Also, you mention "A" AP; how big is this complex? Only an enterprise-grade AP is going to be able to handle 10-15 concurrent connections.

A little more insight into what you already have implemented and/or any server stuff you have now would help me make some recommendations. :D
 
Look into a router from ZyXEL called the ZyAir G-2000 Plus. It has a built-in RADIUS server and is very useful for doing exactly what you're looking for, and is only about $120 I think.
 