
Corporate implementation questions

slilley



Joined: 13 Oct 2005
Posts: 3
Location: Allentown, PA

Posted: Thu Oct 13, 2005 1:43 am
Post subject: Corporate implementation questions

We are evaluating FirstSpot for a corporate guest application. So far it looks very, very promising. :-) This online forum is a great source of info, btw! We've got a couple of questions that we didn't see answers to in the PDF and this online forum:

(1) In the user self-signup page, you can add several additional user fields (in addition to the username and password). Can these be read and/or added from the management console? We'd like to use one of these fields to track the actual user's name, and possibly a second field to track additional user information like their employee status or location (employee, contractor, visitor, retiree, etc.).

(2) Is there an easy way to disable the self-signup function? We'd like to manually control the user list (everything added via the management console), and although we can remove the "Sign Up Now!" link on the main webpage, that page can still be accessed if a user knows the URL. We currently have it set so that if someone tries to use the self-signup, they don't get any minutes, and therefore can't get in.

(3) Is there an easy way to disable all Paypal and/or credit card stuff? We won't be charging for this service, so if there is a way to make the server more secure by disabling unnecessary integration, we'd like to do it.

More questions to come, I'm sure. Thanks in advance for any info!

Regards,
Steve
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Fri Oct 14, 2005 3:56 am
Post subject:

1) To change the definition of "Extra Information Fields", you can go to the UI customization tab of Configuration Manager. Once the user has filled in the information, you can extract it from the table fsusr.

2) You can delete the file signup_form.php.

3) To disable credit card support, you can
i) go to UI Customization tab, uncheck the "Show 'Get Air Time' button"
ii) replace cart.php with a blank php/html/text file
_________________
~ Patronsoft Limited ~
slilley



Joined: 13 Oct 2005
Posts: 3
Location: Allentown, PA

Posted: Sat Oct 15, 2005 10:01 pm
Post subject:

Thanks for the info; we implemented those suggestions on Friday and they worked great! These are the last of the questions (for now :-) regarding our setup (Network Scenario 3):

(1) We are using /28 subnet masks (255.255.255.240) on our internal and external server NICs, but are using /22 subnet masks (255.255.252.0) on the subnet where the wireless clients are connected (these are hanging off another router with DHCP forwarding configured to direct these requests to the FirstSpot server). We noticed that the DHCP clients on these /22 subnets are getting a /28 (255.255.255.240) subnet mask from FirstSpot's DHCP, instead of the /22 mask that we configured in the Multiple Network tab. The clients are getting the correct default gateway, so everything is working fine, but this behavior has us scratching our heads. Why is the DHCP server handing out the /28 subnet masks instead of the /22?

(2) We noticed that when a user mistypes their username or password, they are told that they need to re-enter them, but they aren't redirected back to the login page. They need to click another link in their browser before they are re-prompted for their username/password.

(3) Does the client isolation setting apply for indirectly connected networks? We are using Network Scenario 3, but I have my doubts that this setting will do anything for us. How does client isolation work?

(4) We've found the DHCP trace.txt file, but is there any other file that contains (for example) a list of all the DHCP IP addresses, and the current user for that address (or if the IP is still unused/unassigned)?

(5) Can you recommend an Anti-Virus product that you know works well with FirstSpot? Also, do you recommend a personal firewall software to lock down the server from internal attack? Our FirstSpot server is behind a Cisco PIX firewall that connects it to the Internet, so we feel more exposed from the internal side than we do from the Internet.

(6) If we are using Radius, is there any way to see which users are currently online? We won't be using Radius at first, but would likely want to leverage it in the future.

Regards,
Steve
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Mon Oct 17, 2005 3:43 am
Post subject:

1) In the Multiple Network Segments (MNS) case, the IP the client obtains is based on the Router IP and the subnet mask configured in the MNS setting. So in your case, if the setting is configured correctly, the client should be getting an IP based on subnet mask 255.255.252.0.

Please make sure:
- you configure your DHCP relay in your router correctly
- also note that FirstSpot only supports the Router and the DHCP relay being on the same IP

If you still have difficulty, please post your config.ini for further analysis.

2) Do you have this problem in the "local" segment? FirstSpot should redirect the user back to the login page after a few seconds.

3) Yes, client isolation will work in MNS also. FirstSpot Client Isolation will prevent clients from seeing each other in Windows "My Network Places" or "Network Neighborhood".

4) Check out dhcpservice.ini. Make sure you don't change the content though.

5) To secure FirstSpot:

For the Public side (i.e. Internet), normally you will put a NAT router/Firewall there to block the traffic so it is very secure.

For the Private side (i.e. Hotspot), it is a bit more tricky since most personal firewalls are not compatible with FirstSpot as they both work at the driver level. You can, nevertheless, minimize the risk significantly by only opening the ports needed by FirstSpot. FirstSpot only needs the following ports to function properly:

TCP 80, 443, 5786, 5787, 5788, 5789
UDP 53, 67

Just select "Permit Only" for the above ports in Windows TCP/IP Filtering (see http://support.microsoft.com/default.aspx?scid=kb;en-us;309798 for instructions).

6) The current FirstSpot v3 does support viewing user Status in Configuration Manager when using RADIUS Authentication Mode. You have the view in the RADIUS server directly.

The upcoming v4 will support this.
_________________
~ Patronsoft Limited ~


Last edited by alan on Mon Oct 17, 2005 11:54 pm; edited 1 time in total
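
The permit list in the post above can be checked against what the server is actually listening on. The following is an added example, not part of alan's post or Patronsoft's code: it parses `netstat -an` output and reports network-reachable listeners on ports outside that list. The sample output and the function names are constructed for illustration.

```python
import re

# Ports the post above lists as the only ones FirstSpot needs.
ALLOWED = {"TCP": {80, 443, 5786, 5787, 5788, 5789}, "UDP": {53, 67}}
LOOPBACK = {"127.0.0.1", "[::1]"}  # not reachable from hotspot clients
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed `netstat -an` sample; addresses and services are illustrative.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    10.0.0.1:5786          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            10.0.0.57:1234         ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:67             *:*
  UDP    0.0.0.0:137            *:*
"""


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for listening TCP and bound UDP sockets."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        ip, _, port = local.rpartition(":")
        found.append((proto, ip, int(port)))
    return found


def unexpected_listeners(netstat_text):
    """Network-reachable listeners on ports outside the permit list."""
    extra = [r for r in parse_listeners(netstat_text)
             if r[1] not in LOOPBACK and r[2] not in ALLOWED[r[0]]]
    return sorted(extra, key=lambda r: (r[0], r[2]))


if __name__ == "__main__":
    for proto, ip, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {ip}:{port} is listening but not in the permit list")
```

On the server itself, pass the real output of `netstat -an` to `unexpected_listeners` instead of the sample; anything it reports is a service worth stopping or rebinding rather than leaving to the filter alone.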
slilley



Joined: 13 Oct 2005
Posts: 3
Location: Allentown, PA

Posted: Mon Oct 17, 2005 11:22 pm
Post subject:

Thanks again for the info. Here are some additional details on two of the questions above:

(1) We figured out the problem with remote DHCP clients getting /28 masks on a subnet that is /22: we actually have two routers (for redundancy) on the remote segment connected to the clients. Since both of these routers can forward DHCP requests, we put the subnet number (10.151.12.0) in the Router IP field. When we deleted that remote network, and added it back with the Router IP field set to the actual router address (10.151.12.1) (and turned off the other redundant router for this test), the server correctly handed out the /22 subnet mask. Then, when we turned off the 10.151.12.1 router and turned on the 10.151.12.2 router, the subnet mask assigned via DHCP changed to a /28. So it seems like this behavior only occurs when the FirstSpot server receives a DHCP request forwarded by a router other than the one specified by the Router ID field.

(2) Regarding the problem when a user mistypes their username or password but they aren't redirected back to the login page: This problem doesn't occur when the client is connected to the "local" subnet; those users automatically get redirected back to the login page. That redirection doesn't work for remote users though. Any ideas?

Regards,
Steve
alan
Forum facilitator


Joined: 26 Sep 2003
Posts: 4435

Posted: Tue Oct 18, 2005 2:44 am
Post subject:

1) Well, this is as expected. Again, FirstSpot only supports the Router and DHCP relay belonging to the same IP, and that IP needs to be added to the Router IP field in the MNS settings for FirstSpot to function correctly.

2) We cannot reproduce your problem in our lab. Can you post your:

- ipconfig/all of the client
- ipconfig/all of FirstSpot
- config.ini file
_________________
~ Patronsoft Limited ~
All times are GMT