
How do we control who gets our wireless network's free Internet access?

Learn how to control access to your wireless network's free Internet.

If we are providing free wireless Internet access to people through our portal, what is the best way to stop someone in the parking lot from having the same free access? What kind of system or equipment is needed?

There are several ways that you can discourage outsider use of your free Internet access wireless LAN (WLAN).

  1. You could give everyone who visits your facility a WPA or WPA2 Pre-Shared Key (PSK). This technique is used by some restaurants and hotels, where patrons receive "today's PSK" on their purchase receipt or check-in card. Legitimate users must type that PSK the first time that they are connected to the WLAN -- for example, when prompted by the Windows XP/Vista connection manager. To support this, all of your APs must be configured with an SSID that requires WPA or WPA2-PSK (aka WPA or WPA2-Personal).

  2. You could give everyone who visits your facility an individual or a group login and password, to be entered on your portal page. This technique is the most common method of limiting access to public Internet WLANs. Some portals even support guest self-registration, issuing time-bounded logins for this purpose. If you don't really care who is using your WLAN -- you just want to discourage outsiders -- then a group login is easier.

  3. You could configure your APs or your WLAN controller or even your portal with a list of known MAC addresses, denying access to everyone else. This technique tends to be used with limited devices, like voice handsets, that cannot interact with a Web portal. However, it is rarely used in true guest WLANs because you do not usually know guest MAC addresses in advance.

  4. You could use a Wireless IPS system to break connections attempted by any device not on an authorized station list or that appears to be located outside your facility. For a guest WLAN, the most applicable scenario is location-based blocking, and you would need to install a WIPS that supports this feature.

  5. Finally, you could use physical barriers to reduce the likelihood of outside connection. For example, if you have a large facility, put the guest WLAN APs as far as possible from exterior walls, or use directional antennas to focus their transmit energy inward. Use site survey tools to measure and reduce leakage.

None of these methods are foolproof, and several have well-known weaknesses like password sharing or MAC spoofing. However, any of these could help you discourage outsiders, if all you really want is to raise the bar against casual access. But note that an intruder with tools can easily circumvent most of these methods. Strong WLAN access control requires more robust authentication and enforcement -- for example, using 802.1X (WPA/WPA2-Enterprise).

This was last published in August 2007
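As an added illustration of option 1 above (not part of the original answer), this sketch derives "today's PSK" from a site secret, the SSID and the date, so the system printing receipts and the job reconfiguring the APs arrive at the same key independently. The secret, the SSID, the function names and the use of hostapd as the AP software are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date

# Receipt-friendly alphabet: no 0/O or 1/I/L, so patrons can type it reliably.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def daily_psk(site_secret: bytes, ssid: str, day: date, length: int = 12) -> str:
    """Derive the WPA/WPA2 passphrase for one SSID on one calendar day.

    The register that prints receipts and the job that configures the APs
    can both compute this from the shared secret, so the PSK itself never
    has to be copied between them.
    """
    # WPA passphrases are 8..63 ASCII characters; SHA-256 yields 32 bytes.
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    msg = f"{ssid}|{day.isoformat()}".encode("utf-8")
    digest = hmac.new(site_secret, msg, hashlib.sha256).digest()
    # One character per digest byte (slight modulo bias, fine for a guest key).
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def hostapd_stanza(ssid: str, passphrase: str) -> str:
    """Render WPA2-PSK settings in hostapd.conf syntax (assumed AP software)."""
    lines = [
        f"ssid={ssid}",
        "wpa=2",                  # WPA2 only
        "wpa_key_mgmt=WPA-PSK",   # pre-shared key, i.e. WPA2-Personal
        "rsn_pairwise=CCMP",      # AES-CCMP
        f"wpa_passphrase={passphrase}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    psk = daily_psk(secret, "Cafe-Guest", date.today())
    print("Print on receipt:", psk)
    print(hostapd_stanza("Cafe-Guest", psk), end="")
```

A key derived this way still has the password-sharing weakness noted above; rotating it daily only limits how long a shared key stays useful.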
