Multiple clients behind a CPE
kegrif
10-07-2004, 06:28 PM
If you are running DHCP auto-auth and HotSpot on a wireless interface, how do you handle multiple connections behind a CB3 without using a router?
lonnie
10-07-2004, 07:18 PM
You don't. The CB3 has to handle the Server tasks such as Hotspot and DHCP. It is a device that is meant for a single purpose and as such is not suited for the connection point with multiple clients.
Use a WRAP board and StarOS if you need that ability.
kegrif
10-10-2004, 05:40 PM
I have a CB3 that has a static IP address. The client behind it is using DHCP auto-auth for Hotspot authentication. Once the client PC authenticates, I can no longer manage the CB3 with the static address.
How do I get around this problem?
Skaught
10-10-2004, 08:01 PM
Seems to me that strikes the nail on the head as to why we do not use the autoauth/hotspot features.
kegrif
10-10-2004, 08:47 PM
It seems that it should be able to handle two addresses from the same MAC. Better yet, let us designate how many addresses per MAC. I do not see how you can use Hotspot with CPE. I am using it, and it works great for authentication without having to install PPPoE.
How do we get around this?
kegrif
10-10-2004, 09:02 PM
If you look at the DHCP Auto-auth leases, you see the actual MAC of the customer's PC. This MAC address is not proxied. If this is the case, then you should be able to get as many addresses as are required in my scenario.
When you look at the Hotspot sessions page, you see only the MAC address of the CPE because of the MAC proxy feature.
There has to be some way around this "feature".
lonnie
10-10-2004, 10:42 PM
The DHCP request packet contains the MAC of the machine requesting the packet. It is given an IP by the DHCP AutoAuth. Unfortunately the CB3 is a proxy arp device and when that unit tries to talk it does so with the MAC of the CB3. The Hotspot is MAC driven so this unit takes the slot for that MAC - thus ruling out all the other MAC addresses that are behind the CB3.
If it is so important to handle multiple users behind the client radio, then simply make that client device a WRAP board running StarOS. It works. Why are you expecting that you can just mix and match and have the results that we crafted as a complete system? Come on, don't blame us for the faults of the other units.
You guys knew those CB3 were going to have limitations. Now that you have hit them don't expect them to magically disappear because you have begun to use them. That is simply sticking your head in the sand, and you know what gets exposed when you do that.
kegrif
10-11-2004, 09:46 AM
I am not asking for multiple IP addresses behind the CB3. I am simply asking for one. I have my CB3's statically addressed so that they won't query for an address. I let the router or PC behind it query for an address.
What I am saying is that the radio is not asking for an address. I simply want to be able to talk to the CB3 without causing the hotspot security to turn the customer off.
lonnie
10-11-2004, 12:22 PM
But that is how it works. The MAC presented to the Hotspot session is the CB3 MAC and it creates an ARP entry with the MAC to the IP of the client. That rules out the CB3 from having its own IP. Your example is really trying to have two IP behind the one MAC.
kegrif
10-11-2004, 01:53 PM
Let me understand the process of how the "hotspot security" works. If a MAC address is granted authorization, and then a different IP address from the same MAC tries to gain entry, the customer is logged out, locked up, or the last IP address is not allowed entry? Or does the last IP address simply gain the authorization of the hotspot?
If I do not use DHCP auto-auth, and make the customer open a web page before they start using the Internet in any form, will this negate the CPE from alerting the Hotspot security feature?
lonnie
10-11-2004, 03:32 PM
Our Hotspot implementation locks the guy out if the IP changes for the authorized MAC. It is part of the security. When you authorize something you cannot allow it to change unless you re-authorize them. This avoids people trying to change IP in order to be untraceable or to avoid bandwidth rules.
Each Hotspot session has a MAC, an IP, and a bandwidth rule.
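The lockout described in the post above, combined with the proxy-ARP behaviour explained earlier in the thread, as an added example that is not part of the original posts and is not StarOS code. It is a toy model; the class and function names, the addresses, and the choice to treat a locked session as locked until re-authorization are assumptions.

```python
# Toy model of the MAC-keyed hotspot session table described in this thread.
# Constructed for illustration; class and function names are hypothetical.
from dataclasses import dataclass

@dataclass
class Session:
    mac: str
    ip: str
    bandwidth_rule: str
    locked: bool = False

class Hotspot:
    def __init__(self):
        self.sessions = {}  # one session per source MAC

    def authorize(self, mac, ip, rule="default"):
        self.sessions[mac] = Session(mac, ip, rule)

    def observe(self, mac, ip):
        """Classify one frame by the (source MAC, source IP) the gateway sees."""
        s = self.sessions.get(mac)
        if s is None:
            return "unauthorized"
        if s.locked or s.ip != ip:
            s.locked = True  # new IP from an authorized MAC: lock until re-auth
            return "locked"
        return "pass"

def via_proxy_arp(cpe_mac, frames):
    """Proxy-ARP CPE: frames leave with the CPE's MAC, client IP unchanged."""
    return [(cpe_mac, ip) for _src_mac, ip in frames]

def replay(hotspot, frames):
    return [hotspot.observe(mac, ip) for mac, ip in frames]

# Constructed sample addresses (documentation ranges).
CPE_MAC, PC_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
CPE_MGMT_IP, PC_IP = "192.0.2.10", "192.0.2.50"
# PC traffic, then the CPE answering on its static IP, then PC traffic again.
LAN_FRAMES = [(PC_MAC, PC_IP), (CPE_MAC, CPE_MGMT_IP), (PC_MAC, PC_IP)]

def proxy_arp_case():
    hs = Hotspot()
    seen = via_proxy_arp(CPE_MAC, LAN_FRAMES)
    hs.authorize(*seen[0])       # PC authenticates; session keyed on the CPE MAC
    return replay(hs, seen)

def bridged_case():
    hs = Hotspot()
    hs.authorize(PC_MAC, PC_IP)  # gateway sees the PC's real MAC
    return replay(hs, LAN_FRAMES)

if __name__ == "__main__":
    print("proxy ARP:", proxy_arp_case())
    print("bridged:  ", bridged_case())
```

In the proxy-ARP case the management frame arrives as a second IP from the already-authorized MAC and locks the customer's session; in the bridged case it is just an unauthenticated device and the customer's session is untouched.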
kegrif
10-11-2004, 08:21 PM
Since the CB3 cannot initiate a web stream, would it be wise to say that if you simply allow the customer to do MAC authorization via the web page instead of DHCP auto-auth, that you would get around the CB3 knocking them off? I will wait for an implementation where I can either bridge CPE devices or authorize more than one IP per MAC.
kegrif
10-12-2004, 08:36 AM
Last question on the method of security and I will leave you alone.
The hotspot security only checks the IP/MAC combo if the device is trying to "go through" the StarOS router, correct? So, if I put a static address on the CB3 with no default gateway, it wouldn't attempt authorization, right?
If I then VPN into that particular router and receive an address on the same subnet as the CB3's, I could manage them without actually passing any IP through the hotspot.
Your thoughts?
lonnie
10-12-2004, 09:00 AM
> Since the CB3 cannot initiate a web stream, would it be wise to say that if you simply allow the customer to do MAC authorization via the web page instead of DHCP auto-auth, that you would get around the CB3 knocking them off? I will wait for an implementation where I can either bridge CPE devices or authorize more than one IP per MAC.
MAC anything coming through a CB3 uses the MAC of the CB3 but the IP of the customer. Since our Hotspot is MAC based you can have ONE IP and ONE MAC pair.
This is just not something we can change in this release. Sorry.
kegrif
10-12-2004, 11:26 AM
I guess I didn't ask the question properly.
Will an ARP be enough to kick a user out of the hotspot when not using DHCP auto-auth?
lonnie
10-12-2004, 02:00 PM
Yes. AutoAuth simply checks for radius authentication and override on the IP assignment. If you have it set to begin a Hotspot session it will do so. After that it has no hand in the sequence and the Hotspot Server will be watching for IP changes, as evidenced by a new IP from the old MAC.
kegrif
10-12-2004, 02:28 PM
Thanks!
Merlin
10-12-2004, 05:09 PM
Thanks!
Kelly,
Good to see you're still around -- I'd appreciate it if you would get in touch with me.
-Merlin
merlin@merlin.net
georgew
11-17-2004, 01:38 AM
Ok, so I get it why a cb3 doesn't work, it is a proxy arp device.
What about a device like a switch, where you actually see the remote unit's mac... that should work pretty good, eh?
So I should be able to hotspot clients on a switch, or a network such as canopy? As long as each mac has one and only one ip associated with it, and no proxy-arp in use...
right?
szern
11-17-2004, 06:58 AM
> Ok, so I get it why a cb3 doesn't work, it is a proxy arp device.
> What about a device like a switch, where you actually see the remote unit's mac... that should work pretty good, eh?
> So I should be able to hotspot clients on a switch, or a network such as canopy? As long as each mac has one and only one ip associated with it, and no proxy-arp in use...
> right?
Yup. That's how my hotspot for hotels/condominiums works.
All the clients are located behind the StarOS unit on managed/unmanaged ethernet and homepna/vdsl switches. The StarOS unit works as an 'Edge Authentication Gateway' :)
- Szern
palmczak
12-02-2004, 08:51 AM
Does anyone know of any true wireless bridges? I have an old Smartbridge (the new firmware changes it to proxy arp) that does just that: it is transparent, and it will present the mac of the client to the AP. It allows several users to work behind it. The problem is the old firmware locks about every 30 days.
Thanks,
Joe