I have been taking a peek at PacketFence lately; it looks very interesting, probably more than you need, but it has several extra features. (The captive portal is one interesting aspect.)
I have a PacketFence VM that will kill the client's switch port (puts it in a separate isolation VLAN) if the Snort IDS gets tripped by P2P traffic (including BitTorrent). As all the switches have 802.1X enabled as well, it's easy to find out who is using the client PC.
If you put the Wifi on a separate physical network, that's reasonably secure.
A wired VLAN on a switch is much easier to manage. While VLANs are not bulletproof, unless you've got Kevin Mitnick as a guest, you will be fine with that. Just configure two separate VLANs, put your Wi-Fi on one and the private wired network on the other. You will need a router with dual LAN interfaces to get to the Internet, or do inter-VLAN routing.
Be careful about your whole router-behind-a-router setup, as oftentimes that either makes for a painfully slow connection or causes issues with DHCP, DNS, etc. When you say 'splitter' I assume you mean an Ethernet switch of some sort? If done incorrectly you will open a big security hole with this.
Some commercial-grade access points (e.g. Cisco) allow both guest and production virtual WLANs.
There are lots of open-source captive portal solutions such as Coova, WifiDog, Packetfence.
We use an Aruba 3600 controller for this. You can easily set up a page that presents any type of disclaimer to the user before they are allowed to go to the Internet. This feature is included with the controller at no additional cost, although I am unsure if you have the ability to add a required field that expects input (email).
A cheaper way could be PacketFence: http://www.packetfence.org/ The software is free and runs great. We trialed it and it works amazingly well. If you get stuck or would like help with the implementation, the PacketFence folks sell "support/consulting hours". Good luck.
Really? You don't think it'll be doomed nearly immediately for abuse/piracy?
Just free Wi-Fi for everyone to use as they see fit, with no ToS/enforcement at all? Not even something open source like PacketFence or OpenNAC?
Edit: never mind, I didn't read the question fully. PacketFence is overkill.
I don't think pfSense supports what you want to do, which sounds like NAC (Network Access Control). Take a look at PacketFence.
>PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
/u/the_wookie_of_maine seems to be saying that it would work though. Any tutorials on setting it up with pfSense? Does the client have to support VLAN tagging in order to use DHCP option 60? Does that keep someone from just manually setting the VLAN on the client side?
List of open source Network Access Control
Another list I found from a blog post
There is no "rational" reason to set up two networks. If you intend to educate anything about them then you should at least be able to trust your own "firewall" configuration. There is no LAN and WAN, only the Internet (hint: IPv6).
https://en.wikipedia.org/wiki/Network_Access_Control http://www.packetfence.org/ https://en.wikipedia.org/wiki/Network_Policy_Server
Out of curiosity, why would you want to run a RADIUS server on a Windows box if you are not using AD for authentication?
If you're trying to do network authentication, why not try something like PacketFence? It's free, has pretty good documentation and works with lots of networking devices.
I use PacketFence (open source) running in a VM. It uses 802.1X on the HP ProCurve switches to kick people into a separate VLAN. There's a captive portal running there to tell people how bad they've been and what their ~~punishment~~ remediation is.
Our guest Wi-Fi is actually hooked up to a pfSense box, but that's because the IT manager wanted to air-gap the guest Wi-Fi.
I could be wrong, but I think you're after RFC 3576, which is what an access point has to support in order to play nice with PacketFence. It's the CoA that kicks the client off the network after authentication and then assigns them the proper VLAN on reconnection.
They give a nice list of supported APs on their site.
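To make the RFC 3576 (now RFC 5176) exchange mentioned above concrete, here is an added example, not PacketFence code and not from the original thread, that builds the Disconnect-Request a NAC server sends to the access point, verifies it the way the AP does, and builds the Disconnect-ACK that comes back. The shared secret, identifier and session attributes are constructed placeholders; the packet layout and authenticator formulas are the ones RFC 2865 and RFC 5176 define.

```python
"""RFC 5176 (ex-RFC 3576) Disconnect-Request / ACK, built from the standard layout.

Added example for illustration; the secret, identifier and session values
below are constructed, not taken from any real deployment.
"""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 section 3
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types from RFC 2865 / RFC 2866 that identify the session to drop
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Parse the TLV body back into a list of (type, bytes) pairs."""
    attrs, pos = [], 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """NAC side: Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """AP/NAS side: accept only requests signed with the shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet) or length < 20:
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(request, secret, ack=True):
    """AP/NAS side: Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuth + attributes + secret)."""
    code = DISCONNECT_ACK if ack else DISCONNECT_NAK
    header = struct.pack("!BBH", code, request[1], 20)
    auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + auth


def verify_response(response, request, secret):
    """NAC side: check the ACK/NAK really answers our request."""
    if len(response) != 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # placeholder, constructed
    req = build_disconnect_request(secret, 7, [
        (ATTR_USER_NAME, "jdoe"),                 # constructed session
        (ATTR_CALLING_STATION_ID, "00-11-22-33-44-55"),
        (ATTR_ACCT_SESSION_ID, "0000A1B2"),
    ])
    print("request ok on NAS:", verify_request(req, secret))
    ack = build_response(req, secret)
    print("ack ok on NAC:", verify_response(ack, req, secret))
```

The NAS only honours the request if the authenticator matches its configured secret, which is why the access point must be listed as a CoA/RFC 3576 client on both sides before PacketFence can bounce a session.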
Look at either PacketFence for the free version to prevent this, or Cisco Identity Services Engine for a paid version.
If I were to sum them up in one line: "They make written network access policies a reality." In most cases, companies have a written policy something like "iPads are not allowed on the corporate network", but really have no way to enforce that policy. ISE can, and PacketFence should be able to.
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
Haven't used it. Just got a few switches and APs last week to play with and see what happens.
Your auditor is either a very poor communicator or a very poor auditor.
If you have managed switches and are interested in locking things down, PacketFence is worth a look: http://www.packetfence.org
Investigate PacketFence; set it up (or a different NAC) and then you have the offending server's switch port turned off automatically when the error state is detected.
Or you can tie ntop into [script language of choice] and make a quick home-made snmpset of ifAdminStatus to down on the switch.
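The home-made approach in the comment above, as an added example that is not from the thread or from ntop: a small Python script that takes alert lines (the line format here is constructed, not ntop's real output), resolves each flagged MAC to a switch port through a bridge-table lookup, refuses to touch uplink ports, and assembles the Net-SNMP `snmpset` command that sets `IF-MIB::ifAdminStatus.<ifIndex>` to `down(2)`. The switch addresses, community string and bridge table are constructed placeholders; `plan_shutdowns` and `snmpset_command` are names chosen for this example.

```python
"""Turn IDS/ntop-style alerts into switch port shutdowns via SNMP ifAdminStatus.

Added example; the alert format, switch IPs, community and FDB table are
constructed. Real use would pull the FDB from dot1dTpFdbPort/dot1dBasePortIfIndex.
"""
import subprocess

IF_ADMIN_DOWN = 2   # IF-MIB ifAdminStatus: up(1), down(2), testing(3)

# Constructed alert lines: "<severity>|<ip>|<mac>|<reason>"
SAMPLE_ALERTS = [
    "high|10.0.5.23|00:11:22:33:44:55|p2p-bittorrent",
    "low|10.0.5.24|00:11:22:33:44:66|dns-burst",
    "high|10.0.5.30|00:11:22:33:44:77|p2p-bittorrent",   # MAC not in FDB
    "high|10.0.5.9|00:11:22:33:44:88|worm-scan",         # lands on an uplink
]

# Constructed bridge table: MAC -> (switch address, ifIndex), as if read via SNMP
SAMPLE_FDB = {
    "00:11:22:33:44:55": ("192.0.2.10", 12),
    "00:11:22:33:44:66": ("192.0.2.10", 13),
    "00:11:22:33:44:88": ("192.0.2.11", 49),
}

# Ports we must never disable (trunks/uplinks), keyed by switch address
SAMPLE_UPLINKS = {"192.0.2.11": {49, 50}}


def parse_alert(line):
    """Split one constructed alert line into a dict; return None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    severity, ip, mac, reason = parts
    return {"severity": severity, "ip": ip, "mac": mac.lower(), "reason": reason}


def plan_shutdowns(alert_lines, fdb, uplinks, min_severity="high"):
    """Return (switch, ifindex, mac, reason) for every alert that should cut a port.

    Skips alerts below the threshold, MACs the FDB does not know, and any port
    listed as an uplink so a single alert cannot take down a whole segment.
    """
    plan, seen = [], set()
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None or alert["severity"] != min_severity:
            continue
        entry = fdb.get(alert["mac"])
        if entry is None:
            continue
        switch, ifindex = entry
        if ifindex in uplinks.get(switch, set()) or (switch, ifindex) in seen:
            continue
        seen.add((switch, ifindex))
        plan.append((switch, ifindex, alert["mac"], alert["reason"]))
    return plan


def snmpset_command(switch, ifindex, community):
    """Net-SNMP command line that sets the port's ifAdminStatus to down(2)."""
    return ["snmpset", "-v2c", "-c", community, switch,
            "IF-MIB::ifAdminStatus.%d" % ifindex, "i", str(IF_ADMIN_DOWN)]


def execute(plan, community, dry_run=True):
    """Run (or, by default, only print) the shutdown commands; returns them."""
    commands = []
    for switch, ifindex, mac, reason in plan:
        cmd = snmpset_command(switch, ifindex, community)
        commands.append(cmd)
        print("%s port %d (%s, %s): %s" % (switch, ifindex, mac, reason, " ".join(cmd)))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    plan = plan_shutdowns(SAMPLE_ALERTS, SAMPLE_FDB, SAMPLE_UPLINKS)
    execute(plan, community="constructed-rw-community", dry_run=True)
```

Run it as-is and it only prints the commands; drop `dry_run` once the FDB lookup and uplink list are wired to the real switches. The write community string should be scoped to the NMS host's address on the switch, since it grants exactly the power this script uses.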
I would also suggest getting an out-of-band server, so when things like this occur you can use good ol' dial-up and access the console of your switch/router/server/whatever. I prefer Avocent ACS gear (formerly Cyclades), but any serial console management device will do ya. You can also find super cheap console management servers on eBay. They tend to work forever, IMO.
Good luck.
+1 to stunder and b26 for FreeNAC; that app is very nice.
But for a really robust and free/open-source NAC solution, check out PacketFence.
NAC solutions really don't come much better than this: great feature set, dead simple to set up, excellent UI. Can't recommend this solution enough.