# Configuring Airport extreme



## smiffy07 (Nov 15, 2006)

Hi all, 

We have an airport extreme base station set up in our office for staff to log in and roam wireless. At the moment it is set up and password protected. It possible to set up multiple accounts on the base so that users can log in with the usual password but when clients come in they see a guest account?


----------



## sgould (Nov 15, 2006)

I don't know a way to do this, so I would say it can't be done.

Anyway, what would you gain by it?  Surely all your work files are protected so whatever means a "guest" used to get in, they would only see the public area?

My local car dealer has a notice in his waiting room for customers giving "today's user name and password" so you can work while you wait!  So, again, if he can't do it on a PC system, it seems unlikely any other manufacturer would.


----------



## macbri (Nov 15, 2006)

I haven't set this up myself but having a RADIUS server *(*[SIZE=-1]*Remote Authentication Dial In User Service*[/SIZE]) on your network should let you do exaclty what you want. The Airport can request authentication info. from the Radius server.

Regular staff could either each have their own account, or a "common" password (much as they do now) and then you could have a different one for guests & visitors.   And as with so many other things, there's at least one open source solution: FreeRADIUS (http://www.freeradius.org/).

HTH


----------



## Smuth (Dec 4, 2006)

RADIUS isn't what you are after, I use one to filter MAC addresses but there is no prompt to enter credentials passed back through the Airport.You are either on or off based on the packet info passed up to the RADIUS. I have a solution from Nortel that uses a secure switch that offers this option at one location but it is expensive.

THe Airport doesn't offer multiple password support. Why not run 2, one using Mac filtering and WPA, the other open to guests and bypassing the internal network going straight out?


----------



## macbri (Dec 4, 2006)

Are you sure about that?  RFC 2865 seems to imply it does exactly that - i.e.  provide a method for username/password authentication, among other things...  or am I reading it wrong??


----------



## Smuth (Dec 5, 2006)

I ran Free Radius and couldn't get an encrypted Authentication request back through either the Aiport Snow or Extreme so I went to MAC filtering.  The most common use of RADIUS is MAC filtering such as:
http://www.oreillynet.com/pub/a/wireless/2003/12/18/wap.html

In order to use a name/password, a client package must be used on the client to handle the request:
http://www.infopeople.org/resources/security/network/wireless.html

I've seen this done within a SSL browser but it requires custom programming skills.I suppose you could use the Mac dial in software for the client if you don't mind passing clear text on the network. Many VPN packages include support for RADIUS authentication such as Cisco's client but in the long run, adding an Access Point between the Internet Pipe and main network in a simple DMZ is easier and far cheaper.


----------

