Authentication and logging of users for a Wireless ISP?

I have to upgrade a Wireless ISP's (WISP) network. Their current setup consists of a router (Mikrotik RouterBoard 1100AHx2), Ubiquiti Rockets (with sector antennas) for clients, and Ubiquiti NanoStations for client CPEs.

Their security consists of WPA2-PSK for the CPEs, and they dial PPPoE to provide access. PPPoE makes it trivial to control users, disconnect them, walled-garden them in case they don't pay, etc.

But PPPoE is always problematic in other aspects (MTU issues, tunnels randomly dropping, etc.). So I want to keep things as pure as possible: no tunneling of any sort, just bare Ethernet.

Authentication can be solved easily with 802.1x (EAP) which all devices support just fine. Then it's just a matter of assigning IP addresses with DHCP (and DHCPv6 even).

But my problem is that 802.1x authentication is based on user+password, while DHCP only uses MAC. So, I need a way to provide an IP from a specific pool to every type of user. FreeRADIUS can act as a DHCP server and do this, but it's not possible to use the 802.1x credentials for DHCP, or at least, I haven't found a way to do this.

What options do I have to accomplish this? New hardware is not an option, the solution has to be as FOSS as possible, and run on Linux or FreeBSD.


Solution 1:

FreeRADIUS can work with different backends, such as SQL or LDAP. You could maintain a list of users and some RADIUS-specific token that you specify in FreeRADIUS to designate subnet and/or account status (active, inactive, non-pay, etc.). You will need to really dig into FreeRADIUS and the customization of it, but I know it can be done, especially since quite a few medium-sized ISPs run something similar to do carrier DHCP and the like.
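One way to bridge the user-to-MAC gap raised in the question with the per-account status Solution 1 describes, as an added example (my own Python, not code from the original post or from FreeRADIUS): it assumes the NAS reports the supplicant MAC as Calling-Station-Id in its RADIUS accounting records, parses a constructed detail-file excerpt, and emits ISC dhcpd host reservations drawn from a per-status pool, with the non-pay pool acting as the walled garden. The account table and pool ranges are constructed sample values.

```python
import ipaddress
import itertools
import re

# Constructed sample in FreeRADIUS detail-file layout (not real logs): each
# 802.1X session records the user name and the supplicant MAC.
RADIUS_DETAIL = """\
Tue Mar  3 10:00:01 2015
    User-Name = "alice"
    Calling-Station-Id = "00-11-22-33-44-55"
    Acct-Status-Type = Start

Tue Mar  3 10:05:42 2015
    User-Name = "bob"
    Calling-Station-Id = "66:77:88:99:aa:bb"
    Acct-Status-Type = Start
"""
# Constructed billing state and pools; "non-pay" is the walled-garden subnet.
ACCOUNT_STATUS = {"alice": "active", "bob": "non-pay"}
POOLS = {"active": ipaddress.ip_network("10.10.0.0/24"),
         "non-pay": ipaddress.ip_network("10.99.0.0/24")}
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Return one attribute dict per Start record (records are blank-line separated)."""
    sessions = []
    for record in text.strip().split("\n\n"):
        attrs = dict(m.groups() for m in map(ATTR_RE.match, record.splitlines()) if m)
        if attrs.get("Acct-Status-Type") == "Start":
            sessions.append(attrs)
    return sessions

def norm_mac(raw):
    """Canonicalise the many MAC spellings NAS vendors use; reject garbage."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"bad MAC in Calling-Station-Id: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reservations(sessions, status, pools):
    """Map each authenticated MAC to an address from the pool its account status
    entitles it to; unknown accounts are treated as non-pay (walled garden)."""
    free = {n: itertools.islice(net.hosts(), 10, None) for n, net in pools.items()}
    result = {}
    for s in sessions:  # first 10 hosts of each pool are left for infrastructure
        state = status.get(s["User-Name"], "non-pay")
        result[norm_mac(s["Calling-Station-Id"])] = (s["User-Name"], state, str(next(free[state])))
    return result

def render_dhcpd(res):
    """Emit ISC dhcpd host declarations, one fixed-address per authenticated MAC."""
    return "\n".join(f"host {user} {{ # {state}\n  hardware ethernet {mac};\n"
                     f"  fixed-address {ip};\n}}" for mac, (user, state, ip) in sorted(res.items()))
```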