We will start a project at our company where customers coming to us will have the possibility to surf the internet with their own laptops. What we would like is for this network to be in a separate DMZ, and for the traffic to be automatically redirected to our proxy server to filter out some bad websites. (We do not want people to surf to strange websites inside our building.)
A third requirement we would like to put in place is that if people connect to the wireless and want to surf, they will be redirected to a special website where they first have to authenticate with a one-time password, and this password would then allow them to surf for an hour or so... I think something could be done with 802.1x, but I am not really sure about this...
We had a similar requirement with one of our clients and we had to use Layer 3 Web Authentication for guest Internet access, enabled through the SSID. The Web Authentication works fine, but the Virtual IP address/DNS name that are configured in the Interfaces menu was, and still is, a bit puzzling!
Are you saying you want to have 2 guest WLANs in addition to your trusted user WLAN? That's certainly possible, but it will depend on what you're using for the WLAN infrastructure and the internet access proxy functions. You don't mention what proxy server you have, but the first thing you need to think about for the DMZ'd WLAN is how you're going to ingress the traffic to the proxy from the DMZ. That could be via a separate physical interface, or preferably a new VLAN on an 802.1q trunk. Apart from that, your normal proxy rules should be configurable however you want, I'd think.
For the second WLAN that you're talking about, I think you'd need what I'd call a "forced portal". It's a bit like a proxy, but with more functions. Some proxies do web based authentication, which is what you want, but you'd need to check your box. Typically, you'd expect to be doing this as a layer 3 web based authentication rather than 802.1x, which occurs at layer 2 and is required before the user can even see a web page (i.e. when the radio signal is building). Furthermore, if you want time based access for your portal, you'll need to check it does that too. And you'll need to think about how these "tokens" get issued. Somebody will have to be doing it as part of their job, unless you automate it via an HTML page for the guest to fill in themselves.
One final point with guest access. A lot of people forget that you can't implement downstream QoS from your ISP (not AFAIK). What this means is that you need to accept the risk, if you're going to share a corporate web connection with the guests, that they might steal a big chunk of your bandwidth. There are lots of functions you can activate to cut back guest traffic levels upstream and downstream internally and on the DMZ. But when it comes in on your inbound web router, if the inbound traffic is already loaded, dropping the packets at your local interface won't necessarily help! I'd always suggest running guest access up a different web connection to your corporate access.
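To make the "forced portal" flow discussed in this thread concrete (a one-time code is issued, redeemed exactly once at the portal, and the client is then allowed out for a fixed window, which is the check a redirect rule would consult), here is an added example written for this page; it is not code from the thread or from any portal product. The one-hour session, the eight-hour lifetime of an unredeemed code, the code format and the in-memory store are all assumptions.

```python
"""Model of a captive-portal token store: one-time codes, single-use
redemption, and timed guest sessions. Added example, not from the thread."""

import hmac
import secrets
import time

SESSION_SECONDS = 3600        # "surf for an hour or so" (assumed from the question)
OTP_TTL_SECONDS = 8 * 3600    # unredeemed codes lapse after a shift (assumed policy)


class GuestPortal:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so the logic can be tested
        self._pending = {}             # code -> expiry of the unredeemed code (epoch s)
        self._sessions = {}            # client id (IP or MAC string) -> session expiry

    def issue_otp(self) -> str:
        """Helpdesk action (hypothetical): mint a random single-use code."""
        code = "-".join(secrets.token_hex(2) for _ in range(3))   # e.g. 3f9a-0c1d-b7e2
        self._pending[code] = self.now() + OTP_TTL_SECONDS
        return code

    def redeem(self, client: str, presented: str) -> bool:
        """Portal login: consume the code once and open a timed session for client."""
        now = self.now()
        match = None
        # Walk every live code and compare with compare_digest, so the time taken
        # does not depend on how many leading characters of a guess are right.
        for code, expiry in self._pending.items():
            if expiry >= now and hmac.compare_digest(code.encode(), presented.encode()):
                match = code
        if match is None:
            return False
        del self._pending[match]                  # single use: a replayed code fails
        self._sessions[client] = now + SESSION_SECONDS
        return True

    def is_allowed(self, client: str) -> bool:
        """The question a redirect rule asks before passing traffic to the proxy."""
        expiry = self._sessions.get(client)
        if expiry is None:
            return False
        if expiry <= self.now():
            del self._sessions[client]            # lapsed: back to the portal page
            return False
        return True

    def purge(self) -> int:
        """Housekeeping: drop unredeemed codes past their lifetime; returns the count."""
        now = self.now()
        stale = [c for c, e in self._pending.items() if e < now]
        for c in stale:
            del self._pending[c]
        return len(stale)


if __name__ == "__main__":
    portal = GuestPortal()
    code = portal.issue_otp()
    print("issued", code)
    print("allowed before login:", portal.is_allowed("10.20.30.40"))
    print("login:", portal.redeem("10.20.30.40", code))
    print("allowed after login:", portal.is_allowed("10.20.30.40"))
    print("replay from another client:", portal.redeem("10.20.30.41", code))
```

The two properties worth checking in whatever box you buy are the ones this model makes explicit: a code must be dead after its first use (otherwise one printed slip serves a whole table of guests), and the session must expire on its own rather than rely on the guest logging out.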