Howdy,

We deployed Guest Internet Access (GIA) a year ago, before our LWAPP migration began across 30 hospital systems. Our business requirements were:

1) No charge to guests

2) Minimize have VS have not's issues (no using credit cards, etc for validation)

3) Centralized ISP(s)

4) Some form of self-reg as NONE of the hospitals wanted staff to have to do anything

We ended up doing an Advanced Services engagement with Cisco. Looked at BBSM & SSG. Settled on BBSM. GRE + VRF overlay network. The main part of the CAES engagement was to 'adapt' their existing custom 'sponsor' app to accomodate self-reg. Bottom line is we were underwhelmed with the sponsor app, although I heard @ Networkers last year from a Cisco internal IT manager that they've enhanced it considerably so YMMV.

We dropped the sponsor app & I dug in to the BBSM's SDK docs. I built a simple web form that folks get re-directed to in the BBSM's 'walled garden'. They choose Dr, Guest of Patient or business partner and based on this selection have to provide add'l info such as contact within our company. Bear in mind that there's no way to check any of this so we do have some 'donald ducks' show up in registration. Once they fill in the info, we replay their info & IP to them visually along w/ the AU policy. They click accept & it posts a string back to the BBSM that calls a pageset to initiate their session. For the doctors personal devices we BBSM auth them against radius so that they can use existing novell credentials & not have to 'sign up' each time.

This has worked pretty well for > 1yr. The BBSM unfortunately is not the most stable platform. Appliance, Win2k w/ MS ISA & some fancy cisco nat code is what it amounts to. I have 2 of them. One died already (HDD/controller) and both have had to be rebooted (hung) probably 5-6 times in 1yr.

Sooo. We are excited about GIA via LWAPP. Removes the complexities of the overlay network, gets rid of BBSMs (potentially) and has the capability to provide some redundancy where the BBSMs do not.

As far as self-reg under GIA-over-LWAPP... Since there is no way to enforce truthful registration, it is, in my opinion, of dubious value. Our previous 'extremest' security officer that insisted on it has left the building and I am exploring forgoing it completely with mgt as it's the one major complaint we get amongst otherwise raving reviews of the service (we survey the guests, etc).

One other complaint we've had is "We don't like having to (completely) re-register every 8 hours. Couldn't we just set up our own userid/password & reuse @ session expiry?"

Considering all of this, if push comes to shove & I'm forced to keep self reg as we migrate to LWAPP then here is my plan & what I think you'll want to explore:

1) Redirect the guest users to a (offbox) webform. Collect info including chosen userID/pass.

2) On post, write to sql backend. Mysql should work fine on the cheap.

3) Use ACS (or freeradius) to radius auth the user against this external (to ACS) database, just need a second or two delay to make sure form post data makes it into DB prior to posting url back to anchor controller.

Benefits:

1) Easier reporting then old reg form-post text file

2) Ability to do sql replication to alt datacenter where redundant anchors live

3) Upon user's session expiration, they can re-login using credentials they chose instead of having to completely re-register.

4) Radius server can still look @ novell via sldap for our docs.

Obviously you have to determine what the ultimate life of the user account in radius is before it's auto-purged.

Still have some details to flesh out but that should give you some ideas. Also, don't be afraid to survey your guests, even using free or cheap online survey tools (surveymonkey). Link to it @ top of selfreg form. Our users have NO problem filling out the survey & telling us what they like & don't. Good info.

Hope it helps.