This paper introduces a novel access control architecture for publicly accessible, wireless networks. The architecture was designed to address the requirements obtained from a case study of ubiquitous Internet service provisioning within the city of Lancaster. The proposed access control mechanism is based on the concepts of secure user authentication, packet marking, and packet filtering at the access routers. The paper demonstrates to what extent this tokenbased, soft-state access control mechanism improves security and robustness, and offers improved performance over that provided by existing approaches within roaming networks. Early indications show the access control mechanism can better be implemented through the use of active routers, in order to facilitate dynamic rollout and configuration of the system. In addition, extensions to Mobile IPv6 are proposed, which provide support for roaming users at a fundamental level.