Also, can this be solved with attributes within a Microsoft RADIUS server, and where would I find what attributes to put in?
This is currently the most robust solution for controlling access to the WLAN itself. A common but far less robust method is to apply simple MAC address control lists at the AP, permitting access only by those stations on the list. Another common method is to enforce access control somewhere BEHIND the AP, at the edge of an adjacent network. For example, in most hotspots, a gateway redirects HTTP traffic sent to ports 80/443 to a web login page. After the user logs into the web portal, he can send web or any other traffic through the gateway (for example, into the Internet). Web portals can usually be linked to a back-end user database (RADIUS, LDAP) to assist in authentication. There are two essential differences between a web portal and 802.1X (or MAC ACLs):
You do not say why you can't use 802.1X with LEAP, PEAP, or EAP-TLS, but I will guess that your stations do not support 802.1X. If you were using Cisco wireless cards on your stations, you would be able to use Cisco's client software which supports 802.1X and LEAP/PEAP. If you are using other-vendor cards, on non-Windows operating systems, you may have trouble finding compatible "EAP supplicant" software. If this is your case, then a web portal can help you glue together unlike systems under one common authentication gateway.
Both 802.1X-enabled APs and web login portals can be integrated with RADIUS servers, but the RADIUS attributes used depend on the standard and the product's implementation. For example, to read about how RADIUS carries EAP (used by 802.1X), see RFC 3579.
This was first published in October 2003
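
To make the RFC 3579 reference concrete, the following added example (not part of the original answer) shows the two attributes that RFC defines for carrying EAP in RADIUS: EAP-Message (type 79), which is split across several attributes when the EAP packet exceeds 253 bytes, and Message-Authenticator (type 80), an HMAC-MD5 over the packet keyed with the shared secret. It covers Access-Request packets only; the function names and the sample packet builder are constructed for illustration.

```python
import hashlib, hmac, struct

EAP_MESSAGE = 79            # RFC 3579 section 3.1
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2

def parse_attributes(packet):
    """Return [(type, value_offset, value)] for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def eap_payload(packet):
    """Concatenate EAP-Message attributes in order to rebuild the EAP packet."""
    return b"".join(v for t, _, v in parse_attributes(packet) if t == EAP_MESSAGE)

def verify_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the 16-byte attribute value zeroed."""
    found = [(o, v) for t, o, v in parse_attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # RFC 3579: a request with EAP-Message but without it is discarded
    off, received = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())

def build_access_request(ident, authenticator, eap, secret):
    """Constructed sample: Access-Request (code 1) carrying only the EAP attributes."""
    body = b""
    for i in range(0, len(eap), 253):       # 253 bytes = largest attribute value
        chunk = eap[i:i + 253]
        body += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

A real Access-Request from an AP also carries attributes such as User-Name and NAS identification, which depend on the product; the sample builder omits them to keep the EAP handling visible.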