Wireless Captive Portals

Page 1: Wireless Captive Portals

Access Control

Wireless LAN

Wireless LAN

• Provide a wireless network across your campus that has the following characteristics:

– Authentication – only your users are allowed on

– Roaming – users can start up in one section of your network, then move to another location

– Easy to deploy and manage

Simple Campus wide wireless solution

[diagram; only the label "Border" survives]

Authentication Gateway (aka Captive Portal)

• Lightweight

– Hotspot (wireless)

– Small wired LAN (/24)

• Campus Wide CP (wireless + wired)

– Has to be custom built

A Wireless Captive Portal

Commercial Solutions

• Aruba

– http://www.arubanetworks.com

• Cisco Wireless LAN Controllers

– http://www.cisco.com/en/US/products/hw/wireless/

• Bradford Networks

– http://www.bradfordnetworks.com/

• Cisco NAC Appliance (Clean Access)

– http://www.cisco.com/en/US/products/ps6128/

• Enterasys

– http://www.enterasys.com

• Mikrotik

– http://www.mikrotik.com/

Open Source Solutions

• CoovaChilli (morphed from Chillispot)

– http://coova.org/wiki/index.php/CoovaChilli

– Uses RADIUS for access and accounting.

– CoovaAP: OpenWrt-based firmware.

Open Source Solutions

• WiFi Dog

– http://dev.wifidog.org/

• Sweetspot

– http://sweetspot.sourceforge.net/

• Captivator-gw

– http://net.doit.wisc.edu/~dwcarder/captivator/

• Paper: Koht-Arsa, K., “Architectural design for large-scale campus-wide captive portal”

Open Source Solutions cont.

• m0n0wall

– http://m0n0.ch/wall/

– Embedded firewall appliance solution built on FreeBSD.

– Entire configuration is stored in an XML file.

– Sample Captive Portal Configuration Screen: http://m0n0.ch/wall/images/screens/services_captiveportal.png

– Supported on low-end PC hardware, such as Soekris and ALIX platforms.

Open Source Solutions cont.

• pfSense (forked from m0n0wall)

– http://pfsense.org/

– Can be installed on higher-end PC hardware.

– RADIUS authentication.

– RADIUS accounting.

– Limits the number of connections to the portal itself per client IP.

Open Source Solutions cont.

• Zeroshell

– http://www.zeroshell.net/eng/

– Has protection against spoofed IP/MAC addresses

– Can protect the CP against client DoS attacks

– Supports SSO (Shibboleth, SAML 2.0)

– Limits access based on RADIUS accounting

Network Access Control (NAC)

• Netreg

– Automated network registration system

– Uses DHCP to register each client's hardware (MAC) address before it can gain full network access.

– If registered, the client receives fully functional TCP/IP information.

– If not, it receives bogus TCP/IP information with limited access to the internet.

– Caveat: some clients may learn your real network configuration anyway.

– Check: look at your switches'/router's bridge and/or IP ARP tables and compare them to NetReg's registered hardware (MAC) addresses.

– Mitigation: use the managed-switch feature that binds a port to a DHCP lease.
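
The comparison check described above (switch/router ARP table against NetReg's registered MAC addresses), as an added example that is not NetReg's own code: it parses constructed Cisco-style "show ip arp" output, assumes a constructed registry dict standing in for NetReg's MAC list, and goes a little beyond the slide by also flagging a registered MAC that answers on more than one interface.

```python
"""Audit a switch/router ARP table against NetReg's registered MAC addresses.
Added example (not NetReg's code); the ARP text and registry are constructed."""
import re
from collections import defaultdict

# Constructed sample in Cisco 'show ip arp' style, not captured from a real device.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.11             3   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.12             7   0011.2233.4466  ARPA   Vlan20
Internet  10.1.20.13             0   00aa.bbcc.ddee  ARPA   Vlan20
Internet  10.1.30.5              1   0011.2233.4455  ARPA   Vlan30
"""
# Constructed stand-in for NetReg's registered hardware (MAC) address list.
REGISTERED = {"00:11:22:33:44:55": "alice", "00:11:22:33:44:66": "bob"}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)", re.I)

def normalize_mac(mac):
    """Map dotted, dashed or colon MAC spellings to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Yield (ip, mac, interface) per ARP entry; header and other lines are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m["ip"], normalize_mac(m["mac"]), m["iface"]

def audit(arp_text, registered):
    """Return (unregistered MACs -> IP, registered MACs -> interfaces when seen on >1).
    The second dict flags a registered address answering on several interfaces,
    which deserves a look (a cloned MAC, or a host legitimately on two VLANs)."""
    seen = defaultdict(set)
    unregistered = {}
    for ip, mac, iface in parse_arp(arp_text):
        seen[mac].add(iface)
        if mac not in registered:
            unregistered[mac] = ip
    multi = {mac: sorted(ifs) for mac, ifs in seen.items()
             if mac in registered and len(ifs) > 1}
    return unregistered, multi
```

Feed it the real ARP dump and an export of NetReg's registrations; an entry in the first dict is a host on the network without a registration, which is exactly what the bogus-configuration approach can miss.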

Network Access Control (NAC) cont.

• Packetfence

– Automated network registration system

– Uses managed switches to assign users to the correct VLAN

– Uses 802.1X to authenticate users

– Scales to large networks

– Your campus must operate entirely on managed switches.

Enterprise Identity Management

• Processes and Documentation of users.

– Now you must deal with this.

– What to use as the back-end user store?

• LDAP

• Active Directory

• Kerberos

• Other?

– Will this play nice with future use?

• email, student/staff information, resource access, ...

What to Do?

• Review the options presented here, both commercial and Open Source.

• Review the associated projects to understand how this all ties together.

• Devise a plan for your user identities, their storage and the processes around them.

• For sites under 3-4,000 users you might consider pfSense, m0n0wall or Zeroshell.

Questions?