Wireless Captive Portals
Access Control
Wireless LAN
• Provide a wireless network across your campus that has the following characteristics:
– Authentication – only allow your users
– Roaming – allow users to start in one section of your network, then move to another location
– Easy to deploy and manage
Simple campus-wide wireless solution
(Diagram: Border – Authentication Gateway (aka Captive Portal))
• Lightweight
– Hotspot (wireless)
– Small wired LAN (/24)
• Campus-wide CP (wireless + wired)
– Has to be custom built
A Wireless Captive Portal
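To make the role of the authentication gateway concrete, here is an added example (not code from the presentation or from any of the products it lists) of the policy such a gateway enforces. Sessions are keyed by client MAC, which is what lets a user roam between access points behind the same gateway without logging in again; the gateway address, portal URL and timeouts are constructed values for the example. The final method renders the same policy as Linux netfilter rules, which is roughly how the firewall-based portals on the following slides implement it; the strings are only returned, not applied.

```python
import time
from dataclasses import dataclass

# Constructed for this example: the gateway's own address and the portal login page.
GATEWAY_IP = "10.10.0.1"
PORTAL_URL = "https://portal.example.edu/login"

ALLOW, REDIRECT, DROP = "ALLOW", "REDIRECT", "DROP"


@dataclass
class Session:
    user: str
    started: float
    last_seen: float


class CaptiveGateway:
    """Minimal authentication-gateway policy keyed by client MAC address."""

    def __init__(self, idle_timeout=600, max_session=8 * 3600):
        self.idle_timeout = idle_timeout      # seconds without traffic before re-login
        self.max_session = max_session        # hard cap on a session's lifetime
        self.sessions = {}                    # mac -> Session

    def authenticate(self, mac, user, now):
        # Called once the portal has verified credentials (for example via RADIUS).
        self.sessions[mac.lower()] = Session(user, now, now)

    def _active(self, mac, now):
        s = self.sessions.get(mac)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.started > self.max_session:
            del self.sessions[mac]            # expired: next packet hits the portal again
            return None
        return s

    def decide(self, mac, dst_ip, dst_port, proto, now):
        mac = mac.lower()
        # Bootstrapping traffic to the gateway itself is always allowed, so an
        # unauthenticated client can get an address, resolve names and reach the portal.
        if dst_ip == GATEWAY_IP and (proto, dst_port) in {("udp", 53), ("udp", 67), ("tcp", 443)}:
            return ALLOW
        s = self._active(mac, now)
        if s is not None:
            s.last_seen = now                 # traffic keeps the session alive
            return ALLOW
        # Unauthenticated: only plain HTTP is captured and sent to the portal;
        # everything else is dropped so the client cannot tunnel around the login.
        if proto == "tcp" and dst_port == 80:
            return REDIRECT
        return DROP

    def iptables_rules(self):
        """Render the policy as netfilter rules (returned as strings, never executed)."""
        rules = []
        for mac in self.sessions:
            # Authenticated clients skip the DNAT and are forwarded normally.
            rules.append(f"iptables -t nat -A PREROUTING -m mac --mac-source {mac} -j ACCEPT")
            rules.append(f"iptables -A FORWARD -m mac --mac-source {mac} -j ACCEPT")
        rules.append(f"iptables -t nat -A PREROUTING -p tcp --dport 80 "
                     f"-j DNAT --to-destination {GATEWAY_IP}:443")
        rules.append("iptables -A FORWARD -j DROP")
        return rules


if __name__ == "__main__":
    gw = CaptiveGateway()
    now = time.time()
    print(gw.decide("aa:bb:cc:dd:ee:01", "93.184.216.34", 80, "tcp", now))   # REDIRECT
    gw.authenticate("aa:bb:cc:dd:ee:01", "alice", now)
    print(gw.decide("aa:bb:cc:dd:ee:01", "93.184.216.34", 443, "tcp", now))  # ALLOW
    print("\n".join(gw.iptables_rules()))
```

The order of the rendered rules matters: the per-MAC ACCEPT rules must precede the catch-all DNAT and DROP, which is also why a real portal rewrites its rule set whenever a session is created or expires.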
Commercial Solutions
• Aruba
– http://www.arubanetworks.com
• Cisco Wireless LAN Controllers
– http://www.cisco.com/en/US/products/hw/wireless/
• Bradford Networks
– http://www.bradfordnetworks.com/
• Cisco NAC Appliance (Clean Access)
– http://www.cisco.com/en/US/products/ps6128/
• Enterasys
– http://www.enterasys.com
• Mikrotik
– http://www.mikrotik.com/
Open Source Solutions
• CoovaChilli (morphed from Chillispot)
– http://coova.org/wiki/index.php/CoovaChilli
– Uses RADIUS for access and accounting.
– CoovaAP: OpenWrt-based firmware.
• WiFi Dog
– http://dev.wifidog.org/
• Sweetspot
– http://sweetspot.sourceforge.net/
• Captivator-gw
– http://net.doit.wisc.edu/~dwcarder/captivator/
• Paper, Koht-Arsa, K. “Architectural design for large-scale campus-wide captive portal”
Open Source Solutions cont.
• m0n0wall
– http://m0n0.ch/wall/
– Embedded firewall appliance solution built on FreeBSD.
– Entire configuration is stored in an XML file.
– Sample Captive Portal configuration screen:
http://m0n0.ch/wall/images/screens/services_captiveportal.png
– Supported on low-end PC hardware, such as Soekris and ALIX platforms.
Open Source Solutions cont.
• pfSense (forked from m0n0wall)
– http://pfsense.org/
– Can be installed on higher-end PC hardware.
– RADIUS authentication.
– RADIUS accounting.
– Limit the number of connections to the portal itself per client IP.
• Zeroshell
– http://www.zeroshell.net/eng/
– Has protection against spoofed IP/MAC addresses
– Can protect the CP against client DoS attacks
– Supports SSO (Shibboleth SAML 2.0)
– Limits access based on RADIUS accounting
Network Access Control (NAC)
• Netreg
– Automated network registration system
– Uses DHCP to register a client's hardware (MAC) address before it can gain full network access.
– If registered, the client receives fully functional TCP/IP information
– If not, it receives bogus TCP/IP information with limited access to the Internet
– Some clients may learn about your network configuration
– Look at your switches'/routers' bridge and/or IP ARP tables and compare them to NetReg's registered hardware (MAC) addresses
– Use a managed-switch feature that binds the port to the DHCP lease.
• Packetfence
– Automated network registration system
– Uses managed switches to assign users to the correct VLAN
– Uses 802.1X to authenticate users
– Scales to large networks
– Your campus must operate entirely on managed switches.
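The NetReg check described above (compare the router's ARP table with the registered MAC list) as an added example; this is not NetReg's own code and the ARP dump and registration list are constructed sample data in the format of Cisco IOS "show ip arp" output. Beyond flagging unregistered addresses, it also reports a registered MAC that appears on more than one IP, which is worth a look because a client that has learned the real network configuration can bypass registration by cloning an address that is already registered.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Cisco IOS "show ip arp" (not real data).
ARP_DUMP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.1               -   0011.2233.4455  ARPA   Vlan20
Internet  10.20.1.50             12   0016.3e12.ab01  ARPA   Vlan20
Internet  10.20.1.51              3   0016.3e12.ab02  ARPA   Vlan20
Internet  10.20.1.52              7   0016.3e12.ab01  ARPA   Vlan20
Internet  10.20.1.77              1   f4ce.4600.beef  ARPA   Vlan20
"""

# Constructed stand-in for a NetReg registration export: MAC -> owner.
REGISTERED = {
    "00:16:3e:12:ab:01": "alice",
    "00:16:3e:12:ab:02": "bob",
}
# The router's own address, excluded from the audit (constructed).
INFRASTRUCTURE_MACS = {"00:11:22:33:44:55"}

CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def normalize_mac(mac):
    """Accept Cisco dotted, colon or hyphen notation; return lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Yield (ip, normalized_mac) for each 'Internet' entry; skips the header line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet" and CISCO_MAC.match(fields[3].lower()):
            entries.append((fields[1], normalize_mac(fields[3])))
    return entries


def audit(arp_text, registered, infra_macs):
    """Compare the ARP table with the registration list.

    Returns {"unregistered": [(ip, mac), ...],
             "duplicates": {mac: [ip, ...]}}  (registered MACs seen on several IPs)."""
    registered = {normalize_mac(m) for m in registered}
    infra_macs = {normalize_mac(m) for m in infra_macs}
    seen = defaultdict(list)
    unregistered = []
    for ip, mac in parse_arp(arp_text):
        if mac in infra_macs:
            continue
        seen[mac].append(ip)
        if mac not in registered:
            unregistered.append((ip, mac))
    duplicates = {mac: ips for mac, ips in seen.items() if mac in registered and len(ips) > 1}
    return {"unregistered": unregistered, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit(ARP_DUMP, REGISTERED, INFRASTRUCTURE_MACS)
    for ip, mac in report["unregistered"]:
        print(f"UNREGISTERED {mac} at {ip}")
    for mac, ips in report["duplicates"].items():
        print(f"REGISTERED MAC {mac} ({REGISTERED[mac]}) seen on {', '.join(ips)}")
```

A duplicate can also be an ordinary lease change that has not aged out of the ARP cache yet, so treat that part of the report as a review queue rather than an alarm; an unregistered MAC with a working address, on the other hand, means the DHCP-based control has been bypassed.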
Enterprise Identity Management
• Processes and documentation of users.
– Now you must deal with this.
– What to use as the back-end user store?
• LDAP
• Active Directory
• Kerberos
• Other?
– Will this play nicely with future uses?
• email, student/staff information, resource access, ...
What to Do?
• Review the options presented here, both commercial and Open Source.
• Review the associated projects to understand how this all ties together.
• Devise a plan for your user identities, their storage and the processes around them.
• For sites under 3-4,000 users you might consider pfSense, m0n0wall or Zeroshell.
Questions?