Wireless authentication

Dusty Doris freeradius at mail.doris.cc
Mon Sep 12 20:34:07 CEST 2005


> We have a customer oriented wireless network and we are trying to build a
> central authentication system for it, so that we can add and easily control
> customer radios from one location. What types of authentication should we be
> using? What should be avoided? Any experiences to share?

I would use a backend such as mysql or ldap.  Either would work great for 
something like this.

>
> Additionally, would we be able to route traffic to a captive page if the
> customer is placed on hold or doesn't have an account yet? I suppose that
> that's more of a MikroTik list question, but I'm just asking in case anyone knows.
>

I use the Cisco SSG/SESM solution.  The SSG is set up as the next hop for 
the customers.  It then figures out whether that IP address has been 
authorized yet.  If not, it redirects all traffic to the SESM server.

The SESM server is merely a web front-end that displays information such 
as how long you've been active, what services you are subscribed to, and 
whether or not you need to log in.  If you need to log in, it presents a 
login page for you and then sends your username/password to a radius 
server for authentication.  When you are authorized and authenticated, it 
can then redirect you back to the page you originally requested if you 
want and that IP now has an open connection to the Internet.

This solution is based on IP address, so that removes the ability to use 
APs that provide NAT.  You need to set them up as a bridge so each user 
can pull a different IP.  However, all authentication is centralized, 
which makes it easy to administer.

I've also looked at other solutions, where the AP would run NAT/PAT 
and then have its own SESM type of login page for the users that are 
connected to it.  You can configure those to talk RADIUS, so you can still 
centralize user management.  The downside of that is that you have more 
smart devices out in the field to troubleshoot and you need to punch a 
bunch of holes in your firewalls to allow radius traffic from each device.

I personally prefer a centralized system.

I know there are a lot of less expensive solutions out there as well, I'm 
sure someone on the list has other ideas.
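
A simplified model of the IP-keyed gateway described in the message above, as an added example that is not part of the original post and is not Cisco SSG/SESM code. The account table standing in for the RADIUS server, the addresses and the portal URL are constructed assumptions; the model shows why APs must bridge rather than NAT when authorization is keyed on source IP.

```python
# Simplified model of an IP-keyed captive-portal gateway (illustration only;
# not Cisco SSG/SESM code). All names and sample values are constructed.
import hmac

PORTAL_URL = "http://portal.example/login"        # hypothetical portal address
ACCOUNTS = {"alice": "s3cret", "bob": "hunter2"}  # stand-in for the RADIUS backend


def radius_authenticate(username, password):
    """Stand-in for an Access-Request sent to the central RADIUS server."""
    expected = ACCOUNTS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class Gateway:
    """Next hop for customers: forwards or redirects based on source IP only."""

    def __init__(self):
        self.sessions = {}  # source IP -> authenticated username

    def handle(self, src_ip, url):
        # Authorized addresses pass; everything else is sent to the portal.
        if src_ip in self.sessions:
            return ("FORWARD", url)
        return ("REDIRECT", PORTAL_URL)

    def login(self, src_ip, username, password, original_url):
        if not radius_authenticate(username, password):
            return ("REDIRECT", PORTAL_URL)
        self.sessions[src_ip] = username
        return ("FORWARD", original_url)  # back to the page first requested


def bridged_vs_nat():
    """Compare what the gateway sees behind a bridged AP and behind a NAT AP."""
    results = {}
    gw = Gateway()  # bridged AP: each client has its own address
    gw.login("10.0.0.11", "alice", "s3cret", "http://example.org/")
    results["bridged_other_client"] = gw.handle("10.0.0.12", "http://example.org/")[0]
    gw = Gateway()  # NAT AP: every client appears as the AP's single address
    gw.login("10.0.0.50", "alice", "s3cret", "http://example.org/")
    results["nat_other_client"] = gw.handle("10.0.0.50", "http://example.org/")[0]
    return results


if __name__ == "__main__":
    print(bridged_vs_nat())
```

In this model a second client behind the bridged AP is still redirected to the portal, while a second client behind the NAT AP is forwarded without logging in, because the gateway cannot tell the two apart.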





More information about the Freeradius-Users mailing list