Wireless Captive Portals

Access Control
Wireless LAN

Wireless LAN
• Provide a wireless network across your campus that has the following characteristics:
– Authentication – only allow your users
– Roaming – allow users to start up in one section of your network, then move to another location
– Easy to deploy and manage

Simple campus-wide wireless solution (diagram; only the label “Border” survives extraction)

Authentication Gateway (aka Captive Portal)
• Lightweight
– Hotspot (wireless)
– Small wired LAN (/24)
• Campus-wide CP (wireless + wired)
– Has to be custom built

A Wireless Captive Portal (diagram)

Commercial Solutions
• Aruba
– http://www.arubanetworks.com
• Cisco Wireless LAN Controllers
– http://www.cisco.com/en/US/products/hw/wireless/
• Bradford Networks
– http://www.bradfordnetworks.com/
• Cisco NAC Appliance (Clean Access)
– http://www.cisco.com/en/US/products/ps6128/
• Enterasys
– http://www.enterasys.com
• Mikrotik
– http://www.mikrotik.com/
Open Source Solutions
• CoovaChilli (morphed from Chillispot)
– http://coova.org/wiki/index.php/CoovaChilli
– Uses RADIUS for access and accounting.
– CoovaAP openWRT-based firmware.

Open Source Solutions
• WiFi Dog
– http://dev.wifidog.org/
• Sweetspot
– http://sweetspot.sourceforge.net/
• Captivator-gw
– http://net.doit.wisc.edu/~dwcarder/captivator/
• Paper: Koht-Arsa, K. “Architectural design for large-scale campus-wide captive portal”
Open Source Solutions cont.
• m0n0wall
– http://m0n0.ch/wall/
– Embedded firewall appliance solution built on FreeBSD.
– Entire configuration is stored in an XML file.
– Sample Captive Portal configuration screen: http://m0n0.ch/wall/images/screens/services_captiveportal.png
– Supported on low-end PC hardware, such as Soekris and ALIX platforms.
Open Source Solutions cont.
• Pfsense (forked from m0n0wall)
– http://pfsense.org/
– Can be installed on higher end PC hardware.
– RADIUS authentication.
– RADIUS accounting.
– Limit the number of connections to the portal itself per client IP.

Open Source Solutions cont.
• Zeroshell
– http://www.zeroshell.net/eng/
– Has protection against spoofed IP/MAC addresses
– Can protect the CP against client DoS attacks
– Supports SSO (Shibboleth SAML 2.0)
– Limits access based on RADIUS accounting
Network Access Control (NAC)
• Netreg
– Automated network registration system
– Uses DHCP to register a client's hardware (MAC) address before it can gain full network access.
– If registered, the client receives fully functional TCP/IP information
– If not, it receives bogus TCP/IP information with limited access to the Internet
– Some clients may learn about your network configuration
– Look at your switches'/router's bridge and/or IP ARP tables and compare them to NetReg's registered hardware (MAC) addresses

Network Access Control (NAC) cont.
– Use a managed-switch feature that binds the port to the DHCP lease.
• Packetfence
– Automated network registration system
– Uses managed switches to assign users to the correct VLAN
– Uses 802.1X to authenticate users
– Scales to large networks
– Your campus must operate entirely with managed switches.
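The NetReg check above (compare the router's ARP table against the registered hardware addresses to catch clients that learned the real network configuration) worked through as an added example; this is not NetReg's own code nor from the deck, and both the `show ip arp`-style table and the registration export are constructed sample data.

```python
"""Added example: flag MAC addresses active in a router ARP table that are
absent from the registration database. Sample inputs are constructed."""
import re

# Constructed sample: Cisco-style `show ip arp` lines (protocol, IP, age, MAC, type, interface)
ARP_TABLE = """\
Internet  10.1.20.11   5   0011.2233.4455     ARPA  Vlan20
Internet  10.1.20.12   2   00aa.bbcc.ddee     ARPA  Vlan20
Internet  10.1.20.13  12   00-DE-AD-BE-EF-01  ARPA  Vlan20
Internet  10.1.20.14   0   Incomplete         ARPA  Vlan20
"""

# Constructed sample: NetReg-style registration export (MAC, owner)
REGISTERED = """\
00:11:22:33:44:55,alice
00:AA:BB:CC:DD:EE,bob
"""

# Accepts dotted-quad (0011.2233.4455), colon and hyphen notations
MAC_RE = re.compile(
    r'\b([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}'
    r'|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b')


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form, whatever the input notation."""
    digits = re.sub(r'[^0-9A-Fa-f]', '', mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return {mac: ip} for complete ARP entries; 'Incomplete' rows carry no MAC."""
    seen = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            seen[normalize_mac(m.group(1))] = line.split()[1]
    return seen


def parse_registered(text):
    """Return {mac: owner} from the comma-separated registration export."""
    rows = (l.split(',', 1) for l in text.splitlines() if l.strip())
    return {normalize_mac(mac): owner.strip() for mac, owner in rows}


def find_unregistered(arp_text, reg_text):
    """(mac, ip) pairs seen on the network but missing from the registration DB."""
    seen, reg = parse_arp_table(arp_text), parse_registered(reg_text)
    return sorted((mac, ip) for mac, ip in seen.items() if mac not in reg)


if __name__ == '__main__':
    for mac, ip in find_unregistered(ARP_TABLE, REGISTERED):
        print("unregistered client %s at %s" % (mac, ip))
```

Run against a real export, the same comparison on the switches' bridge (MAC) tables also gives the port each unregistered station is on.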
Enterprise Identity Management
• Processes and Documentation of users.
– Now you must deal with this.
– What to use as the back-end user store?
• LDAP
• Active Directory
• Kerberos
• Other?
– Will this play nice with future use?
• email, student/staff information, resource access, ...
What to Do?
• Review the options presented here, both commercial and Open Source.
• Review the associated projects to understand how this all ties together.
• Devise a plan for your user identities, their storage and the processes around them.
• For sites under 3-4,000 users you might consider pfsense, m0n0wall or Zeroshell.
Questions?