Non-AD-dependent WLAN RADIUS machine authentication or similar solution

I need a non-AD-dependent WLAN RADIUS machine authentication or similar solution.

- MS 2003 R2 Std PDCs
- MS ISA 2004 Std running as an edge firewall with proxy
- D-Link DWL-8200AP access points
- MS clients (domain and non-domain members)

I have a school solution where the students bring their own laptops, and I need a WLAN validation model that includes the following:
- Not dependent on AD, since most students have XP Home or Vista Premium
- Security level equivalent to WPA-something or RADIUS
- Centralized, simple-stupid management of access rights to the WLAN
- Logging with the ability to track students' MAC and IP addresses, and preferably the ability to do rARP lookups on MAC addresses

To top that off, we also have our own laptops, which are all domain members and need to take into account the many changing users that they service. Therefore the solution should preferably be machine- and not user-dependent.

We have our own Linux RADIUS solution that we use along with HP or Cisco access points, but the mentioned DWL-8200AP has some shortcomings that make it impossible to use our regular solution: it cannot forward the MAC address when running as a RADIUS client.

Any of you guys/gals have a tested solution for this setup?

spooky-mulder (Author) commented:
We will try and make do with this Mobility Controller from Aruba Networks.

JohnGerhardt commented:
Do you have a budget to buy new kit?
We use a system from Nortel built on the 3com Trapezium.
It is not cheap but will do everything you have suggested.
If you want more info then let me know.
spooky-mulder (Author) commented:
Out-of-the-box WLAN management products usually have a problem with allowing access through the MS ISA Proxy Server. The ISA detects the extensions to the data packets from the management modules and drops them dead in their tracks. We've experienced similar problems with Zyxel and D-Link WLAN management modules. Anyway, if I have to trade in the APs I might as well buy HP APs that comply with our own RADIUS solution. So I guess what I'm looking for is a solution, perhaps a management module, that will work with the DWL-8200AP and the MS ISA Server.

spooky-mulder (Author) commented:
BTW John, thx for the speedy reply.

We front ours with an ISA server, to stop users misbehaving on the system; it works fine, although there are a good amount of rules that you have to get right!

Have a look @
from AdventNet... It will manage all of your APs for you, in one go.
Does this help, or have I misunderstood exactly what you are looking for?
spooky-mulder (Author) commented:
Thx John,
This might very well be what I'm looking for; I'll read the specs and run the demo to find out.
Any experience with this product regarding ISA; is it a transparent solution?
spooky-mulder (Author) commented:
Hi John,
Am I mistaken, or is this product dependent on some external validation device, e.g. WPA on the access point or an external RADIUS server?
If so then I'm almost back to square one. I need a validation setup that includes the monitoring.

The product from AdventNet (as far as I know; I have never used it!) will allow you to configure and monitor all of the access points, but it doesn't add any more features.
I am a little confused on exactly what you want.
spooky-mulder (Author) commented:
Perhaps I should try to explain what we usually do and what we would like to be able to replicate as closely as possible.
We have a Linux-based RADIUS server (IAS/freeradius) with a web interface on top for administration and logging.
We use the clients' MAC addresses for RADIUS validation; they are forwarded from the access points (the thing that the D-Link DWL-8200AP is not capable of). First we make a rARP lookup to validate that the MAC address hasn't been tampered with, then the MAC address is sent to the RADIUS server, which then decides whether or not the client is allowed access to the network.
We feed the allowed MAC addresses and usernames (merely for easy identification) into the RADIUS server by web interface or CSV file.
This model enables us to easily correct who should be allowed access and, more important, who should not (if they don't behave for some reason; that's what the ISA Server is for). And it doesn't mind if you're a domain member or not.
Ok, I understand now!
The product from AdventNet is a tool designed for network admins to control access points (maybe multiple vendors) in a sort of batch mode. I.e. you can say that you want all of the 50 access points to use RADIUS authentication (if the AP is capable of it) and that they should transmit an SSID of "FOO", etc.

The Nortel product will do what you want, and very elegantly. All of the APs (unfortunately, though, they are Nortel-branded APs) are totally dumb, meaning they boot up and then download their config from the local Security Switch.
You centrally manage the Security Switch, and can apply SSIDs, authentication types, etc. to any groups of access points.

Across the whole enterprise you transmit your corporate SSID with RADIUS authentication.
You could transmit a clear SSID with no authentication that allows access only to the internet for users in the cafeteria area.
In the CEO's office (the access points can be tuned so as to stick to walls; works in theory, not always in practice!) you transmit an extra SSID for him allowing access for his BlackBerry using straight MAC address authentication, so he can access the internet nice and quick!

The software allows you total monitoring of the installation. The thing that this system does very well is roaming, or as they call it a "mobility domain": with a laptop you can easily walk around and the Security Switch will make sure that you keep access to everything that you are meant to have access to. I have seen installations with just random access points scattered across the place with the same SSID in the hope of achieving this. Suffice to say that it doesn't happen as smoothly as I would like!

I have a number of domain laptops that use the wireless with simple MAC address auth on a hidden SSID. I can walk between buildings with a webcam of my office and it doesn't drop once!

It is however a hefty investment, and there are other companies that do the same sort of thing. All I can say is that wireless was the bane of our lives before we installed this! Now we have complete control over everything and can easily expand to accommodate any of the management's new ideas!

Yawn! GMT+1 here, so getting late; post any comments when you get a mo.
I hope I have helped!
Darr247 commented:
Depending on which version you have...

In AP Manager (for hardware version A) you should be able to specify a syslog server on the Log tab, then parse that log output as it's sent, for the MAC address of the client.

In AP Manager II (for hardware version B), there should be an option to enable accounting with WPA/WPA2 Enterprise security, and though there's no explanation of that option in the AP Manager II manual (at least the one they have available for download; possibly there is in the manual on CD), for accounting there has to be SOME way in that to uniquely identify the client.

There's also a MAC-based ACL in both of those, but I see no way to import such a list into either version, and I'm sure you don't want to type them all in manually (then manually add more every time someone brings a new laptop to school or changes their wireless card)... plus, that would not automatically let domain members through (without also adding their MAC addresses to the list too).
spooky-mulder (Author) commented:
We have a similar solution based on HP ProCurve Intelligent Edge. But again it demands that you buy new APs for the entire campus, and this school has a big bunch of those.
We have experimented with the AP Manager, but as far as I know it only gives me the ability to manage the APs, much like the Wi-Fi management John suggested, and is not in itself a validation device. Unfortunately there is some divergence between the EMEA and the US version of the DWL-8200AP, hence AP Manager II, which has immensely more features, is not yet released in EMEA, and the US version won't detect the APs properly. At least that's what I've experienced.

And you cannot parse the syslog output?
spooky-mulder (Author) commented:
I can parse the syslog all right; I already use that in combination with Kiwi Syslog to monitor the health of all the network components. So I'm able to monitor the MAC and IP, sort of, but the information level is massive and not very user-friendly since it contains so much more...
Furthermore the main problem still remains: how to validate the various (non-)domain member clients in an easy way combined with the monitoring util.
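Darr247's syslog suggestion and the author's CSV MAC allow-list combined, as an added Python example that is not code from the thread: it filters constructed, Kiwi-style AP syslog lines down to client association events, normalizes the MAC spellings, records the MAC-to-IP mapping, and flags any MAC that is not on the allow-list. The log message wording and all MACs, hostnames and IPs are constructed for illustration; a real AP's syslog format will differ, so the regular expression is the part to adapt.

```python
import csv
import io
import re

# Constructed allow-list in the (mac, username) CSV shape the thread feeds into RADIUS.
ALLOWLIST_CSV = """mac,username
00-11-22-33-44-55,jdoe
AA:BB:CC:DD:EE:FF,asmith
"""

# Constructed syslog capture; message wording is illustrative, not D-Link's real format.
SYSLOG = """\
2008-03-04 08:12:01 ap-lib1 wlan: STA 00:11:22:33:44:55 associated, ip 10.1.5.23
2008-03-04 08:12:05 ap-lib1 system: CPU utilisation 12%
2008-03-04 08:13:40 ap-gym2 wlan: STA 66:77:88:99:AA:BB associated, ip 10.1.7.9
2008-03-04 08:14:02 ap-lib1 wlan: STA 00:11:22:33:44:55 disassociated
"""

# Only association events carry both the client MAC and the IP it received.
ASSOC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ap>\S+) wlan: STA (?P<mac>[0-9A-Fa-f:-]{17}) "
    r"associated, ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so list and log spellings compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_allowlist(text: str) -> dict:
    """Map normalized MAC -> username from the CSV allow-list."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_mac(r["mac"]): r["username"] for r in rows}

def associations(log: str, allowlist: dict) -> list:
    """(timestamp, ap, mac, ip, username or None) for every association event."""
    out = []
    for line in log.splitlines():
        m = ASSOC_RE.match(line)
        if m:  # health and other noise lines are dropped here
            mac = normalize_mac(m["mac"])
            out.append((m["ts"], m["ap"], mac, m["ip"], allowlist.get(mac)))
    return out

def unknown_clients(log: str, allowlist: dict) -> list:
    """MACs that associated but are not on the allow-list: the ones to look at."""
    return sorted({a[2] for a in associations(log, allowlist) if a[4] is None})
```

Feeding the real Kiwi capture in place of SYSLOG gives the per-client MAC/IP view the author wanted without the health noise, and the unknown list is the hand-off to the RADIUS allow-list maintenance.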
spooky-mulder (Author) commented:
Do you know if one could use some kind of AD user validation for WLAN access from clients that are not members of the AD? And if that could be done without certificates? That would probably solve some of the issues.