Solved

non AD dependent WLAN RADIUS machine authentication or similar solution

Posted on 2008-10-08
Last Modified: 2013-11-12
I need a non AD dependent WLAN RADIUS machine authentication or similar solution

Setup
• MS 2003 R2 Std PDCs
• MS ISA 2004 Std running as an Edge Firewall with Proxy
• D-link DWL-8200AP access points
• MS Clients (domain and non-domain members)

I have a school solution where the students bring their own laptops and I need a WLAN validation model that will include the following
• Not dependent on AD, since most students have XP Home or Vista Premium
• Security level equivalent of WPA-something or RADIUS
• Centralized Simple-Stupid management of access rights to the WLAN
• Log with the ability to track students' MAC and IP addresses and preferably the ability to do rARP lookups on MAC address

To top that off, we also have our own laptops, which are all domain members and need to take into account the many changing users that they service. Therefore the solution should preferably be machine- and not user-dependent.

We have our own Linux RADIUS solution that we use along with HP or Cisco Access Points, but the mentioned dwl-8200ap has some shortcomings that make it impossible to use our regular solution. They cannot forward the MAC address when running as RADIUS clients.

Any of you guys/gals have a tested solution for this setup?
Question by:spooky-mulder
15 Comments
Assisted Solution

by:JohnGerhardt
JohnGerhardt earned 250 total points
Have you a budget to buy new kit..
We use a system from Nortel built on the 3com Trapezium..
Try http://www2.nortel.com/go/product_content.jsp?parId=0&segId=0&catId=-9227&prod_id=52544&locale=en-us
It is not cheap but will do everything you have suggested...
If you want more info then let me know...
Author Comment

by:spooky-mulder
Out-of-the-box WLAN mng. products usually have a problem with allowing access through the MS ISA Proxy Server. The ISA detects the extensions to the data packages from the mng. modules and drops them dead in their tracks. We've experienced similar problems with Zyxel and D-link WLAN mng. modules. Anyways, if I have to trade in the APs I might as well buy HP APs that comply with our own RADIUS solution. So I guess what I'm looking for is a solution, perhaps a management module, that will work with the dwl-8200ap and the MS ISA Server
Author Comment

by:spooky-mulder
BTW John, thx for the speedy reply
Expert Comment

by:JohnGerhardt
We front ours with an ISA server.. to stop users misbehaving on the system; it works fine, although there are a good amount of rules that you have to get right!

have a look @ http://manageengine.adventnet.com/products/wifi-manager/index.html
from adventnet... It will manage all of your APs for you... in one go..
Does this help or have I misunderstood exactly what you are looking for...?
!
Author Comment

by:spooky-mulder
Thx John,
This might very well be what I'm looking for; I'll read the specs and run the demo to find out.
Any experience with this product regarding ISA, is it a transparent solution?
Author Comment

by:spooky-mulder
Hi John,
Am I mistaken, or is this product dependent on some external validation device, e.g. WPA on the Access Point or an external RADIUS Server?
If so then I'm almost back to square one. I need a validation setup that includes the monitoring.
Expert Comment

by:JohnGerhardt
The product from adventnet (as far as I know, I have never used it...!) will allow you to configure and monitor all of the access points but it doesn't add any more features..
I am a little confused on exactly what you want..
Author Comment

by:spooky-mulder
Perhaps I should try to explain what we usually do and what we would like to be able to replicate as closely as possible.
We have a Linux-based RADIUS Server IAS freeradius with a web interface on top for administration and logging.
We use the clients' MAC address for RADIUS validation; they are forwarded from the Access Points (the thing that the D-link dwl-8200ap is not capable of). First we make a rARP lookup to validate that the MAC address hasn't been tampered with, then the MAC address is sent to the RADIUS Server, which then decides whether or not the client is allowed access to the network.
We feed the allowed MAC addresses and usernames (merely for easy identification) into the RADIUS Server by web interface or csv file.
This model enables us to easily correct who should be allowed access and, more importantly, who should not (if they don't behave for some reason; that's what the ISA Server is for). And it doesn't mind if you're a domain member or not.
Expert Comment

by:JohnGerhardt
Ok, I understand now...!
The product from Adventnet is a tool designed for network admins to control access points (maybe multiple vendors) in a sort of batch mode.. IE you can say that you want all of the 50 Access points to use RADIUS authentication (if the AP is capable of it) and that they should transmit an SSID of "FOO" etc.

The Nortel product will do what you want and very elegantly.... All of the APs (unfortunately though they are Nortel branded APs) are totally dumb, meaning they boot up and then they download their config from the local Security Switch..
You centrally manage the Security switch, and can apply SSIDs, Authentication types, etc to any groups of access points..

EG
Across the whole enterprise you transmit your corporate SSID with RADIUS authentication.
You could transmit a clear SSID with no authentication that allows access only to the internet for users in the cafeteria area.
In the CEO's office (the access points can be tuned so as to stick to walls (works in theory, not always in practice!)) you transmit an extra SSID for him allowing
access for his Blackberry using straight MAC address authentication so he can access the internet nice and quick..!

The software allows you total monitoring of the installation; the thing that this system does very well is roaming. Or as they call it a "mobility domain".. with a laptop you can easily walk around and the Security switch will make sure that you keep access to everything that you are meant to have access to. I have seen installations with just random access points scattered across the place with the same SSID in the idea to achieve this.. Suffice to say that it doesn't happen as smoothly as I would like...!

I have a number of domain laptops that use the wireless with simple MAC address auth on a hidden SSID. I can walk between buildings with a webcam of my office and it doesn't drop once...!

It is however a hefty investment.. and there are other companies that do the same sort of thing... All I can say is that wireless was the bane of our lives before we installed this..! Now we have complete control over everything and can easily expand to accommodate any of the management's new ideas...!

yawn..! GMT + 1 here so getting late, post any comments when you get a mo..
I hope I have helped..!
Assisted Solution

by:Darr247
Darr247 earned 250 total points
Depending on which version you have...
(http://support.dlink.com/products/revision.asp?productId=DWL-8200AP)

in AP Manager (for hardware version A) you should be able to specify a syslog server on the Log tab, then parse that log output as it's sent, for the MAC address of the client.

in AP Manager II (for hardware version B), there should be an option to enable accounting with WPA/WPA2 Enterprise security, and though there's no explanation of that option in the AP Manager II's manual (at least the one they have available for download; possibly there is in the manual on CD), for accounting there has to be SOME way in that to uniquely identify the client.

There's also a MAC-based ACL in both of those, but I see no way to import such a list into either version, and I'm sure you don't want to type them all in manually (then manually add more every time someone brings a new laptop to school or changes their wireless card)... plus, that would not automatically let domain members through (without also adding their MAC addresses to the list too).
Author Comment

by:spooky-mulder
John,
We have a similar solution based on HP ProCurve Intelligent Edge. But again it demands that you buy new APs for the entire campus, and this school has a big bunch of those.
Darr
We have experimented with the AP mng., but as far as I know it only gives me the ability to manage the APs, much like the WIFI mng. John suggested, and is not in itself a validation device. Unfortunately there is some divergence between the EMEA and the US version of the dwl-8200ap, hence the AP mng. II, which has immensely more features, is not yet released in EMEA and the US version won't detect the APs properly. At least that's what I've experienced.
Expert Comment

by:Darr247
And you cannot parse the syslog output?
Author Comment

by:spooky-mulder
I can parse the syslog all right; I already use that in combination with Kiwi Syslog to monitor the health of all the network components. So I'm able to monitor the mac and ip - sort of - but the information level is massive and not very user friendly since it contains so much more...
Furthermore the main problem still remains, how to validate the various (non)domain member clients in an easy way combined with the monitoring util.
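As an added example (not code from this thread, nor from freeradius, Kiwi Syslog or any D-Link product), the two-step model spooky-mulder describes above, applied to the syslog stream Darr247 suggests parsing: association lines are checked first against an ARP snapshot (standing in for the rARP lookup) and then against a CSV allow-list of MAC plus name, producing one audit row per client. The syslog line layout, the ARP table and every address below are constructed assumptions, because the DWL-8200AP's real log format does not appear in the thread.

```python
import csv
import io
import re

# Constructed allow-list in the CSV shape the question describes (MAC + a name
# used only for identification); both MAC spellings are accepted. Not real data.
ALLOWLIST_CSV = "mac,name\n00:11:22:33:44:55,student-a\n00-11-22-33-44-66,staff-laptop-1\n"

# Constructed syslog lines; the real DWL-8200AP message layout is not on the
# page, so ASSOC_RE is an assumption to adjust to the actual format.
SYSLOG_LINES = [
    "Oct  8 10:01:02 ap-lib1 wlan: STA 00:11:22:33:44:55 associated, ip 10.10.5.21",
    "Oct  8 10:01:09 ap-lib1 wlan: STA 00:11:22:33:44:77 associated, ip 10.10.5.22",
    "Oct  8 10:01:15 ap-lib1 wlan: STA 00:11:22:33:44:66 associated, ip 10.10.5.23",
    "Oct  8 10:01:20 ap-lib1 sysinfo: cpu load 3%",
]

# Constructed ARP snapshot standing in for the question's rARP lookup: the MAC
# the wired side actually sees for each IP (10.10.5.23 disagrees with the AP).
ARP_TABLE = {"10.10.5.21": "00:11:22:33:44:55", "10.10.5.22": "00:11:22:33:44:77",
             "10.10.5.23": "00:11:22:33:44:99"}

ASSOC_RE = re.compile(r"STA ([0-9a-f:]{17}) associated, ip (\d+\.\d+\.\d+\.\d+)", re.I)

def norm_mac(mac):
    return mac.strip().lower().replace("-", ":")

def load_allowlist(text):  # -> {mac: name}
    return {norm_mac(r["mac"]): r["name"].strip() for r in csv.DictReader(io.StringIO(text))}

def parse_associations(lines):
    # (mac, ip) for every association line; unrelated syslog noise is skipped
    for line in lines:
        m = ASSOC_RE.search(line)
        if m:
            yield norm_mac(m.group(1)), m.group(2)

def decide(mac, ip, allowlist, arp_table):
    # Two-step check from the question: MAC/IP consistency first, then allow-list
    if arp_table.get(ip) != mac:
        return "REJECT", "mac/ip mismatch"
    if mac not in allowlist:
        return "REJECT", "unknown mac"
    return "ACCEPT", allowlist[mac]

def audit(lines, allowlist_csv, arp_table):
    # One row per association: (mac, ip, verdict, reason or name) for the log view
    allowlist = load_allowlist(allowlist_csv)
    return [(mac, ip) + decide(mac, ip, allowlist, arp_table)
            for mac, ip in parse_associations(lines)]
```

The same allow-list CSV could be the file fed to the RADIUS server's web interface, so the audit rows and the RADIUS decisions are driven by one list.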
Author Comment

by:spooky-mulder
Do you know if one could use some kind of AD user validation for WLAN access from clients that are not members of the AD? And if that could be done without certificates? That would probably solve some of the issues.
Accepted Solution

by:
spooky-mulder earned 0 total points
We will try and make do with this Mobility Controller from Aruba Networks.
http://www.arubanetworks.com/products/mobility-controllers/aruba-800.php