tedz (Germany) asked:

Programmatically answering MS IAS RADIUS server requests from WLAN - how?

Using IAS (Internet Authentication Service), I am setting up a RADIUS server that will authenticate WLAN clients.
My question is: Is my concept doable, and how exactly would I have to interface with IAS?

Concept of operation:
WLAN clients are going to connect to an Access Point that uses RADIUS towards a Windows Server machine (on its LAN). Hours or even days may pass between client connection requests.

The WLAN clients are not known in advance, and the server machine *user* has to *manually* accept/reject each incoming client as they come by clicking Yes/No on a dialog box (which I am going to pop up from a standalone EXE file made by me).
If a client was accepted once earlier, it is allowed to connect without this manual confirmation.
Once accepted, the WLAN client may connect, and an AES-encrypted WLAN connection is started.

Type of Windows Server and IAS: Suggest the best one (we'll prefer the newest version).

So, my idea of implementation is as follows:
1. To configure IAS to somehow notify my EXE file each time a RADIUS client wants to connect.
2. My EXE file will present a dialog box to the user
3. Minutes / hours may pass if the user does not pay attention or does not want to decide.
4. If the user presses 'Yes', my EXE must notify IAS that the client may be accepted.
5. If the user presses 'No', it should probably also notify IAS.

So my exact question is:
How would I go about making those notifications to the IAS server?

I can write a standalone executable, or a Windows Service.

Thanks.

iwaxx:

What is the criterion that says whether a client is allowed or rejected to connect to your WLAN?

I don't understand your sentence: "the server machine *user* has to *manually* accept/reject each incoming client as they come by clicking Yes/No on a dialog box"

Do you mean there will be a guy in front of the RADIUS server who will manually accept/reject a client?
On which criterion? You'll only receive a MAC address/IP address/maybe a username, depending on your authentication method.

Please give more information, the "manually" thing has to be explained.

Usually a RADIUS server has criteria to filter the client request on its own (password / certificate / filter on MAC address / username ...) or using a third-party database (Active Directory, LDAP, SQL, flat files), without the need for an extra application.
tedz (asker):

I actually mean that a person needs to click Yes or No in a dialog box to accept/reject a client.

When the WLAN client contacts the RADIUS server it also transfers its MAC address and its SSID to the RADIUS server. The operator (the physical person) will use the SSID and visual contact in order to determine whether he/she should accept or not. I will for example present the SSID in the dialog box, or whatever ID the WLAN client is presenting.

So my application will therefore act like an 'addon' for the RADIUS server providing a dialog box.
And my application must communicate with the RADIUS server.

You mention flat files. That will be an excellent and easy interface for me to implement.

So my question is how to set up IAS to use this or another convenient method.
I have absolutely no experience with IAS and need hints to get started - if this concept is possible.

Hope that clarified.
iwaxx:

Interesting, never heard of a physical person acting as a RADIUS server on visual contact ...

1- I think it's a lot of work for an already known result: the operator will click Yes each time, as every single wireless-enabled device will try to connect to your hotspot ... It can be a lot of requests ... RADIUS servers are made for that if the design is correct.

2- I have doubts that the RADIUS protocol is made for such use, as you would add a user delay that may lead to a protocol timeout ...
I have no answer to your question, but I have doubts about the design.

It seems that we are speaking about guest users.
Usually, depending on the number of users and the security you want to add, you can:
- let them use wireless without authentication
- No authentication but a web portal with legal conditions to be accepted
- have a single PSK (small networks)
- or provision (automatically or manually) a temporary login/password that the user will have to enter on a web portal, and that will be deleted after a certain amount of time.

The functionality will be nearly the same as your current concept: instead of manually accepting the request, the operator simply gives a PSK or login/password to the guest who needs an internet connection.

Speaking of AES: in the case of a web portal with a login/password form, those are usually open wireless networks, because you authenticate the user only once the wireless connection is fully established.
tedz (asker):

I think I must explain more about the usage so that you understand that my concept is necessary.
Any other concept is not an option.

In fact, I have already implemented this exact solution using another RADIUS server, except that we want to switch to IAS.

The WLAN clients are industry installations (client modules, CM)
The WLAN Access Points (AP) are vessels.
The RADIUS server is a machine on the same LAN as the AP onboard the vessel.

When a vessel approaches an industry installation, the CM operator may want to connect to the vessel in order to transfer data. The operator gives a command to connect the CM to the AP.

The CM/AP will then issue a RADIUS request.
The RADIUS server will now consult my application on whether it is allowed or not, by telling me the SSID and MAC.
My application will now handle the authentication.
In case of unknown SSID or previous rejection, my app returns negative and the RADIUS server will return negative and the connection is not made.
The CM will continue to issue RADIUS requests for a few minutes (at a few seconds' interval) to let the user decide.
In case of acceptance, my app returns positive and the RADIUS server will immediately allow and the AES connection is established.

So, that means the RADIUS server will continue to reject until my application gives acceptance - which only occurs after the user has pressed 'Yes' on his dialog.

I hope you now understand the concept.

So the question is basically if IAS is usable for such a scheme and how it is configured.
My application has to receive an event immediately when a RADIUS request is made, containing the SSID and MAC.
My application then responds either Yes or No.
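The gate described in the post above, written out as an added example that is not part of this thread (it is neither the asker's code nor any IAS API). It assumes the usual 802.1X/RADIUS convention (RFC 3580) that the AP sends the client MAC in Calling-Station-Id and "AP-MAC:SSID" in Called-Station-Id, a constructed shared secret, and a tab-separated flat file holding the operator's earlier Yes/No decisions (the flat-file interface mentioned earlier). The hook answers every Access-Request immediately: a pair with no recorded decision is rejected and queued for the operator dialog, so the user's delay never sits inside the RADIUS round trip, and the retrying client picks up the Accept on its next request once the operator has pressed Yes.

```python
import hashlib
import os
import struct
import tempfile

# RFC 2865 codes and the two attributes that carry the WLAN identifiers.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31


def normalize_mac(raw: str) -> str:
    """'00-11-22-33-44-55', '00:11:22:33:44:55', '001122334455' -> '001122334455'."""
    return "".join(ch for ch in raw.upper() if ch in "0123456789ABCDEF")


def split_called_station_id(value: str) -> tuple:
    """Assumed AP convention (RFC 3580 style): 'AA-BB-CC-DD-EE-FF:SSID'."""
    ap_mac, sep, ssid = value.partition(":")
    return (normalize_mac(ap_mac), ssid) if sep else ("", value)


def parse_packet(packet: bytes) -> dict:
    """RFC 2865 header plus a {type: value} map of the attribute-value pairs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")  # refuse rather than loop or overread
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {"code": code, "id": ident, "auth": packet[4:20], "attrs": attrs}


def encode_attrs(attrs: dict) -> bytes:
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs.items())


def build_request(ident: int, attrs: dict) -> bytes:
    """Constructed Access-Request; the demo uses a fixed (not random) authenticator."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(range(16)) + body


def build_response(code: int, request: dict, secret: bytes, attrs=None) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    body = encode_attrs(attrs or {})
    header = struct.pack("!BBH", code, request["id"], 20 + len(body))
    return header + hashlib.md5(header + request["auth"] + body + secret).digest() + body


class OperatorGate:
    """Flat-file memory of operator decisions (ssid<TAB>mac<TAB>accept|reject per line)
    plus an in-memory queue of clients still waiting for a Yes/No."""

    def __init__(self, path: str):
        self.path = path
        self.pending = set()

    def _decisions(self) -> dict:
        decisions = {}
        if os.path.exists(self.path):
            with open(self.path, encoding="utf-8") as fh:
                for line in fh:
                    parts = line.rstrip("\n").split("\t")
                    if len(parts) == 3:
                        decisions[(parts[0], parts[1])] = parts[2]  # last entry wins
        return decisions

    def record(self, ssid: str, mac: str, accept: bool) -> None:
        """Called by the operator dialog after Yes/No; persists the decision."""
        key = (ssid, normalize_mac(mac))
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(f"{key[0]}\t{key[1]}\t{'accept' if accept else 'reject'}\n")
        self.pending.discard(key)

    def handle(self, packet: bytes, secret: bytes) -> bytes:
        """The decision hook: answers at once, never blocks on the operator."""
        req = parse_packet(packet)
        if req["code"] != ACCESS_REQUEST:
            raise ValueError("not an Access-Request")
        _, ssid = split_called_station_id(req["attrs"].get(CALLED_STATION_ID, b"").decode())
        mac = normalize_mac(req["attrs"].get(CALLING_STATION_ID, b"").decode())
        verdict = self._decisions().get((ssid, mac))
        if verdict is None:
            self.pending.add((ssid, mac))  # the dialog box shows this queue
        return build_response(ACCESS_ACCEPT if verdict == "accept" else ACCESS_REJECT, req, secret)


def run_demo() -> dict:
    """Unknown client: Reject and queued. Same client after the operator's Yes: Accept."""
    secret = b"s3cret"  # constructed shared secret for the demo
    fd, path = tempfile.mkstemp(suffix=".tsv")
    os.close(fd)
    try:
        gate = OperatorGate(path)
        request = build_request(7, {CALLED_STATION_ID: b"AA-BB-CC-DD-EE-FF:CM-Installation-3",
                                    CALLING_STATION_ID: b"00-11-22-33-44-55"})
        first = parse_packet(gate.handle(request, secret))["code"]
        queued = ("CM-Installation-3", "001122334455") in gate.pending
        gate.record("CM-Installation-3", "00:11:22:33:44:55", accept=True)  # operator pressed Yes
        second = parse_packet(gate.handle(request, secret))["code"]
        return {"first": first, "queued": queued, "second": second, "pending_after": len(gate.pending)}
    finally:
        os.remove(path)
```

Whatever server the hook is plugged into, the reply must carry a Response Authenticator computed over the request's authenticator and the shared secret as `build_response` does, or the AP discards it; and because a pending pair gets the same Access-Reject as an unknown one, a client on the air learns nothing about the operator queue from the answer it receives.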
ASKER CERTIFIED SOLUTION
iwaxx

(This solution is only available to members of Experts Exchange.)
tedz (asker):

Thanks for your assessment.

It's actually very good to know it would be difficult - it saves me a lot of time trying to develop such a solution.