Wireless authentication with DD-WRT, Cisco and Microsoft

I'm looking for a way to authenticate my wireless users beyond them just knowing the wireless password. Ideally they would join the access point then get dumped to the login portal that they'd have to log in with their current user name and password, which would get checked against AD.

Additionally, I'd be looking for two features:
1) That users could be "remembered" for 30 days (or some period of time) so they don't need to log in every time they want to use wireless
2) Somehow we could lock users out through some action in AD

My access points are Buffalo routers running DD-WRT. I have mostly Windows 7 machines and servers running Server 2008 r2. In addition I have a Cisco router and ASA firewall.

Can someone suggest a piece of software (or multiple pieces in combination) that can do this? From what I've Googled around this can't be done with my existing equipment, but maybe I haven't looked hard enough.

travisryan Asked:
Craig Beck Commented:
DD-WRT can use RADIUS authentication.  Microsoft server has NPS which is a RADIUS server.  This ties in to Active Directory, so you have a user database right there.

You don't need to use the hotspot functionality of the DD-WRT software - just use an SSID which is secured with WPA2-Enterprise.  The authentication method you need to configure in NPS is PEAP-MSCHAPV2.  You can set the RADIUS session timeout on the APs, so you can allow the connection for as long as you like before reauthentication, but you don't even need to do it that way.  Simply create a GPO to push the wireless configuration to the clients, then they'll automatically connect every time the SSID is in range.  They'll reauthenticate as and when required with no disconnection, and they will roam between APs without a problem too.

Create a security group in AD for wireless users and add each user that you want to allow wireless connectivity to.  If you want to stop a user from connecting to the wireless (while still allowing them to use their AD account for wired machines, etc.), just remove them from the security group.  In NPS create an access policy which uses the security group as a condition.

Job done :-)
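The Server 2008 R2 side of the setup above, as an added example that is not part of Craig Beck's answer or any Microsoft documentation: it creates the gating security group, registers NPS in AD, adds the DD-WRT access points as RADIUS clients with the 2008 R2-era netsh nps commands, and gives a quick way to confirm from the Security log that a user removed from the group is now being denied. The domain (corp.example), OU path, group name, AP names and addresses, user names and the shared-secret placeholder are all assumptions; the network policy itself (Windows Groups and NAS Port Type conditions, PEAP with EAP-MSCHAPv2 as the constraint, Session-Timeout for the reauthentication interval) is still built in the NPS console, since this script only exports it afterwards.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on
# the NPS server (needs the ActiveDirectory RSAT module, present on a 2008 R2 DC).
# Assumed values: domain corp.example, OU "OU=Groups,DC=corp,DC=example",
# group "Wireless Users", two constructed APs, placeholder shared secret.
Import-Module ActiveDirectory

$GroupName    = 'Wireless Users'                         # assumption
$GroupPath    = 'OU=Groups,DC=corp,DC=example'           # assumption
$SharedSecret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'      # placeholder; same value goes on each AP's RADIUS page
$RadiusClients = @(                                      # constructed sample APs (the DD-WRT units)
    @{ Name = 'ap-floor1'; Address = '192.168.10.2' },
    @{ Name = 'ap-floor2'; Address = '192.168.10.3' }
)

# 1. Security group that the NPS network policy will use as its Windows Groups condition.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $GroupName -Members 'jdoe', 'asmith'   # constructed sample users

# 2. Register NPS in AD so it may read account dial-in properties and group membership.
netsh nps add registeredserver

# 3. Register each AP as a RADIUS client. A distinct secret per AP limits the blast
#    radius if one router's config is ever read out; a single one is used here for brevity.
foreach ($c in $RadiusClients) {
    netsh nps add client name = "$($c.Name)" address = "$($c.Address)" state = ENABLE sharedsecret = "$SharedSecret"
}

# 4. After the policy has been created in the NPS console, keep a versioned copy of
#    the whole configuration (exportPSK = YES includes the client shared secrets, so
#    treat the file as a secret).
netsh nps export filename = "C:\nps-config.xml" exportPSK = YES

# 5. Revoking wireless access is just a group-membership change ...
Remove-ADGroupMember -Identity $GroupName -Members 'asmith' -Confirm:$false

# ... which can be verified from the NPS audit events in the Security log:
# 6272 = network policy granted access, 6273 = denied. If nothing is returned,
# the subcategory may need enabling:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
function Get-NpsAuthEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273;
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' } } },
            Message
}
Get-NpsAuthEvents -Hours 1 | Format-Table -AutoSize -Wrap
```

Two points worth checking once this is in place: the wireless profile pushed by GPO should have PEAP server-certificate validation turned on and pinned to the NPS server's certificate, otherwise clients will happily hand their MSCHAPv2 exchange to any AP broadcasting the same SSID; and the 6273 events are where an unexpected denial for a user who is still in the group usually explains itself (reason code in the message), so they are worth routing to whatever log collection is already in use.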

travisryan (Author) Commented:
Craig, as I'm not familiar with NPS do you have a good resource for me to check out on that subject?