AP5131 and RFS7000 Hotspot Challenge

Gerald Fehringer, 3 years 6 months ago

Hello,

Environment:
RFS7000: WiNG 4.3.3
AP5131: Independent Mode
RADIUS: MS NAP

Challenge:
- using GRE tunnel from AP5131 to RFS to redirect hotspot traffic - possible?
- use Microsoft NAP as external RADIUS on RFS7xxxx to authenticate Guest users - possible?
- use Microsoft RADIUS VSA to set time-limit of Guest users - possible, with external RADIUS? (RADIUS re-authentication evaluated by RFS?)

Thanks a lot!
Gerald


3 Replies

Kevin Marshall

Gerald,

Responses below:

1) using GRE tunnel from AP5131 to RFS to redirect hotspot traffic - possible?

GRE is not supported by the AP5131. The ONLY way you can tunnel the traffic between an AP5131 and a Wireless Controller would be to use an Extended WLAN (i.e. WiSPH / CAPWAP) or IPsec. If you use WiSPH the captive portal would operate on the Controller, while if you use IPsec the captive portal would operate on the AP5131 Access Point. If you want full centralized management & control, I would use an Extended WLAN! I would not even consider using an Independent WLAN!

As an alternative I would check out WiNG 5.X, which offers a much more flexible captive portal implementation as we can perform the capture and redirection on any WiNG 5.X device in the network. In addition we can also offer centralized management. It's a much cleaner solution!

2) use Microsoft NAP as external RADIUS on RFS7xxxx to authenticate Guest users - possible?

Microsoft NAP operates in three modes and supports 802.1X, DHCP or IPsec. The only implementation which I would consider for guest users would be DHCP, which places users in a specific range of IP addresses based on compliance and leverages firewall policies to determine the users' access. Check out http://technet.microsoft.com/en-us/network/bb545879 for more details.

The ONLY issue with Microsoft NAP is that it will ONLY work for Microsoft Windows XP, Vista and Windows 7 operating systems. It also requires the NAC agent to be operational and pre-configured, which will not be the case for guest users. It's fine for corporate deployments but NOT guest applications.

3) use Microsoft RADIUS VSA to set time-limit of Guest users - possible, with external RADIUS? (RADIUS re-authentication evaluated by RFS?)

We can absolutely force re-authentication (standard RADIUS), so I don't see any issues here. However we do not support any Microsoft VSAs.

We do however support various Motorola VSAs which can be enabled to control time and date access, which will do the same thing. Please check out http://compass.mot-solutions.com/doc/400537129/WiNG_4.X_-_5.X_-_RADIUS_… for more details. Please note however that these attributes apply to Controllers running WiNG 4.1 or Access Points and Controllers running WiNG 5.X! They do not apply to AP5131 Adaptive Access Points.

Regards,
Kevin

Gerald Fehringer

Hi Kevin,

thanks a lot for your quick and comprehensive answer!

MS NAP is used as primary RADIUS, not for any NAC/NAP related stuff, and for Accounting purposes. It is also used for 802.1X/EAP-PEAP and therefore should be used as the primary authentication source. As in many productive infrastructures running AP5131, WiNG5 is not an option at the moment.

So three more questions:

1. If we use extended VLAN, is it possible to use the external RADIUS also for Hotspot user authentication, or is onboard mandatory (don't forget we already use external for PEAP)?
2. If we use independent VLANs, can bandwidth and time policies be fully applied through RADIUS VSA as well ("Symbol-Expiry-Date-Time", "Symbol-Downlink-Limit" & "Symbol-Uplink-Limit" will be evaluated by the AP)?
3. Is sending the VSA "Symbol-Expiry-Date-Time" enough, or does the RADIUS also need to send the "Symbol-Start-Date-Time" in the access-response?

NOTE: I'll use multiple MS RADIUS/NAP Policies to be able to use PEAP and Hotspot authentication (1st will be the Hotspot Policy and 2nd the PEAP Policy) - so both user authentication scenarios should be authenticated.

Besides, I'm not sure how to send VSAs on a per-user basis from Active Directory - has anyone ever worked with VSA mapping?

Best Regards,
Gerald

Kevin Marshall

Gerald,

I think you're referring to Microsoft's Network Policy Server (NPS), which is absolutely supported.

1) If we use extended VLAN, is it possible to use the external RADIUS also for Hotspot user authentication or is onboard mandatory (don't forget we use already external for PEAP)?

In WiNG 4.X the AAA server is applied to the WLAN, allowing different AAA servers to be used by each WLAN. This is regardless of whether the WLAN is Independent or Extended.

2) If we use independent VLANs, bandwidth and time policies can be fully applied through RADIUS VSA as well ("Symbol-Expiry-Date-Time", "Symbol-Downlink-Limit" & "Symbol-Uplink-Limit" will be evaluated by the AP)?

I would not even consider using Independent WLANs for Hotspot, as you're heading towards pain and misery. I have been there, done that; there are so many limitations that it's simply not worth it. One of the limitations is no support for any of the VSAs (as I mentioned in my previous post). The only implementation with the AP5131 that I would consider would be to use Extended WLANs and tunnel all the traffic to the Controller.

3) Sending the VSA "Symbol-Expiry-Date-Time" is enough or needs the RADIUS also send the "Symbol-Start-Date-Time" in the access-response?

The attribute Symbol-Expiry-Date-Time is enough to control when the user is denied access. The Symbol-Start-Date-Time attribute is simply used to determine the date and time the user can begin accessing the system.

Regards,
Kevin
