
WiNG - Hotspot Authentication - Overview


The Motorola Hotspot authentication feature offers a simple way to provide secure authenticated access on a WLAN for users and devices using a standard web browser. Hotspot authentication allows enterprises to offer authenticated access to the network by capturing and re-directing a web browser's session to a captive portal login page, where the user must enter valid credentials to be granted access to the network.

The Motorola RF Switch supports the following advanced feature set that can be deployed to support Hotspot authentication for guest user or private user access:



Common Applications:
Hotspot authentication can be utilized for multiple applications including guest and visitor access or private user access and can be found in private enterprises, hospitality, healthcare, transportation and education environments. Hotspot authentication is fast becoming a popular means for authenticating users and devices as it provides administrators with the means for performing authentication without deploying 802.1X or distributing shared keys.

Authenticated Visitor Access:
A common application for the Hotspot feature is to provide secure authenticated access for guest users and visitors at a site. Prior to Hotspot authentication, organizations wishing to provide guest access would establish an open ESSID, separated from the internal network, which any authorized or unauthorized device could access. While this approach provided the necessary access, it also provided no means of authentication and gave free open access to the Internet to any device in range of the network.

Hotspot authentication solved this problem by providing an authentication component using a standard web browser. Visitors and guest users at a site would be provided with a temporary username and password from front desk personnel during the sign-in process which would permit access to the network for the duration of their visit. Once the time for the guest account expired, the user would be denied access to the network.

Employing Hotspot authentication for visitor access provides enterprises with the following benefits:
1.  Authentication ensures that only authorized users are permitted access to the guest network. Casual users looking for free Internet access are not permitted.
2.  Provides the ability to associate different network access permissions to classes of users. For example, visitors can be provided with one class of access vs. contractors who would be provided with a different class of access.
3.  Time limits can be applied and enforced for accounts, ensuring that Internet access is only permitted to a visitor for the duration of the visit.
4.  Time of day and day of week policies can be enforced for long term visitors, ensuring Internet access is only permitted during operating business hours.
5.  Bandwidth policies can be applied, ensuring guest users cannot monopolize or abuse the network.
6.  Firewall policies can be applied to restrict access to only specific protocols and applications.

Authenticated Private Access:

Another common application for the Hotspot feature is to provide authenticated access to private networks for un-managed devices. In certain vertical markets such as education administrators need to provide access to un-managed devices that are owned and maintained by end users such as students and faculty.

In typical enterprise environments 802.1X authentication is commonly employed to provide secured authenticated access into the private network. This approach is typically very easy to deploy and maintain as the end user devices are all owned, managed and maintained by the enterprise IT organization.

However, in environments such as education the make, model and OS of the end-user devices varies, making 802.1X very challenging to deploy, manage and maintain.

Prior to Hotspot authentication it was very common for education environments to deploy an SSID that utilized shared keys and/or MAC authentication. This approach eliminated the need for 802.1X authentication but placed an increased burden on IT staff, who each semester had to manage and rotate keys as well as maintain MAC lists of all the permitted devices.

Hotspot authentication provides an elegant way to solve these administrative challenges. First, Hotspot authentication provides the means for tying the user authentication into an existing RADIUS or LDAP user database, allowing students to authenticate using their assigned student ID and password. Secondly, as Hotspot authentication only requires a standard web browser for authentication, any end-user device can be supported.
Employing Hotspot authentication for private network access provides enterprises with the following benefits:
1)  Eliminates the administrative burden for managing and maintaining MAC address lists.
2)  Ties authentication into an existing RADIUS or LDAP back end allowing users to utilize their network credentials for access.
3)  Provides secure authentication without having to deploy, manage or maintain 802.1X on the end user devices.
4)  Provides the ability to associate different network access permissions to classes of users. For example, students can be provided with one class of access vs. faculty who would be provided with a different class of access.
5)  Bandwidth policies can be applied ensuring users cannot monopolize or abuse the network.
6)  Allows network access to be restricted based on location. For example firewall policies can be dynamically applied to sessions to restrict outbound Internet access at specific locations.
7)  Allows administrators to eliminate account sharing by limiting the number of simultaneous times a user-id can be used to access the Hotspot.

Paid Internet Access:
The final common application for Hotspot authentication is to provide paid access to the Internet. Hotspot authentication allows organizations to offer paid Internet access to subscribers by offering a block of time that users can use over multiple days or a block of time that can be utilized for one day only. Additionally, Hotspot authentication allows providers to offer tiered services to users by providing bandwidth allocations or different classes of service based on the purchased access package.

Paid Internet access typically employs a specialized back-end that the Hotspot users are re-directed to during the capture process, which provides the account creation and billing integration. Existing users with account balances can enter their credentials in the portal and authenticate to the network, which provides access for the time remaining on their account. New users sign up for new access and can select a package or amount of time which is charged to a credit card. Once billing has been performed the user is provided access for the purchased block of time.

Hotspot authentication is attractive for paid access applications as it requires no client or specialized software to be installed on the end user device. Hotspot authentication leverages the end user's web browser to perform the secure payment transaction and authentication, and leverages the features implemented on the RF Switch which control time restrictions and bandwidth allocation.

Hotspot Authentication Process:
Hotspot authentication requires no client software on the end user device and leverages the end user's web browser to perform authentication. When a user initially associates to a Hotspot enabled WLAN, the user has limited network access until they open their web browser and authenticate. Prior to authentication the user is only provided limited access to the network, allowing devices to obtain an IP address from DHCP, resolve hostnames using DNS and communicate with the Hotspot service. Once authentication has been performed, network access is determined based on any firewall rules statically applied to the Hotspot enabled WLAN, physical port or the Hotspot virtual IP interface. Dynamic firewall policies can also be applied to users if an advanced security license is installed on the RF Switch.

Figure 1.3 outlines the Hotspot authentication process that is performed on an RFS6000 or RFS7000 Switch:


1)  The user associates with the Hotspot WLAN. The RF Switch only permits access to DHCP, DNS and the Hotspot login page.
2)  The user opens their web browser and attempts to connect to an external web server.
3)  The RF Switch intercepts the browser session and redirects the web browser to a login page hosted on the RF Switch or an external web server.
4)  The user enters and submits their credentials.
5)  The RF Switch performs authentication using the integrated RADIUS server, external RADIUS server or external LDAP server:
a)  If authentication fails the web browser is redirected to a failed page hosted on the RF Switch or external web server.
b)  If authentication succeeds authorization is performed. RADIUS accounting information is also forwarded if enabled.
6)  The RF Switch verifies that the user is permitted to access the network based on user account expiry settings and time-of-day or day-of-week policies applied to the user group:
a)  If authorization fails the web browser is redirected to a failed page hosted on the RF Switch or external web server.
b)  If authorization succeeds the web browser is redirected to a welcome page hosted on the RF Switch or external web server.
7)  The RF Switch evaluates and assigns a role based policy to the session:
a)  If no advanced security license is present on the RF Switch, a default-role is assigned to the Hotspot user.
b)  If an advanced security license is present but no roles match the session, a default-role is assigned to the Hotspot user.
c)  If an advanced security license is present and a role is matched, the role is assigned to the Hotspot user.
8)  The user is now permitted access to the network. The network access that is permitted will be determined based on any firewall rules assigned to the WLAN, physical ports, Hotspot virtual IP interface or user.
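The eight-step sequence above as an added Python model; this is not Motorola's code or the WiNG implementation. It assumes a constructed user table standing in for the RADIUS server, constructed group time windows and role table, and a constructed portal address of 10.0.0.1, and shows the pre-authentication filter, the credential check, the expiry and time-of-day authorization, and the default-role fallback when no advanced security license is present.

```python
"""Added example, not Motorola's code: a minimal model of the Hotspot
decision sequence in steps 1-8. All data below is constructed for the demo."""
from datetime import datetime

# Constructed user database standing in for the integrated RADIUS server:
# password, user group and account expiry timestamp.
USERS = {
    "guest01": ("tempPass1", "visitors", datetime(2025, 1, 31, 17, 0)),
    "contractor7": ("c0ntract", "contractors", datetime(2025, 12, 31, 23, 59)),
}
# Constructed per-group day-of-week (0=Mon) and hour-of-day windows (step 6).
GROUP_POLICY = {
    "visitors": (range(0, 5), range(8, 18)),
    "contractors": (range(0, 7), range(0, 24)),
}
ROLES = {"contractors": "contractor-role"}  # constructed role table (step 7)
PRE_AUTH_PORTS = {67, 68, 53}   # DHCP and DNS are reachable pre-auth (step 1)
PORTAL_IP = "10.0.0.1"          # constructed Hotspot virtual IP interface

def pre_auth_filter(dst_ip, dst_port):
    """Steps 1-3: fate of a packet from a not-yet-authenticated station."""
    if dst_port in PRE_AUTH_PORTS or dst_ip == PORTAL_IP:
        return "permit"
    return "redirect" if dst_port == 80 else "drop"  # HTTP is captured

def authenticate(user, password):
    """Step 5: credential check against the user database."""
    return user in USERS and USERS[user][0] == password

def authorize(user, now):
    """Step 6: account expiry plus the group's time-of-day/day-of-week policy."""
    _, group, expiry = USERS[user]
    days, hours = GROUP_POLICY[group]
    return now < expiry and now.weekday() in days and now.hour in hours

def assign_role(user, advanced_license):
    """Step 7: role-based policy; default-role when no license or no match."""
    if not advanced_license:
        return "default-role"
    return ROLES.get(USERS[user][1], "default-role")

def hotspot_login(user, password, now_iso, advanced_license=False):
    """Steps 4-8: returns (page the browser is redirected to, assigned role).
    now_iso is the login time as an ISO 8601 string, e.g. "2025-01-15T10:00"."""
    now = datetime.fromisoformat(now_iso)
    if not authenticate(user, password) or not authorize(user, now):
        return ("failed", None)
    return ("welcome", assign_role(user, advanced_license))
```

Both an authentication failure (5a) and an authorization failure (6a) land on the failed page, exactly as the two branches above describe; only a fully authorized session reaches role assignment.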

Hotspot Architectures:

Hotspot authentication can be deployed to provide authentication for various deployment scenarios. Common applications include providing Internet access to guest users and visitors at a site as well as providing authenticated access for un-managed devices such as those of students and faculty at a university. The specific Hotspot application will determine the physical and logical topology that will be deployed. For example, guest access applications will require that the guest user devices are physically and logically separated from corporate devices using VLANs and firewalls. Private access, on the other hand, will not be concerned with physical and logical separation as the devices are typically trusted and will share the network with other trusted devices. The following section provides an overview of the Hotspot architectures supported by the Motorola RF Switch.

AP100 / AP300 / AP4131 Access Ports:

The first common Hotspot architecture is to deploy AP100, AP300 or AP4131 Access Ports with an RF Switch over a high-speed LAN. In this architecture all wireless user data traffic is tunneled from the AP to the RF Switch over an L2 or L3 network using WiSPe encapsulation. The RF Switches can be deployed in a centralized data center or wiring closet, providing seamless integration into the wired network. With this architecture the Hotspot capture, redirection, authentication, authorization and traffic forwarding functions are all provided centrally on the RF Switch. Using this model guest users' devices can be easily mapped to a guest VLAN in the data center or main wiring closet, providing physical traffic separation. When multiple virtual IP interfaces are deployed on the RF Switch, logical separation between guest and internal networks can be provided using the integrated stateful inspection firewall.


Adaptive Access Points (Extended WLANs):

The second common Hotspot architecture is to deploy AP5131 or AP7131 Adaptive Access Points with an RF Switch over a high-speed LAN or wide area network using extended WLANs. With extended WLANs all user data traffic is forwarded from the AP to the RF Switch over an L2 or L3 network using WiSPh encapsulation. The RF Switches may be deployed in a centralized data center or wiring closet at a site or centrally in a NOC supporting multiple remote sites.
With this architecture the Hotspot capture, redirection, authentication, authorization and traffic forwarding functions are all provided centrally on the RF Switch. Using this model guest users' devices can be easily mapped to a guest VLAN in the data center, main wiring closet or NOC, providing physical traffic separation. When multiple virtual IP interfaces are deployed on the RF Switch, logical separation between guest and internal networks can be provided using the integrated stateful inspection firewall.

Adaptive Access Points (Independent WLANs):

The third common Hotspot architecture is to deploy AP5131 or AP7131 Adaptive Access Points with an RF Switch over a high-speed LAN or wide area network using independent WLANs. With independent WLANs all user data traffic is forwarded locally from the AP to the wired network, bypassing the RF Switch. In this model the RF Switch provides centralized management and control of the APs over an L2 or L3 network but no centralized forwarding. The RF Switches may be deployed in a centralized data center or wiring closet at a site or centrally in a NOC supporting multiple remote sites.

With this architecture the Hotspot capture, redirection, authentication, authorization and traffic forwarding functions are all provided locally on each individual AAP. Authentication and authorization may also be performed centrally on the RF Switch if desired. As the AAPs are managed by a centralized RF Switch, the configuration and management of the Hotspot enabled WLAN can be performed centrally on the RF Switch and applied to each AAP. The guest user devices are mapped to a VLAN that is local to the AAP, requiring 802.1Q tagging to be enabled on the AAP and the upstream Ethernet device. Traffic separation is provided by the Ethernet infrastructure or the integrated L3 stateful inspection firewall on each AAP.
