Access Control

Wireless LAN
• Provide a wireless network across your campus that has the following characteristics:
  – Authentication – only allow your users
  – Roaming – allow users to start up in one section of your network, then move to another location
  – Easy to deploy and manage

Simple Campus wide wireless solution

Border

Authentication Gateway (aka Captive Portal)

Lightweight
• Hotspot (wireless)
• Small wired LAN (/24)

Campus Wide CP (wireless + wired)
• Has to be custom built

A Wireless Captive Portal

Commercial Solutions
• Aruba
  – http://www.arubanetworks.com
• Cisco Wireless LAN Controllers
  – http://www.cisco.com/en/US/products/hw/wireless/
• Bradford Networks
  – http://www.bradfordnetworks.com/
• Cisco NAC Appliance (Clean Access)
  – http://www.cisco.com/en/US/products/ps6128/
• Enterasys
  – http://www.enterasys.com
• Mikrotik
  – http://www.mikrotik.com/

Open Source Solutions
• CoovaChilli (morphed from Chillispot)
  – http://coova.org/wiki/index.php/CoovaChilli
  – Uses RADIUS for access and accounting.
  – CoovaAP – OpenWrt-based.

Open Source Solutions
• WiFi Dog
  – http://dev.wifidog.org/
• Sweetspot
  – http://sweetspot.sourceforge.net/
• Captivator-gw
  – http://net.doit.wisc.edu/~dwcarder/captivator/
• Paper: Koht-Arsa, K., “Architectural design for large-scale campus-wide captive portal”

Open Source Solutions cont.
• m0n0wall
  – http://m0n0.ch/wall/
  – Embedded appliance solution built on FreeBSD.
  – Entire configuration is stored in an XML file.
  – Sample Captive Portal configuration screen: http://m0n0.ch/wall/images/screens/services_captiveportal.png
  – Supported on low-end PC hardware, such as Soekris and ALIX platforms.

Open Source Solutions cont.
• pfSense (forked from m0n0wall)
  – http://pfsense.org/
  – Can be installed on higher-end PC hardware.
  – RADIUS authentication.
  – RADIUS accounting.
  – Limits the number of connections to the portal itself per client IP.

Open Source Solutions cont.
• Zeroshell
  – http://www.zeroshell.net/eng/
  – Protection against spoofed IP/MAC addresses
  – Can protect the CP against client DoS attacks
  – Supports SSO (Shibboleth, SAML 2.0)
  – Limits access based on RADIUS accounting
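The three protections the pfSense and Zeroshell slides list (a per-client limit on connections to the portal itself, IP/MAC binding against spoofing, and cutting a session off once its RADIUS accounting limit is used up) come down to a small amount of state on the gateway. The session table below is an added example written for this page; it is not code from pfSense, Zeroshell or any other project named here, and the class names, thresholds and the byte quota standing in for a RADIUS accounting limit are all assumptions.

```python
"""Captive-portal session table (added example, not any project's code).

Models three defensive checks from the slides:
  * rate limit on connections to the portal page, per client IP
  * IP/MAC binding so a host cannot borrow an authenticated client's IP
  * session teardown when an accounting quota (assumed to come from
    RADIUS) is exhausted
All names, thresholds and addresses are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    octets_allowed: int   # quota handed back after RADIUS authentication (assumed)
    octets_used: int = 0


class CaptivePortal:
    def __init__(self, max_portal_conns=5, window_secs=60):
        self.sessions = {}                    # authenticated clients, keyed by IP
        self.max_portal_conns = max_portal_conns
        self.window = window_secs
        self.portal_hits = defaultdict(list)  # ip -> timestamps of portal requests

    def portal_request(self, ip, now):
        """May an unauthenticated client reach the login page right now?

        Keeps only hits inside the sliding window, so a client hammering the
        portal (the DoS case on the Zeroshell slide) is refused until it backs off.
        """
        recent = [t for t in self.portal_hits[ip] if now - t < self.window]
        if len(recent) >= self.max_portal_conns:
            self.portal_hits[ip] = recent
            return False
        recent.append(now)
        self.portal_hits[ip] = recent
        return True

    def login(self, ip, mac, user, octets_allowed):
        """Called after a RADIUS Access-Accept (assumed); binds the IP to the MAC."""
        self.sessions[ip] = Session(ip, mac, user, octets_allowed)

    def allow(self, ip, mac, octets):
        """Decide what the gateway does with a packet of `octets` bytes."""
        s = self.sessions.get(ip)
        if s is None:
            return "redirect"        # not authenticated: send to the portal
        if s.mac != mac:
            return "drop"            # IP in use by a different MAC: spoofing
        if s.octets_used + octets > s.octets_allowed:
            del self.sessions[ip]    # quota gone: session ends, back to portal
            return "quota"
        s.octets_used += octets
        return "forward"
```

Accounting in a real deployment is tracked by the RADIUS server, and the gateway learns the limit from the Access-Accept or an interim-update exchange; the quota here is simply a stand-in so the teardown path can be exercised offline.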

Network Access Control (NAC)
• NetReg
  – Automated network registration system
  – Uses DHCP to register clients' hardware (MAC) addresses before they can gain full network access.
  – If registered, the client receives fully functional TCP/IP information
  – If not, bogus TCP/IP information with limited access to
  – Some clients may learn about your network configuration
  – Look at your switches' bridge and/or IP ARP tables and compare them to NetReg's registered hardware (MAC) addresses

Network Access Control (NAC) cont.
  – Use a managed-switch feature that binds the port to the DHCP lease.
• PacketFence
  – Automated network registration system
  – Uses managed switches to assign users to the correct VLAN
  – Uses 802.1X to authenticate users
  – Scales to large networks
  – Your campus must operate entirely on managed switches.
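The NetReg slides describe two mechanisms: the DHCP server hands a registered MAC the real subnet settings and an unregistered MAC a quarantine configuration, and the operator periodically compares the switches' bridge tables with the registration list to catch hosts that never registered or that reuse a registered MAC elsewhere. The script below is an added example illustrating both; it is not NetReg's or PacketFence's code. The subnets, the registration list, the bridge-table dump (a constructed sample in the dotted-hex style many switches print) and the function names are all assumptions.

```python
"""NetReg-style DHCP decision plus a switch bridge-table audit.
Added example for this page, not code from NetReg or PacketFence.
All addresses, the registration list and the table format are assumptions."""

# Real settings for registered hosts (assumed values)
REAL_NET = {"subnet": "10.10.0.0/16", "router": "10.10.0.1",
            "dns": "10.10.0.53", "lease": 86400}

# "Bogus" settings for unregistered hosts: a quarantine subnet whose DNS and
# router only lead to the registration server (assumed values). The lease is
# short so a freshly registered host picks up real settings quickly.
QUARANTINE_NET = {"subnet": "192.168.250.0/24", "router": "192.168.250.1",
                  "dns": "192.168.250.1", "lease": 300}

# Constructed registration list: MAC -> owner
REGISTERED = {"00:11:22:33:44:55": "alice", "66:77:88:99:aa:bb": "bob"}


def dhcp_offer(mac, registered=REGISTERED):
    """Pick the configuration a DHCP request from `mac` should receive."""
    mac = mac.lower()
    if mac in registered:
        return dict(REAL_NET, owner=registered[mac])
    return dict(QUARANTINE_NET, owner=None)


# Constructed sample of a bridge-table dump: vlan, mac, port
BRIDGE_TABLE = """\
10    0011.2233.4455    Gi1/0/1
10    6677.8899.aabb    Gi1/0/2
10    dead.beef.0001    Gi1/0/7
10    0011.2233.4455    Gi1/0/9
"""


def normalise(dotted_mac):
    """'0011.2233.4455' -> '00:11:22:33:44:55' so both sources compare equal."""
    hexdigits = dotted_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def audit_switch_tables(dump, registered=REGISTERED):
    """Compare a bridge-table dump with the registration list.

    Returns (finding, mac, port) tuples for MACs that are active on the
    switch but never registered, and for registered MACs that show up on
    more than one port, which is what a host copying someone's MAC to get
    past registration looks like from the switch's side.
    """
    first_port = {}
    findings = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _vlan, raw_mac, port = parts
        mac = normalise(raw_mac)
        if mac not in registered:
            findings.append(("unregistered", mac, port))
        elif mac in first_port and first_port[mac] != port:
            findings.append(("duplicate-mac", mac, port))
        first_port.setdefault(mac, port)
    return findings


if __name__ == "__main__":
    print(dhcp_offer("DE:AD:BE:EF:00:01"))
    for finding in audit_switch_tables(BRIDGE_TABLE):
        print(*finding)
```

The audit is the part worth scheduling: the quarantine configuration only stops hosts that actually ask DHCP, so a host that sets a static address in the real subnet appears in the bridge table but never in the registration list, and this comparison is what surfaces it.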

Enterprise Identity Management
• Processes and documentation of users.
  – Now you must deal with this.
  – What to use as the back-end user store?
    • LDAP
    • Active Directory
    • Kerberos
    • Other?
  – Will this play nicely with future use?
    • email, student/staff information, resource access, ...

What to Do?
• Review the options presented here, both commercial and Open Source.
• Review the various associated projects to understand how this all ties together.
• Devise a plan for your user identities, their storage and the processes around them.
• For sites under 3–4,000 users you might consider , m0n0wall or Zeroshell.

Questions?