An ever-changing environment such as the Internet Access Gateways segment makes it necessary to provide numerous login options. The login options for the Surf-LAN captive portal are varied: they range from accounts in popular social media portals, autologon on an IP/MAC basis to connecting to a hotel system (PMS), for instance to have charges automatically allocated to the room invoice, via SMS or through external authentication. This article looks in detail at external authentication, introduces the associated components and discusses potential purposes of use. It is the first in a blog series intended to present different methods of external authentication. We begin with the topic of RADIUS.
External Authentication (hereinafter: ExtAuth) can be used for the Surf LAN side (IACBOX Guest) as well as the Office LAN side (IACBOX Administration). The protocols used for ExtAuth include LDAP, Microsoft AD, RADIUS, iPass and MySQL.
In this article we will take a closer look at RADIUS, a protocol that is used for AAA purposes (Authentication, Authorisation and Accounting). It is a client/server protocol and represents a centralised method of managing user information.
But let's first clarify the terminology: Authentication refers to the process used by a RADIUS server to verify user information before granting access. Authorisation, on the other hand, refers to the level or extent of access that is subsequently granted after successful verification. In this particular case we are looking exclusively at "access granted" or "access denied" and therefore at authentication. Accounting serves to record the details of the user session, such as how much data was transferred or how long the session lasted.
The IACBOX needs an access password (Shared Secret) to access the Radius server as a Radius client (IACBOX) before a RADIUS query can be started for the purpose of authentication. Other data such as hostname and port (standard is 1812) are also required for IACBOX configuration.
Access information is required in order to process an access request. This information is sent from the RADIUS client (running on the IACBOX) to the RADIUS server. The server cross-checks the data against its database before the result (access-accept or access-reject) is sent back to the client (IACBOX).
If the result is positive ("access-accept"), the system generates a ticket that is used to get the IACBOX Surf-LAN guest online. The ticket's properties are based on a template defined in advance in Ticket/Templates.
The ExtAuth Radius is set up in the Modules/Authentication menu (correct licensing and service activation are prerequisites). Surf-LAN usage can be set up using "Client Authentication" by lodging the corresponding ticket template. The checkbox "Use for WebAdmin" needs to be set if RADIUS is to be used after logging on to the Office-LAN page (administrative) - unused fields will be greyed out automatically.
This method of authentication could potentially be used for all login methods for centralised ease of administration of registered users (employees, pupils, students, clients, patients, insured persons and, in a corporate environment, with the keyword BYOD) or to connect various locations to a central login server. Network access providers use RADIUS to manage DSL/dial-up connections; a connection in this area is also conceivable.
This should not be confused with a connection via PMS (Property Management System). These systems are used in the hotel and catering industry. The interfaces provided are product-specific and are covered by the PMS module of the IACBOX. If an option to fall back on a well-defined protocol of the ExtAuth module exists, it should be exploited in most cases as these are widespread industry standards.
Examples of other supported ExtAuth protocols: MySQL/PostgreSQL DBMS, Active Directory (Microsoft Domain Controller) & LDAP. This will be the topic of a future article dedicated to the subject.
Are you interested in wireless Internet access for guests, staff or things for your enterprise, or do you provide network solutions for clients? Drop a few lines to share your opinion with us: firstname.lastname@example.org
At Asteas, we see it as our task to shape wireless Internet access in networks efficient and legally conformant for the supplier, efficient and comfortable for the user and secure for both.
For more information, visit our website www.asteas.com or contact us here.