Network Access Control in Wi-Fi (Wireless) Controller based solution

This article looks at the ways a wireless controller can control network access for a wireless user: how wireless users are authenticated, whether they can be sub-grouped with policies enforced per sub-group, port based versus user based control of those sub-groups, whether secure guest access can be provided through a captive portal, whether Quality of Service can be enforced and bandwidth limited per user, and whether the wireless controller can be integrated with the company's existing NAC device.

Why is Network Access Control exciting for Wireless connectivity and Access?

¤ When you are able to control which resource is made available to which user in a wired network, why not extend that control to the wireless network too?

¤ If certain services are critical, like internet access or access to the enterprise management suite, give them to only a few people and keep them away from everyone else.

¤ Allow guests to access only a certain service, such as internet access, so that guests get a productivity tool while security is preserved: with guest access alone they cannot get into the rest of the network.

¤ Ensure the quality of access for wireless users: give priority to voice and video packets, as they are time sensitive, and limit the wireless bandwidth that each user can consume.

Authentication methodology in wireless networks:

Much of what can be done to control network access depends on how the users of a wireless network are authenticated. There are two ways in which this can be done. Certain wireless controllers have a built-in database to store user names, passwords, MAC addresses and similar key information. When a user tries to connect to the wireless network, he is taken to a secure captive portal where he enters his user name and password; his MAC address and IP address may or may not be checked as well. Based on the credentials entered, he is allocated to one of the pre-defined groups, each with its own network access parameters. Alternatively, if the organization already has a centralized authentication system such as an LDAP server or a RADIUS server, most of the wireless controllers available in the market can integrate with that existing user database. IEEE 802.1X based authentication is recommended for wireless networks.

Network Access Control in Wireless networks:

Based on the authentication of the wireless user, he can be allocated to a wireless sub-group. Each such group can have its own policy defining its level of network access. For example, all the users of one group might have access to SAP, the internet and so on, while the users of another group have access to SAP only and the users of a third group have access to the internet only. These settings can be configured on certain wireless controllers, and some wireless controllers also support integration with an existing NAC device that already contains such rules for wired access.

Port based Access Control Vs User based Access Control:

Certain wireless solutions do the sub-grouping based on ports or MAC addresses and then apply the policies based on the VLAN to which those devices are restricted. This method has a limitation: the user needs to authenticate to the network using the same device every time. But users today use multiple devices such as desktops, laptops, PDAs and even mobile phones to access the network. Some controllers support user based access, where the user gets the same network access level whichever device he uses (in this case it is the user name and password that are verified, so wireless access can be granted from any device). Which is better is something the administrator needs to decide, but the second option looks more flexible and easier to implement, as it is less rigid.

Secure Guest Access through Captive portal:

Suppose an important guest walks in and you need to give him internet access. It is not practical to add an entry in the LDAP directory and create policies for guests who may need only one-time access. Certain controllers allow a separate sub-group to be created for guests with restricted access policies pre-defined (for example, internet access only). So, when the guest arrives, you simply give him a user name and password and let him log in as a guest to use the internet alone. If the guest will be staying only for a day, the guest account can be set to expire in a day so that it cannot be misused afterwards.
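The following is an added example, not code from the original article or from any particular controller vendor. It models the behaviour described in the three sections above: a built-in user database that maps authenticated users to a group, a group-to-services policy (the SAP / internet split), the contrast between user based access (the group follows the credentials) and port/MAC based access (the group follows the device's VLAN), and a guest account that expires after a set number of days. All user names, MAC addresses, VLAN ids and passwords are constructed sample values.

```python
import hmac
import time

# Constructed policy table: group -> set of services that group may reach.
GROUP_POLICY = {
    "full": {"sap", "internet"},
    "sap_only": {"sap"},
    "internet_only": {"internet"},
    "guest": {"internet"},
}

# Constructed built-in user store. Passwords are kept in clear text here only
# so the example is self-contained; a real controller stores password hashes.
USERS = {
    "alice": {"password": "alice-pw", "group": "full", "expires": None},
    "bob": {"password": "bob-pw", "group": "sap_only", "expires": None},
}

# Port/MAC based model: a device's MAC is pinned to a VLAN, the VLAN carries the policy.
MAC_TO_VLAN = {"aa:bb:cc:dd:ee:01": 10, "aa:bb:cc:dd:ee:02": 20}
VLAN_POLICY = {10: "sap_only", 20: "internet_only"}


def create_guest(name, password, valid_days=1, now=None):
    """Add a guest account in the restricted 'guest' group that expires after valid_days."""
    now = time.time() if now is None else now
    USERS[name] = {"password": password, "group": "guest",
                   "expires": now + valid_days * 86400}


def authenticate_user(username, password, now=None):
    """User based access: return the group for valid, unexpired credentials, else None."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    if rec["expires"] is not None and now >= rec["expires"]:
        return None  # expired guest account: treated exactly like a bad login
    return rec["group"]


def group_for_device(mac):
    """Port/MAC based access: the policy follows the device's VLAN, not the person."""
    vlan = MAC_TO_VLAN.get(mac.lower())
    return VLAN_POLICY.get(vlan) if vlan is not None else None


def is_allowed(group, service):
    """Policy check: unknown group or unknown service is denied by default."""
    return group is not None and service in GROUP_POLICY.get(group, set())
```

Note that the same person would get different access depending on which device he plugs in under the port/MAC model, whereas `authenticate_user` returns the same group regardless of device.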

Setting the Quality of Service and bandwidth limitations:

It is important to decide which services are available to which user, and it is equally important to ensure that the user enjoys a certain level of quality in those services over wireless access. Certain controllers automatically detect the protocol of the data packets (SIP, for example) and prioritise those packets so that they are sent ahead of the other data packets queued for transmission. This ensures that time sensitive applications such as voice and video can be used effectively over the wireless network as well. Some controllers instead let you set such QoS parameters based on the VLAN to which the device is connected. There is one problem with that approach: a user may use the same laptop for both voice and data communications, so applying one level of priority to all the packets coming from the laptop may not be the best approach.

Since a wireless network is a shared medium, it is important to control the maximum bandwidth that any single user can consume. Most wireless networks are choked not because many users are accessing the network simultaneously but because a few users are downloading huge files. Certain controllers allow a per-user bandwidth limit to be set.
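As an added example (not from the original article or any vendor), the scheduler below shows the two mechanisms just described working together: packets are classified per packet by protocol, so SIP traffic from a laptop jumps the queue while that same laptop's bulk download does not, and a per-user byte budget per scheduling interval stops one heavy downloader from consuming the shared medium. The packet list, user names, caps and protocol set are all constructed sample values.

```python
import heapq
from itertools import count

# Constructed per-user cap in bytes per scheduling interval.
USER_CAP_BYTES = {"alice": 3000, "bob": 3000}

# Protocols the scheduler treats as time sensitive (the article names SIP as an example;
# RTP, which carries the media for a SIP call, is added here as an assumption).
REALTIME_PROTOCOLS = {"sip", "rtp"}

# Constructed traffic for one interval: bob is pulling a large file while alice,
# on a single laptop, mixes a voice call with ordinary web traffic.
SAMPLE_PACKETS = [
    {"user": "bob", "proto": "http", "size": 1500},
    {"user": "bob", "proto": "http", "size": 1500},
    {"user": "alice", "proto": "http", "size": 1200},
    {"user": "alice", "proto": "sip", "size": 200},
    {"user": "bob", "proto": "http", "size": 1500},
    {"user": "alice", "proto": "rtp", "size": 160},
]


def schedule(packets, caps=USER_CAP_BYTES):
    """Return (sent, dropped) for one interval.

    sent: packets in transmit order, real-time protocols first (FIFO within a class).
    dropped: packets that would push a user past his byte cap for this interval.
    """
    heap = []
    seq = count()  # tie-breaker keeps arrival order within a priority class
    for p in packets:
        prio = 0 if p["proto"] in REALTIME_PROTOCOLS else 1
        heapq.heappush(heap, (prio, next(seq), p))

    used, sent, dropped = {}, [], []
    while heap:
        _, _, p = heapq.heappop(heap)
        user = p["user"]
        cap = caps.get(user, float("inf"))  # unknown users are not capped here
        if used.get(user, 0) + p["size"] > cap:
            dropped.append(p)  # over budget: a real controller would queue or shape instead
            continue
        used[user] = used.get(user, 0) + p["size"]
        sent.append(p)
    return sent, dropped
```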

Can a Wireless controller be integrated to an existing NAC device?

Yes. Certain controllers can be integrated with an existing NAC device so that its policies are applied to wireless users as well. They can also be integrated with existing authentication servers, as mentioned above.

excITingIP.com
