« "V" is for Bitchin | Main | Aerohiving in Public »

June 03, 2009

LDAP This!

When schools install Wi-Fi they often come across a nasty surprise: securely authenticating users isn't so easy (sorry in advance for the following book, but it's worth the read, especially if you're a school).

It's pretty simple: schools want a wireless LAN that's easy to set up, works with any device and is supported natively by the client's operating system. They also want an open SSID that uses a captive portal for authentication, as well as a secure SSID for faculty and students.

The problem is that many schools (K-12 and higher ed) use an LDAP (Lightweight Directory Access Protocol) directory server, such as Apple Open Directory, OpenLDAP or Microsoft Active Directory, to authenticate users.

Today's "best practice" is to encrypt all over-the-air traffic and to authenticate each device and user. 802.11i (WPA2) with AES is the choice du jour for authenticating users against the existing directory server, since that's where the information sits.

But WPA2 doesn't offer full support for LDAP. WPA2 includes 802.1X and EAP-PEAP (Extensible Authentication Protocol, Protected EAP) support for authenticating users against a backend server (such as RADIUS). However, WPA2 with PEAP requires a RADIUS server, and few schools have one (especially K-12) - or WANT one.

Truth be told, RADIUS servers CAN talk to an LDAP directory server using PEAP, but only if that LDAP server is Microsoft's Active Directory (you see, PEAP only hashes passwords in a format that only MS AD understands). Well, that just plain sucks.

Once saddled with some (other vendor's) Wi-Fi system, schools figure out (because these vendors don't tell them) that they now must find and deploy a RADIUS server.

Luckily for schools, this problem has been solved with a new technology called Dynamic PSK. Dynamic PSK gives schools an ultra-easy way to encrypt traffic while still requiring user authentication, via a captive portal that talks to an LDAP server. Here's how it works:

First, the user connects to the network (wired or wireless) and points their browser to an activation or authentication Web page. The user is prompted to enter his/her credentials, which are checked against the LDAP directory server.

If successful, the user is sent to a new Web page that lists the wireless LANs they may connect to, the security type (e.g. WPA or WPA2) and a unique PSK (Pre-Shared Key) that is bound to the user's specific device once they connect to the WLAN.

If the device is a Windows machine, the user can choose to download a script that automatically configures their wireless card (it installs the unique PSK and the requisite SSID). Or they can simply cut and paste the information.

This unique key is stored in a central database (the Ruckus ZoneDirector internal database). Each key works only for the device it was issued to and can include an expiration date, after which the key will no longer work. Keys are easily managed or revoked on an individual basis. This is quite different from a normal PSK network, in which every device shares the same encryption key.
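To make the workflow above concrete, here is an added example (not Ruckus code, and not how ZoneDirector is actually implemented) that models the whole Dynamic PSK lifecycle in Python: a captive-portal login checked against a directory, a per-device PSK issued and bound to that device's MAC address with an expiry, a revocation path, and the check an access point would make when the device associates. The LDAP bind is simulated with a constructed in-memory directory so the example runs offline; the account names, passwords, SSID and MAC addresses are all constructed. The `pmk` helper shows the real WPA2 passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds), which is why two devices holding different PSKs end up with different encryption keys, unlike a normal shared-PSK network. The `windows_wlan_profile` function produces the profile XML that `netsh wlan add profile` accepts, standing in for the configuration script the post mentions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Constructed stand-in for the school's LDAP directory (username -> password hash).
# In a real deployment this step is an LDAP bind against the directory server;
# it is simulated here so the example runs offline.
_SALT = b"constructed-salt"  # constructed; real directories salt per entry


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


DIRECTORY = {
    "jsmith": _hash_password("CorrectHorse!", _SALT),   # constructed student account
    "teacher1": _hash_password("ChalkDust42", _SALT),   # constructed faculty account
}

EXAMPLE_NOW = datetime(2009, 6, 3, 12, 0)  # fixed clock so results are reproducible


def ldap_bind(username: str, password: str) -> bool:
    """Simulated LDAP bind: succeeds only if the password matches the stored hash."""
    stored = DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


@dataclass
class KeyRecord:
    username: str
    device_mac: str
    psk: str
    expires: datetime
    revoked: bool = False


PSK_ALPHABET = string.ascii_letters + string.digits


class DynamicPskIssuer:
    """Simplified model of the central key database: one PSK per device."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self.keys = {}  # device MAC (lower-case) -> KeyRecord

    def issue(self, username, password, device_mac, ttl_days, now):
        """Captive-portal step: authenticate against the directory, then mint a
        device-bound PSK with an expiry. Returns None if the login fails."""
        if not ldap_bind(username, password):
            return None
        # WPA2 passphrases are 8-63 printable ASCII chars; 20 random ones is plenty.
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(20))
        mac = device_mac.lower()
        self.keys[mac] = KeyRecord(username, mac, psk, now + timedelta(days=ttl_days))
        return psk

    def revoke(self, device_mac) -> bool:
        """Per-device revocation; other users' keys are unaffected."""
        rec = self.keys.get(device_mac.lower())
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authorize(self, device_mac, psk, now) -> bool:
        """Association-time check: the key must belong to this MAC and be
        neither revoked nor expired."""
        rec = self.keys.get(device_mac.lower())
        if rec is None or rec.revoked or now >= rec.expires:
            return False
        return hmac.compare_digest(rec.psk, psk)

    def pmk(self, psk: str) -> bytes:
        """WPA2-Personal derives the PMK as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
        return hashlib.pbkdf2_hmac("sha1", psk.encode(), self.ssid.encode(), 4096, 32)


def windows_wlan_profile(ssid: str, psk: str) -> str:
    """WPA2-PSK/AES profile XML in the schema `netsh wlan add profile` consumes."""
    s, k = escape(ssid), escape(psk)
    return (
        '<?xml version="1.0"?>\n'
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">\n'
        f"  <name>{s}</name>\n"
        f"  <SSIDConfig><SSID><name>{s}</name></SSID></SSIDConfig>\n"
        "  <connectionType>ESS</connectionType>\n"
        "  <connectionMode>auto</connectionMode>\n"
        "  <MSM><security>\n"
        "    <authEncryption><authentication>WPA2PSK</authentication>\n"
        "      <encryption>AES</encryption><useOneX>false</useOneX></authEncryption>\n"
        "    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>\n"
        f"      <keyMaterial>{k}</keyMaterial></sharedKey>\n"
        "  </security></MSM>\n"
        "</WLANProfile>\n"
    )


if __name__ == "__main__":
    issuer = DynamicPskIssuer("School-Secure")
    psk = issuer.issue("jsmith", "CorrectHorse!", "AA:BB:CC:DD:EE:01", 30, EXAMPLE_NOW)
    print("issued:", psk, "pmk:", issuer.pmk(psk).hex())
    print(windows_wlan_profile("School-Secure", psk))
```

The point to take from the model: because the key is looked up by the associating device's MAC and checked for expiry and revocation, losing one laptop means revoking one record rather than re-keying every device on the SSID, which is the operational difference the post draws between Dynamic PSK and a shared PSK. The profile's `<protected>false</protected>` means the passphrase is written in clear text in the XML, so the generated file should be treated as a credential and deleted after import.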

Schools dig this.


Comments

Haxim

This is great but is there somewhere where we can find a step-by-step guide on configuring this setup?

Sam Prince

I'm just setting up my first Zone Director box in almost exactly the setup you describe. So far I love it! I particularly like the Layer3/4/IP filtering which means I can grant access only to specific resources within my LAN for certain SSIDs.

Unfortunately we have some added complications in that the students logging on with their own virus-filled laptops to get access to the web (only!) also need to manually set up proxy settings.

It would be nice if the automatic configuration script generated by your captive portal could be tweaked to include a proxy setting for IE and Firefox so they don't need to do it manually. It would be even better if it could remove the setting when they lose their connection, but I guess that would require a task to run continually in the background.

Sadly they will still need to authenticate against the proxy when they open their browser, but we don't want to kid them into thinking life is easy do we?
