Who the Hell is Using My Wi-Fi?
Despite our incessant spewage about smart antenna arrays, dynamic beamforming and maximal ratio combining, there's more to Wi-Fi and networking than RF (but don't ever say this to our founders). There's security, user roles and access policy and a load of other fancy techniques usually associated with island vendors.
We talk to a lot of hotels, schools, hospitals, warehouses and other types of enterprises that want sophisticated Wi-Fi/network management but want it radically simplified. User identity, or so-called "identity management", is one of those things.
How can you know that users are who they say they are on your network? Here are some simple ways to manage user identity in a simpler fashion (we're Wi-Fi simpletons):
1. Identity Management by WLAN (SSID)
2. Network Access Control (NAC)
3. Layer 2 Firewalling
4. Virtual Private Network (VPN)
In this case, you can put users into roles based on how they connect to the WLAN. For example, a Guest SSID is offered which is quite restricted and to which only guests connect. Since all guests are treated equally, there's no need for further subdivision of guests into sub-groups. For internal use, a corp SSID is commonly offered for employee use only. Once again, in nearly every installation we've seen, the wireless LAN employee access follows the wired network security mechanism, meaning that once an employee connects, they get access to everything on the internal network. This is a necessary limitation since it can be extremely confusing to employees if they can access something on one network but not the other. Consistency is key.
Identity management by WLAN is very popular, because it’s easy to understand and straightforward to troubleshoot and manage. Different user groups are on different IP networks, so existing firewalls and infrastructure can continue without any changes. If reducing complexity or management overhead is what you’re looking for, this is probably the right approach for you.
NAC is becoming a very popular approach with offerings from companies such as Bradford Networks. NAC is a great tool that works on both wired and wireless networks and offers client scanning (for anti-virus software, patches, etc.) and automatic quarantine and remediation. This is in addition to identity management for controlling network access. NAC is a great choice for any organization, but in particular those that may have non-IT controlled devices connecting to the network or need to control access identically and seamlessly across wired and wireless LANs.
This is based around the concept of multiple types of users (employees and guests) accessing the same WLAN SSID. In this case, both groups connect to the wireless LAN the same way (Captive Portal, PSK, etc.) and share the same Layer 2 network (VLAN) and IP subnet.
The problem here is that, by the time the wireless traffic gets to a firewall on the wired network, the firewall has no way of determining which user should get which type of network access. To get around this, you would need a firewall built into the WLAN that can identify users after authentication and do the firewalling itself. If the thought of multiple SSIDs is anathema and you must have a single SSID for everyone, guests and employees alike, this is the solution for you. It is also the most complex choice on this list.
By requiring the wireless hardware to firewall traffic, IT gets stuck with two different firewall solutions (wireless vs. wired). Each must have its policies synchronized somehow so that users' access is consistent – with different vendors the only real way to do this would be by hand, a tedious and time-consuming process. Security also suffers since there is usually just one authentication type per SSID. That means all users (visitors and employees) use Captive Portal (with no encryption), or they all use a PSK (with all of the issues of giving this out to visitors), or 802.1X, which is very complex to require of visitors. Troubleshooting can also suffer since, from a network management point of view, guests and employees look the same on the wireless network – they are in the same VLAN and therefore difficult to tell apart.
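To make the contrast between identity management by WLAN and Layer 2 firewalling concrete, here is a small model added for this post (not code from the original or from any vendor). It shows what a wired firewall can see in each design; every SSID, VLAN, subnet and user name in it is constructed for illustration.

```python
# Added example, not part of the original post. Models the wired firewall's view
# under the per-SSID (separate VLAN) design and the shared-SSID (Layer 2
# firewall in the WLAN) design. All values below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_VLAN, GUEST_VLAN, SHARED_VLAN = 10, 100, 20
VLAN_SUBNET = {
    CORP_VLAN: ip_network("10.10.0.0/24"),     # Corp SSID lands here
    GUEST_VLAN: ip_network("10.100.0.0/24"),   # Guest SSID lands here
    SHARED_VLAN: ip_network("10.20.0.0/24"),   # single-SSID design: everyone here
}

@dataclass
class Session:
    user: str
    role: str      # "employee" or "guest": known to the WLAN after authentication
    ssid: str
    src_ip: str

def vlan_of(src_ip: str):
    """The only identity a wired firewall has: the subnet (VLAN) a packet came from."""
    ip = ip_address(src_ip)
    return next((v for v, net in VLAN_SUBNET.items() if ip in net), None)

def role_seen_by_wired_firewall(src_ip: str) -> str:
    """Per-SSID design: the role follows from the VLAN. Shared design: it cannot."""
    return {CORP_VLAN: "employee", GUEST_VLAN: "guest"}.get(vlan_of(src_ip), "unknown")

def wired_firewall_allows(src_ip: str, dest: str) -> bool:
    """Existing wired policy, unchanged: employees reach everything, guests only the Internet.
    The shared VLAN must be trusted wholesale, delegating enforcement to the WLAN firewall."""
    if vlan_of(src_ip) == SHARED_VLAN:
        return True
    return role_seen_by_wired_firewall(src_ip) == "employee" or dest == "internet"

def wlan_firewall_allows(s: Session, dest: str) -> bool:
    """Layer 2 firewall inside the WLAN: it has the authenticated role, so it can
    enforce per user. This second policy set must be kept in sync with the wired one."""
    return s.role == "employee" or dest == "internet"

def effective_allow(s: Session, dest: str) -> bool:
    """What the user actually gets: WLAN firewall first, then the wired firewall."""
    return wlan_firewall_allows(s, dest) and wired_firewall_allows(s.src_ip, dest)
```

In the shared-VLAN case the wired firewall reports "unknown" for guest and employee alike, which is the troubleshooting problem described above; the guest is only stopped because the WLAN firewall carries the same rule.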
This was a common technique used in the early days of wireless, before strong WPA2 security existed. In this case you can have a shared SSID for guests and employees – but require employees to launch a VPN client over the wireless connection. This lets you get away with just one, simple, SSID, but it has the disadvantage of placing users on the same VLAN and requiring employees to connect to the wireless differently than on the wired network. This can be a big negative for the IT helpdesk that must field these calls.
Of course there are some other, less common, techniques available, but this is a reasonably representative list. Each method has its own advantages and disadvantages. So which one should you use? Our motto: when in doubt, keep it simple. You'll be happier.