Secure WiFi Access in Schools and Educational Institutions. WPA2 / 802.1X and Captive Portal based Access Security

Transcription

1 Secure WiFi Access in Schools and Educational Institutions WPA2 / 802.1X and Captive Portal based Access Security Cloudessa, Inc. Palo Alto, CA July 2013

2 Overview The accelerated use of technology in the educational system has driven a widespread deployment of WiFi networks. The increased availability of network access in schools poses a unique set of access security challenges. WiFi networks must: Secure institutionally owned tablets and devices Host and secure student, faculty and guest bring your own device (BYOD) notebooks and phones Limit access to authorized users Protect user credentials Control access to network resources Manage bandwidth A comprehensive WiFi access infrastructure is an essential requirement for every school system and college campus network deployment. The infrastructure must ensure that only authorized users gain access to network resources, while maintaining a record of network activity to ensure accountability. Credentials must be validated for each user or device that attempts to connect to the network, and the appropriate level of authorization must be allocated for each user. Students, faculty, staff and visitors or guests each have different requirements and limitations, and each group should be prioritized based on the needs of the institution. Faculty and staff need immediate access to institutional records, exams and grades. Resources such as printers and external internet access should be readily available. Students require access to internal network resources, but unrestricted external internet access could impact productivity and affect network performance. Guests and visitors should have managed access, with uses and privileges defined. When architecting WiFi deployments, many school systems choose to set up different networks with different Service Set Identifiers (SSIDs) within the network. This allows network segments to be isolated: a highly secure network for faculty and staff; a restricted network for students; and an internet portal for guests and visitors. 2/9

3 Practical Considerations WPA2/802.1X (strong security) and Captive Portal (browser-based security) can provide secure and flexible access control for a diverse user base. Many institutions have an existing store of user names, passwords and other information to secure network access for faculty, staff and students. To simplify WiFi user authentication, an existing Active Directory, LDAP or SQL user database can be leveraged for authentication. A Google Apps user store can also now be used to establish user validation. Within a complex educational network environment, it is important to not only provide authentication services to limit who can access the network, but also to control what users access once they have been authenticated. For example, you can assign different users to specific VLANs. Strong port-based security ensures that individuals cannot access sensitive materials without a need for the information. The prioritization and delivery of data across the WiFi network is another important consideration when designing a network infrastructure. Within a large college or university, it may be necessary to allocate network bandwidth based on the institution s operational needs. Several complications exist within the current educational network framework: Different departments or schools within a large district may use different user stores or credentials, or need to enforce different access rights and security requirements. Many networks are built over time, and a variety of access gateways and WiFi access points (APs) from different vendors deployed in the network. Enforcing a consistent set of access control policies across different gateways from different vendors can be challenging. Educational network administrators must also be aware of institutional accountability for network access. It is imperative that educational institutions have records detailing who is accessing their network and be able to identify the responsible parties is there were ever to be a question of copyright or intellectual property infringement or other questionable activity emanating from their network. RADIUS accounting logs provide appropriate network access details to enable institutions to meet accountability requirements. The Role of RADIUS and AAA Network Management Authenticating users to a network through WPA2, 802.1X or Captive Portal requires the use of a RADIUS server. The RADIUS server provides the means to centrally manage authentication, authorization and accounting (AAA). This combination of services is the key component to manage and secure WiFi deployments in educational institutions. A centralized RADIUS server accepts authentication requests from WiFi access points. User authentication is processed throughalocaluserstore,orthroughan external database. Authentication is accepted or rejected based on the validity of the provided credentials. Authorization to network resources is based on attributes returned by the RADIUS server for each user session. Access logs are generated and stored to detail who (or what device) has accessed the network. 3/9

4 Multi-School WiFi Deployment with Cloudessa Hosted RADIUS Service The following diagram illustrates a RADIUS-based architecture for a multi-building school district or campus. Cloud / Internet Cloud User Store Cloudessa RADIUS Service Google Apps Native DB School District Data Center Active Directory LDAP SQL Teachers / Staff Visitors Students and Guests SCHOOL #1 Teachers / Staff Visitors Students and Guests Teachers / Staff SCHOOL #2 Visitors Students and Guests SCHOOL #3 Cloudessa RADIUS is deployed for security at all access gateways. Multiple SSID Educational WiFi Deployment with WPA2, 802.1X and Captive Portal Browser-based Login Security Cloudessa RADIUS is used to enforce access restrictions based on the SSID that the user or device associates with, and the user identity. Each access point is configured with multiple SSIDs, and each SSID has a unique set of authorized users and devices and a mandated level of access security. This allows educational institutions to segregate students, faculty and other users. 4/9

5 Cloudessa RADIUS Service Cloudessa Captive Portal Cloud Service Cloud / Internet Wi-Fi Network Controller (optional) Private / Public Cloud Students Active Directory LDAP Wi-Fi AP Cloud User Store Security Protocol Multiple SSID s Google Apps Teachers / Operations / Visitors / Guests Staff SQL Custom Data Store School Data Center This diagram illustrates a security architecture within a WiFi network configured with multiple SSIDs for different users. Access authentication is provided through either WPA2 / 802.1X or Captive Portal. Teachers and staff connect with the strong security of 802.1X. The access point sends authentication requests to the RADIUS server, and the RADIUS server responds with access accept or reject and the appropriate information for the user session based on the user profile. Students connect through 802.1X, or through a browser-based captive portal. Network privileges are dynamically configured based on the user s profile. Guests, visitors or operations connect through the Captive Portal, with limited network access. Each user is assigned to an appropriate user group. Network access privileges for each user group are defined in the RADIUS server. When a user successfully authenticates, the RADIUS accept message and the appropriate authorization attributes are sent to the access gateway. Those attributes are used to allocate the level of access for that session. 5/9

6 Cloudessa RADIUS Cloudessa RADIUS is a low-cost, scalable cloud-based RADIUS solution, ideal for school districts and universities with varied existing infrastructures. Cloudessa RADIUS is a subscription-based service that eliminates the cost and complexity of deploying a local RADIUS server. Cloudessa enables IT administrators to secure the WiFi network without capital expense: reducing cost, effort and time. School IT administrators can choose to manage the Cloudessa RADIUS service themselves, or to further simplify and expedite deployment, Cloudessa Managed Service Provider (MSP) partners are available to assist IT organizations with the technical expertise to design, deploy and manage the RADIUS infrastructure. Cloudessa is simple to configure and administer. The interface is accessible and intuitive. There is no hardware or software cost, and no installation requirements. A simple interface, configuration wizards, complete documentation and expert support enable you to implement access security with a minimal investment of time and resources. Cloudessa can leverage your existing authentication infrastructure. For example, if you have existing user data in Active Directory, LDAP, SQL, or Google Apps, you can re-use these resources for network access security without duplicating user information. Sensitive user information remains under IT control. 6/9

7 Cloudessa supports both industry standard WPA X based security, as well as Captive Portal browser-based authentication. Cloudessa is built on the FreeRADIUS code base. FreeRADIUS provides a proven market solution that is deployed in thousands of educational networks, including some of the largest Universities in the world. Cloudessa RADIUS is not just for WiFi. It can also authenticate users accessing the network from VPNs, firewalls and other access gateways in addition to WiFi APs. The RADIUS server can return user specific and session specific authorization attributes, including VLAN assignment and bandwidth allocation. For example, network traffic for faculty and staff can be prioritized over student activity to Facebook or Twitter. Virtual RADIUS Servers With Cloudessa RADIUS, administrators can create multiple virtual RADIUS servers with a single Cloudessa subscription. Each virtual RADIUS server can be configured to meet the needs of a specific functional or organizational unit. Different security and access levels can be established for each virtual RADIUS server. Virtual RADIUS functionality is powerful within a school district or large educational institution to enable a single centralized access security platform, accommodating the needs of each school or department. Enabling centralized management of resources simplifies administration across physical boundaries. Google Support Cloudessa RADIUS simplifies administration by allowing users to authenticate with Google Apps. If individuals have an existing user name and password to access Google Apps, the user can authenticate using the same credentials. Simply configure the Cloudessa RADIUS server for Google Apps authentication, and each time a user attempts to access the network, the RADIUS server validates the credential against Google Apps. The Google Chromebook can be used to securely access the network. Google Chrome OS includes an 802.1X client that simplifies the process of securely passing user credentials to the RADIUS server for authentication. Chromebook also supports Captive Portal browser based login. 7/9

8 Eduroam - Secure Roaming Internet Access for Educational Institutions According to the eduroam Policy Service Definition for SA3, Task 2: "eduroam" (EDUcation ROAMing) allows users from participating academic institutions secure Internet access at any eduroam-enabled institution. The architecture that enables this is based on a number of technologies and agreements, which together provide the eduroam user experience: open your laptop and be online. The basic principle underpinning the security of eduroam is that the authentication of a user is carried out at his/her home institution using the institution s specific authentication method. The authorization required to allow access to local network resources is carried out by the visited network. The European eduroam service provides this facility as a confederated service, built hierarchically. At the top level sits the confederation level service, which primarily provides the confederation infrastructure required to grant network access to all participating members of the eduroam service at any time. This confederation service is built upon the national roaming services, operated by the national roaming operators (NROs) (in most cases, NRENs). National roaming services make use of other entities, for example, campuses and regional facilities. A hierarchical system of Remote Authentication Dial-In User Service (RADIUS) servers is used to transport the authentication request of a user from the visited institution to his/her home institution, as well as the authentication response. Typically, every institution deploys a RADIUS server, which, in turn, is connected to a local user database. This RADIUS server is connected to a central, national RADIUS server, which, in turn, is connected to a regional or global RADIUS server. 1 Cloudessa RADIUS is fully compatible with the eduroam service, and can be deployed by institutions participating in the eduroam network as the "home" or "edge" RADIUS server, authenticating users against a local user database. Cloudessa RADIUS as-a-service enables institutions to quickly and easily participate in the eduroam network, without the hassle, capital cost, and on-going maintenance expense of deploying an onpremises RADIUS infrastructure. 1 eduroam Policy Service Definition for SA3, Task 2. M. Milinovi ć, Srce / CARNet, Stefan Winter, RESTENA and members of the SA3 T2 group; Date of Issue: 26/07/12 Document Code: GN /9

9 Strong WiFi Security on a School Department Budget with RADIUS-as-a-Service Cloudessa RADIUS offers the following advantages: Flexible consumptive licensing cuts costs vs. legacy RADIUS server cost. Capital expenditures and IT workload are reduced. RADIUS-as-a-service eliminates the burden of purchasing and maintaining hardware and software. IT operational expenses are reduced, with increased value for existing clients. IT can focus on high value activities instead of maintenance of infrastructure. Cloudessa Managed Service Partners are available to provide expert deployment assistance and can be engaged to fully manage, on an on-going basis, the Cloudessa RADIUS based access security infrastructure. Summary Educational institutions require a comprehensive security platform to enforce security across networks in an environment of increasing risk and liability. Network access must also be transparent and available to all users. Cloudessa managed RADIUS service enables educational institutions to quickly and easily deploy costeffective WiFi access security. As a subscription service, there are no hardware or software costs involved with deploying Cloudessa RADIUS. Your IT department can deploy and manage the service, or you can work with a WiFi reseller or Cloudessa MSP to have the service deployed and managed for you. Cloudessa offers a flexible and supportable solution. Cloudessa RADIUS supports virtually any WiFi AP or access gateway, and any backend user store. The solution is instantly scalable to handle any number of users in a centralized security environment, or in a geographically distributed organization. For additional details regarding securing WiFi deployments with Cloudessa RADIUS' or to learn more about our Educational Discount Program, please contact us at sales@cloudess.com. To try Cloudessa RADIUS, please visit - your first 10 users are free. Cloudessa, Inc East Bayshore Road, Suite 200 Palo Alto, CA, Call Us: P Us: sales@cloudessa.com support@cloudessa.com 9/9