Application Note User Groups




Table of Contents

Background
Description
Benefits
Theory of Operation
Interaction with Other Features
Configuration
Application Example
Tips and Recommendations

Rev 081408

Background

Wi-Fi networks today are no longer the basic hotspots of a few years ago; they have taken their place as a peer of wired networks. As wireless networks have matured with greater levels of security and increased performance, we are seeing migration to a model where wireless is becoming the primary medium of connectivity at the edge of our networks because of the mobility it provides. As this migration continues to expand, greater numbers of users are connecting wirelessly to the network. This results in the need for greater segmentation and control of the wireless clients.

Segmentation via the use of SSIDs is still the most common way to separate and classify users. Within the SSID, policies can be defined that offer a set of privileges to associated clients; these include time of day access, authentication requirements, data rates, VLAN mappings, etc. These policies are key in managing a large user base; however, as the number of wireless clients requiring different rights grows, so does the number of SSIDs required. A method is needed to define user policies independent of the SSID so that SSID parameters can be used to set basic rights, like time of day access and authentication type, and other methods can be used within the SSID to further define individual rights, such as VLAN mapping, allowed data rates, QoS rules, etc. These user-profile-based policies are identified as User Groups and sit on top of the SSID.

Description

The Xirrus Wi-Fi Array offers User Group services to provide simplified user management for those environments where multiple client classification policies are required. Clients are mapped to specific User Group assignments dynamically through an external RADIUS server. Any standard RADIUS server can provide this function.

User Groups can be defined with any or all of the following parameters/policies applied to client traffic:

- VLAN Mapping
- Filter Lists
- QoS Levels
- Roaming Services
- DHCP Pools
- Station Limits
- Traffic Limits
- Time on / Time off
- Days On / Days Off
- Web Page Redirection

Benefits

User Groups greatly simplify the management of wireless clients and offer the following direct benefits:

- Simplify User Configuration: One SSID can provide different levels of network access to specified groups of users. Using one SSID for multiple User Groups reduces the overhead on the wireless medium.
- Network Access Management: Enables the administrator to define a group of users based on the level of network resources they need to do their given job. It can also be used to segment network resources for security purposes. Up to 16 different user groups are supported per SSID.
- Level of Service: The Array can offer different levels of service to each user when User Groups are implemented in combination with QoS, bandwidth controls, filter lists and WPR. By applying filter lists at the User Group level, administrators can be assured users are only accessing appropriate network resources. This gives administrators complete control over the end user's quality of experience.
- Policy Changes: The administrator can make policy changes to one or a group of clients without having to make changes to existing SSIDs. Changes occur as required without impacting non-involved clients.

Theory of Operation

Wireless clients are mapped to User Groups based on information configured in the RADIUS server. The Wi-Fi Array's internal RADIUS server or an external RADIUS server can be used for this operation. When using an external RADIUS server, the mapping is done with the RADIUS Filter-ID (attribute 11). The Filter-ID is associated with the wireless client information in the RADIUS database. When the client is authenticated, this Filter-ID accompanies the authorization from the RADIUS server to the Wi-Fi Array. The Array uses this information to map the client to the appropriate group, independent of the SSID the client has joined.

This same process works even if Microsoft Active Directory information is used by the RADIUS service for client validation.

The following diagram demonstrates the process that occurs for wireless clients authenticating into a wireless network and mapped to a specific User Group.

Figure 1: Client Authentication Process

Interaction with Other Features

The Wi-Fi Array has many advanced features and management capabilities. This section identifies those features with dependencies associated with User Groups.

- SSIDs are always required for basic Wi-Fi connectivity and should be configured first. User Groups logically sit above SSIDs, allowing a group to span SSIDs or multiple groups to exist within one SSID.
- Network administrators can set traffic limits at the SSID level or the User Group level. Traffic limits can be used to restrict data traffic based on the day of the week, time of day, or amount of traffic. If traffic limits are specified at both the User Group and SSID levels, the more restrictive of the traffic limits will be in effect.
- VLANs can be defined within a User Group and should be configured prior to the groups. User Groups use static group mappings to VLANs on the Array. Caution should be taken not to classify the same user to be dynamically assigned to a VLAN and as a member of a User Group. The Array will drop the dynamic VLAN passed in the RADIUS Access-Accept if the Filter-ID attribute is present.
- Filter lists are optional when using User Groups, but using them allows the control of a User Group down to the protocol and port level.
- DHCP pools are optional when using User Groups, but allow the administrator to control the assigning of IP addresses at the group level.
- Roaming control at layer 3 is optional with User Groups, but gives the administrator control by User Group.

Configuration

The configuration of User Groups in a Wi-Fi Array network requires setup of several components in the network, including a RADIUS server and switches with VLANs. The configuration of the Array can be performed via the Web Management Interface (WMI) or Command Line Interface (CLI).

User Group Configuration Using the Web Management Interface (WMI)

1. SSIDs should be configured prior to setting up User Groups. From the SSIDs/SSID Management screen in WMI, create the SSIDs that will be supported on the wireless network, in this example the SSID xirrus. As with all WMI configurations, when finished on a screen, click Apply and then Save to save the changes.

2. VLANs should be configured prior to setting up User Groups, typically one for each group type. From the VLANs/VLAN Management screen, configure VLANs. In this example, VLANs Student=169, Staff=170, and Guest=171 are created.

3. The RADIUS Server configuration on the Array should be made next. From the Security/External Radius screen, configure the IP address, Port Number, and shared secrets of the RADIUS server.

4. Next configure the User Groups on the Array. From the Groups/Group Management screen, configure the different groups based on user profile. Group names are case sensitive and can contain up to 32 alphanumeric characters, but cannot include spaces. The RADIUS ID field should match the Filter-ID setting on the RADIUS server.

5. The next steps provide an example configuration of a Microsoft IAS server configured to work in conjunction with User Groups on the Wi-Fi Array. Actual configuration may vary based on specific implementation requirements.

6. Configure the RADIUS client on the IAS server. The client in this case is the Array, and a secret must be provided. This allows the Array to communicate with the IAS server on behalf of the clients authenticating through the Array.

7. Configure the Array object on the IAS server.

8. Create users on the IAS server. In this example, we have created Student1, Staff1 and Guest1.

9. Create Groups on the IAS server by right-clicking on Users / New / Groups / Create Students / Staff. Guest is already part of the Active Directory groups.

10. Add users to Groups by double-clicking the Student group and adding Student1 to this group. Do the same for the Staff and Guest groups, adding users Staff1 and Guest1.

11. Next configure client settings on the IAS server for authentication utilizing Groups. Create a Profile name that will be unique for this Group authentication. In this example, the name is Student1, the SSID is Xirrus, and User Group is Student.

12. Under Security Settings for the Student profile, configure the security parameters of the wireless connection. In this example, we set WPA2-Enterprise with AES-CCMP, PEAP, MS-CHAP-V2. Insert the following credentials: User Name is Student1 and Domain is HomeLab1.net. The Roaming Identity generally must match the User Name field, so enter Student1 in this box.

13. The certificate being used in this example is a certificate called Homelab Test Certificate. See the Xirrus Tech Tip "Xirrus Wi-Fi Array Configuration Guide WPA-EAP-PEAP with Microsoft IAS" (TT-1002) for a description of how to generate a certificate. This document provides details on how to configure the IAS server, Active Directory, and additional services.

14. The next steps provide an example configuration of a Windows XP station. Actual configuration may vary based on specific implementation requirements and the operating system used.

15. View Available Wireless Networks by right-clicking the wireless icon in Windows.

16. Go to the "Change the order of preferred networks" menu.

17. Select the SSID the station will be connecting to and change the properties for that SSID.

18. Configure authentication:
    a. Enable IEEE 802.1x authentication
    b. Set EAP type to PEAP
    c. Ensure "Authenticate as computer when computer information is available" is not selected (unless the computer username/password are the same used to authenticate to the User Group)

19. Set the PEAP Properties:
    a. The station should NOT validate the server certificate
    b. Authentication Method should be Secured password

20. Associate a client to verify proper user group assignment. In this example, the end user Station1 should acquire an IP address on VLAN-169 in the 192.168.10.0/24 network. Verify the station is assigned to the correct egress VLAN/User Group in the Stations table.

User Group Configuration Using the Command Line Interface (CLI)

1. SSIDs should be configured prior to setting up User Groups. From configuration mode in the CLI, type ssid, then add ssidname enable encryption wpa-both. Type save to save the configuration.

2. Next configure VLANs. From configuration mode in the CLI, type vlans, then add vlan-name number vlan#. In this example, configure VLANs Student=169, Staff=170, and Guest=171.

3. Configure the RADIUS server next. From configuration mode in the CLI, type radius-server, then external, then primary, then ip ip-address. Set the secret next by typing secret secret.

4. Next configure the User Groups themselves. From configuration mode in the CLI, type groups, then add user-group-name vlan vlan-name radius-id radius-id-name on. In this example, the User Group name, VLAN name, and RADIUS ID are all the same: Student. Repeat for the remaining groups.

5. Configuration of an external RADIUS server is required to operate User Groups. Refer to Steps 5-13 of the WMI configuration for an example RADIUS server configuration.

6. Once associated, verify stations are assigned to the correct User Group by typing show associated-stations.
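The mapping rules from Theory of Operation and Interaction with Other Features can be checked offline against captured Access-Accept packets before clients are moved onto User Groups. The sketch below is an added example, not Xirrus code: it assumes the dynamic VLAN arrives in Tunnel-Private-Group-ID (attribute 81) and that the RADIUS ID match is exact and case sensitive, and its function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                # RFC 2865 Filter-Id, the attribute the note names
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868; assumed carrier of the dynamic VLAN

# Array-side table from the example configuration: RADIUS ID -> static VLAN.
GROUPS = {"Student": 169, "Staff": 170, "Guest": 171}

def valid_group_name(name):
    """Group names: up to 32 alphanumeric characters, no spaces."""
    return 0 < len(name) <= 32 and name.isascii() and name.isalnum()

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) for one RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def classify(packet, groups=GROUPS):
    """Predict the group/VLAN outcome and list conflicts worth reviewing."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    filter_id = dynamic_vlan = None
    for a_type, value in attrs:
        if a_type == FILTER_ID and filter_id is None:
            filter_id = value.decode("utf-8", "replace")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and dynamic_vlan is None:
            if value and value[0] <= 0x1F:  # leading tag octet, not VLAN text
                value = value[1:]
            dynamic_vlan = value.decode("ascii", "replace")
    out = {"group": None, "vlan": dynamic_vlan, "findings": []}
    if filter_id is not None:
        out["vlan"] = None  # per the note, Filter-Id wins over a dynamic VLAN
        if dynamic_vlan is not None:
            out["findings"].append(f"dynamic VLAN {dynamic_vlan} dropped")
        if filter_id in groups:  # exact, case-sensitive match (assumption)
            out["group"], out["vlan"] = filter_id, groups[filter_id]
        else:
            out["findings"].append(f"Filter-Id {filter_id!r} matches no group")
    return out

def build_accept(attrs):
    """Constructed sample packet: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for sample in ([(11, b"Student")], [(11, b"Staff"), (81, b"\x01171")],
                   [(11, b"student")], [(81, b"\x00171")]):
        print(classify(build_accept(sample)))
```

A non-empty findings list marks a user whose RADIUS record either carries both a Filter-ID and a dynamic VLAN or names a group the Array does not have; what the Array does with an unmatched Filter-ID is not stated in this note, so the sketch only reports it.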

Application Example

Following is an example of how User Groups might be implemented in an academic environment.

- The Student User Group represents the students, and provides access only to student resources and the Internet.
- The Staff User Group represents school staff and provides access to all resources on the network and the Internet.
- The Guest User Group represents guests and contractors and provides access only to the Internet. In addition, these users are rate limited to 2000 pps.

Tips and Recommendations

When is it recommended to use User Groups?
User Groups should be implemented when multiple types of user profiles exist that can share the same encryption type, but need different network resources due to a security policy.

When is it recommended not to use User Groups?
It is not recommended to use User Groups when using dynamic VLANs. The User Group's VLAN setting will override the Dynamic VLAN settings.

How do I configure SSIDs with User Groups?
The number of SSIDs can be reduced when implementing User Groups. From the example in the Application Example section, 3 potentially different SSIDs can be collapsed into 2: one SSID for Students and Staff with WPA2 encryption and authentication, and one SSID for Guests and contractors that is open and authenticated through a web page.

What policies should I define at the SSID level?
This depends on how the SSID is going to be used. Example policies to configure at the SSID level include:

- Radio bands 11a/b/g/n
- 802.1x Authentication
- Encryption Type: WPA2/WPA/WEP
- RADIUS Server

What policies should I define at the User Group level?
Policies at the Group level will generally be very specific to the profiles of the user types. An example for a Student Group:

- Traffic limits per station
- Time of day access
- Days of the week access
- Web Page Redirect using authentication and agreeing to acceptable use policy

Where can I find more information about RADIUS?

- RFC 2865, Remote Authentication Dial In User Service (RADIUS)
- Xirrus TechTip TT-1002 provides details on how to set up and configure a Microsoft IAS RADIUS Server.