Secure WiFi Access in Schools and Educational Institutions. WPA2 / 802.1X and Captive Portal based Access Security




Cloudessa, Inc., Palo Alto, CA. July 2013

Overview

The accelerated use of technology in the educational system has driven a widespread deployment of WiFi networks. The increased availability of network access in schools poses a unique set of access security challenges. WiFi networks must:

- Secure institutionally owned tablets and devices
- Host and secure student, faculty and guest bring your own device (BYOD) notebooks and phones
- Limit access to authorized users
- Protect user credentials
- Control access to network resources
- Manage bandwidth

A comprehensive WiFi access infrastructure is an essential requirement for every school system and college campus network deployment. The infrastructure must ensure that only authorized users gain access to network resources, while maintaining a record of network activity to ensure accountability. Credentials must be validated for each user or device that attempts to connect to the network, and the appropriate level of authorization must be allocated for each user.

Students, faculty, staff and visitors or guests each have different requirements and limitations, and each group should be prioritized based on the needs of the institution. Faculty and staff need immediate access to institutional records, exams and grades. Resources such as printers and external internet access should be readily available. Students require access to internal network resources, but unrestricted external internet access could impact productivity and affect network performance. Guests and visitors should have managed access, with uses and privileges defined.

When architecting WiFi deployments, many school systems choose to set up different networks with different Service Set Identifiers (SSIDs) within the network. This allows network segments to be isolated: a highly secure network for faculty and staff; a restricted network for students; and an internet portal for guests and visitors.

Practical Considerations

WPA2/802.1X (strong security) and Captive Portal (browser-based security) can provide secure and flexible access control for a diverse user base. Many institutions have an existing store of user names, passwords and other information to secure network access for faculty, staff and students. To simplify WiFi user authentication, an existing Active Directory, LDAP or SQL user database can be leveraged for authentication. A Google Apps user store can also now be used to establish user validation.

Within a complex educational network environment, it is important not only to provide authentication services that limit who can access the network, but also to control what users can access once they have been authenticated. For example, you can assign different users to specific VLANs. Strong port-based security ensures that individuals cannot access sensitive materials without a need for the information.

The prioritization and delivery of data across the WiFi network is another important consideration when designing a network infrastructure. Within a large college or university, it may be necessary to allocate network bandwidth based on the institution's operational needs.

Several complications exist within the current educational network framework:

- Different departments or schools within a large district may use different user stores or credentials, or need to enforce different access rights and security requirements.
- Many networks are built over time, with a variety of access gateways and WiFi access points (APs) from different vendors deployed in the network. Enforcing a consistent set of access control policies across different gateways from different vendors can be challenging.
- Educational network administrators must also be aware of institutional accountability for network access. It is imperative that educational institutions have records detailing who is accessing their network and be able to identify the responsible parties if there were ever to be a question of copyright or intellectual property infringement or other questionable activity emanating from their network. RADIUS accounting logs provide the network access details institutions need to meet accountability requirements.

The Role of RADIUS and AAA Network Management

Authenticating users to a network through WPA2, 802.1X or Captive Portal requires the use of a RADIUS server. The RADIUS server provides the means to centrally manage authentication, authorization and accounting (AAA). This combination of services is the key component for managing and securing WiFi deployments in educational institutions.

A centralized RADIUS server accepts authentication requests from WiFi access points. User authentication is processed through a local user store, or through an external database. Authentication is accepted or rejected based on the validity of the provided credentials. Authorization to network resources is based on attributes returned by the RADIUS server for each user session. Access logs are generated and stored to detail who (or what device) has accessed the network.
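As an added example (not Cloudessa's code), the accountability use described above in Python: it folds constructed FreeRADIUS-style "detail" accounting records into sessions and answers which user and client MAC held a given IP address at a given moment, treating a session without a Stop record as still open. The record layout, names, addresses and timestamps are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed FreeRADIUS "detail" accounting records (RFC 2866 attributes):
# jdoe holds 10.20.0.57 until 10:40; DHCP re-issues it to a student at 10:41.
SAMPLE_DETAIL = """\
Mon Jul 15 10:30:02 2013
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tAcct-Session-Id = "5c1a0f3e"
\tCalled-Station-Id = "00-11-22-33-44-55:Staff"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-01"
\tFramed-IP-Address = 10.20.0.57

Mon Jul 15 10:40:10 2013
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "5c1a0f3e"
\tFramed-IP-Address = 10.20.0.57

Mon Jul 15 10:41:33 2013
\tAcct-Status-Type = Start
\tUser-Name = "s123456"
\tAcct-Session-Id = "7e99b0c2"
\tCalled-Station-Id = "00-11-22-33-44-55:Students"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-02"
\tFramed-IP-Address = 10.20.0.57
"""
HEADER_FMT = "%a %b %d %H:%M:%S %Y"  # the per-record header line

def utc(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC instant (query helper)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

def parse_detail(text):
    """Yield (record time, {attribute: value}) per record; quotes are stripped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        when = datetime.strptime(lines[0].strip(), HEADER_FMT)
        attrs = {}
        for line in lines[1:]:
            key, _, value = line.strip().partition(" = ")
            attrs[key] = value.strip('"')
        yield when.replace(tzinfo=timezone.utc), attrs

def build_sessions(text):
    """Fold Start/Stop records into one interval per Acct-Session-Id."""
    sessions = {}
    for when, a in parse_detail(text):
        s = sessions.setdefault(a["Acct-Session-Id"],
                                dict(user=None, ip=None, mac=None, start=None, stop=None))
        s["user"] = a.get("User-Name", s["user"])
        s["ip"] = a.get("Framed-IP-Address", s["ip"])
        s["mac"] = a.get("Calling-Station-Id", s["mac"])
        if a.get("Acct-Status-Type") == "Start":
            s["start"] = when
        elif a.get("Acct-Status-Type") == "Stop":
            s["stop"] = when
    return sessions

def who_had_ip(sessions, ip, at):
    """(user, client MAC) pairs whose session held `ip` at `at`; no Stop = still open."""
    return [(s["user"], s["mac"]) for s in sessions.values()
            if s["ip"] == ip and s["start"] is not None
            and s["start"] <= at and (s["stop"] is None or at < s["stop"])]
```

The one-minute gap between the two sessions on the same address is the reason queries must be time-bounded rather than keyed on the IP alone.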

Multi-School WiFi Deployment with Cloudessa Hosted RADIUS Service

The following diagram illustrates a RADIUS-based architecture for a multi-building school district or campus.

[Diagram: Cloudessa RADIUS Service in the cloud / Internet, backed either by a cloud user store (Google Apps, native DB) or by the school district data center (Active Directory, LDAP, SQL). School #1, School #2 and School #3 each serve Teachers / Staff, Students, and Visitors and Guests. Cloudessa RADIUS is deployed for security at all access gateways.]

Multiple SSID Educational WiFi Deployment with WPA2, 802.1X and Captive Portal Browser-based Login Security

Cloudessa RADIUS is used to enforce access restrictions based on the SSID that the user or device associates with, and on the user identity. Each access point is configured with multiple SSIDs, and each SSID has a unique set of authorized users and devices and a mandated level of access security. This allows educational institutions to segregate students, faculty and other users.

[Diagram: Wi-Fi APs broadcasting multiple SSIDs, an optional Wi-Fi network controller, the Cloudessa RADIUS Service and Cloudessa Captive Portal Cloud Service in the cloud / Internet, and user stores either in a private / public cloud (Google Apps) or in the school data center (Active Directory, LDAP, SQL, custom data store). Students, Teachers / Staff, and Operations / Visitors / Guests each connect with the security protocol mandated for their SSID.]

This diagram illustrates a security architecture within a WiFi network configured with multiple SSIDs for different users. Access authentication is provided through either WPA2 / 802.1X or Captive Portal.

Teachers and staff connect with the strong security of 802.1X. The access point sends authentication requests to the RADIUS server, and the RADIUS server responds with access accept or reject and the appropriate information for the user session based on the user profile.

Students connect through 802.1X, or through a browser-based captive portal. Network privileges are dynamically configured based on the user's profile.

Guests, visitors or operations connect through the Captive Portal, with limited network access.

Each user is assigned to an appropriate user group. Network access privileges for each user group are defined in the RADIUS server. When a user successfully authenticates, the RADIUS accept message and the appropriate authorization attributes are sent to the access gateway. Those attributes are used to allocate the level of access for that session.
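An added example (not Cloudessa's or FreeRADIUS's code) of the per-SSID authorization decision described above: the user is already authenticated, and the reply is built from the SSID the AP reports in Called-Station-Id plus the user's group, returning the RFC 3580 VLAN attributes and, for students and guests, WISPr rate limits and a Session-Timeout. The policy tables, group names, VLAN numbers and the "AP-MAC:SSID" Called-Station-Id convention are assumptions.

```python
import re

# RFC 3580 values that APs and switches use for dynamic VLAN assignment
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6  # Tunnel-Medium-Type = IEEE-802

# Constructed policy: which groups may associate to each SSID, listed in
# order of precedence for users who belong to several groups.
SSID_ALLOWED_GROUPS = {
    "Staff": ["faculty", "staff"],
    "Students": ["faculty", "staff", "student"],
    "Guest": ["guest"],
}
# Constructed per-group session profile: VLAN, rate limit (bit/s, 0 = none)
# and session lifetime (seconds, 0 = none).
GROUP_PROFILE = {
    "faculty": {"vlan": "10", "rate": 0, "timeout": 0},
    "staff":   {"vlan": "10", "rate": 0, "timeout": 0},
    "student": {"vlan": "20", "rate": 10_000_000, "timeout": 0},
    "guest":   {"vlan": "30", "rate": 2_000_000, "timeout": 4 * 3600},
}
# Called-Station-Id as most APs send it: "<AP MAC>:<SSID>" (MAC with - or :)
CALLED_STATION = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")

def ssid_of(called_station_id):
    """SSID the client associated with, or None if the AP did not report one."""
    m = CALLED_STATION.match(called_station_id or "")
    return m.group(1) if m else None

def authorize(user, groups, called_station_id):
    """Decide the RADIUS reply for an already authenticated user.

    Returns ("Access-Accept", attrs) or ("Access-Reject", reason).  The SSID
    is enforced as well as the identity: valid credentials on the wrong SSID
    are rejected, so a correct student password never yields the Staff VLAN."""
    ssid = ssid_of(called_station_id)
    if ssid is None or ssid not in SSID_ALLOWED_GROUPS:
        return "Access-Reject", f"unknown or missing SSID for {user}"
    group = next((g for g in SSID_ALLOWED_GROUPS[ssid] if g in groups), None)
    if group is None:
        return "Access-Reject", f"{user} is not permitted on SSID {ssid}"
    p = GROUP_PROFILE[group]
    attrs = {  # ":0" is the tag on the tunnel attributes, FreeRADIUS notation
        "Tunnel-Type:0": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type:0": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id:0": p["vlan"],
        "Filter-Id": group,  # lets an AP apply a per-group ACL if it supports one
    }
    if p["rate"]:  # WISPr vendor attributes, honoured by most WiFi gear
        attrs["WISPr-Bandwidth-Max-Down"] = p["rate"]
        attrs["WISPr-Bandwidth-Max-Up"] = p["rate"]
    if p["timeout"]:  # RFC 2865 Session-Timeout bounds guest sessions
        attrs["Session-Timeout"] = p["timeout"]
    return "Access-Accept", attrs
```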

Cloudessa RADIUS

Cloudessa RADIUS is a low-cost, scalable cloud-based RADIUS solution, ideal for school districts and universities with varied existing infrastructures. Cloudessa RADIUS is a subscription-based service that eliminates the cost and complexity of deploying a local RADIUS server. Cloudessa enables IT administrators to secure the WiFi network without capital expense: reducing cost, effort and time.

School IT administrators can choose to manage the Cloudessa RADIUS service themselves, or, to further simplify and expedite deployment, Cloudessa Managed Service Provider (MSP) partners are available to assist IT organizations with the technical expertise to design, deploy and manage the RADIUS infrastructure.

Cloudessa is simple to configure and administer. The interface is accessible and intuitive. There is no hardware or software cost, and no installation requirements. A simple interface, configuration wizards, complete documentation and expert support enable you to implement access security with a minimal investment of time and resources.

Cloudessa can leverage your existing authentication infrastructure. For example, if you have existing user data in Active Directory, LDAP, SQL, or Google Apps, you can re-use these resources for network access security without duplicating user information. Sensitive user information remains under IT control.

Cloudessa supports both industry standard WPA2 802.1X based security and Captive Portal browser-based authentication. Cloudessa is built on the FreeRADIUS code base. FreeRADIUS provides a proven market solution that is deployed in thousands of educational networks, including some of the largest universities in the world.

Cloudessa RADIUS is not just for WiFi. It can also authenticate users accessing the network from VPNs, firewalls and other access gateways in addition to WiFi APs. The RADIUS server can return user-specific and session-specific authorization attributes, including VLAN assignment and bandwidth allocation. For example, network traffic for faculty and staff can be prioritized over student activity on Facebook or Twitter.

Virtual RADIUS Servers

With Cloudessa RADIUS, administrators can create multiple virtual RADIUS servers with a single Cloudessa subscription. Each virtual RADIUS server can be configured to meet the needs of a specific functional or organizational unit. Different security and access levels can be established for each virtual RADIUS server. Virtual RADIUS functionality is powerful within a school district or large educational institution: it enables a single centralized access security platform that accommodates the needs of each school or department. Centralized management of resources simplifies administration across physical boundaries.

Google Support

Cloudessa RADIUS simplifies administration by allowing users to authenticate with Google Apps. If individuals have an existing user name and password to access Google Apps, they can authenticate using the same credentials. Simply configure the Cloudessa RADIUS server for Google Apps authentication, and each time a user attempts to access the network, the RADIUS server validates the credential against Google Apps.

The Google Chromebook can be used to securely access the network. Google Chrome OS includes an 802.1X client that simplifies the process of securely passing user credentials to the RADIUS server for authentication. Chromebook also supports Captive Portal browser-based login.

Eduroam - Secure Roaming Internet Access for Educational Institutions

According to the eduroam Policy Service Definition for SA3, Task 2 [1]:

"eduroam" (EDUcation ROAMing) allows users from participating academic institutions secure Internet access at any eduroam-enabled institution. The architecture that enables this is based on a number of technologies and agreements, which together provide the eduroam user experience: open your laptop and be online.

The basic principle underpinning the security of eduroam is that the authentication of a user is carried out at his/her home institution using the institution's specific authentication method. The authorization required to allow access to local network resources is carried out by the visited network.

The European eduroam service provides this facility as a confederated service, built hierarchically. At the top level sits the confederation level service, which primarily provides the confederation infrastructure required to grant network access to all participating members of the eduroam service at any time. This confederation service is built upon the national roaming services, operated by the national roaming operators (NROs) (in most cases, NRENs). National roaming services make use of other entities, for example, campuses and regional facilities.

A hierarchical system of Remote Authentication Dial-In User Service (RADIUS) servers is used to transport the authentication request of a user from the visited institution to his/her home institution, as well as the authentication response. Typically, every institution deploys a RADIUS server, which, in turn, is connected to a local user database. This RADIUS server is connected to a central, national RADIUS server, which, in turn, is connected to a regional or global RADIUS server.

Cloudessa RADIUS is fully compatible with the eduroam service, and can be deployed by institutions participating in the eduroam network as the "home" or "edge" RADIUS server, authenticating users against a local user database. Cloudessa RADIUS as-a-service enables institutions to quickly and easily participate in the eduroam network, without the hassle, capital cost, and on-going maintenance expense of deploying an on-premises RADIUS infrastructure.

[1] eduroam Policy Service Definition for SA3, Task 2. M. Milinović, Srce / CARNet, Stefan Winter, RESTENA and members of the SA3 T2 group. Date of issue: 26/07/12. Document code: GN3-12-192.
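An added example (not Cloudessa's or eduroam's code) of the two decisions an institution's home/edge RADIUS server makes in the hierarchy described above: requests for the institution's own realms are authenticated locally and everything else is forwarded up to the national roaming operator, while an Access-Accept that comes back for a roaming visitor gets the visited network's own authorization rather than the home network's. Realm and server names, the hop limit, the visitor VLAN and the realm hygiene rules are assumptions.

```python
# Constructed: realms this institution authenticates itself ("home" realms).
HOME_REALMS = {"school.example", "alumni.school.example"}
# Constructed: the national roaming operator's RADIUS servers (next hop up).
NRO_SERVERS = ["nro1.eduroam.example", "nro2.eduroam.example"]
MAX_PROXY_HOPS = 8   # loop guard: too many Proxy-State entries means a routing loop
VISITOR_VLAN = "40"  # constructed: the VLAN this campus gives roaming visitors

def split_realm(user_name):
    """Return (identity, realm) from the outer identity 'user@realm'.

    The realm is lower-cased (realms are case-insensitive); None if absent."""
    if user_name is None or user_name.count("@") != 1:
        return user_name, None
    identity, realm = user_name.rsplit("@", 1)
    return identity, realm.strip().lower() or None

def route(user_name, proxy_hops=0):
    """Decide where an Access-Request is processed.

    Returns ("local", realm), ("proxy", server) or ("reject", reason).  Only
    realms another institution could answer are sent up the hierarchy; requests
    with no realm or an unroutable one are refused here (constructed policy)."""
    _, realm = split_realm(user_name)
    if realm is None:
        return "reject", "no realm in outer identity"
    if "." not in realm or realm == "localhost" or realm.endswith((".local", ".localdomain")):
        return "reject", f"realm {realm!r} is not a routable domain"
    if realm in HOME_REALMS or any(realm.endswith("." + h) for h in HOME_REALMS):
        return "local", realm  # authenticate against our own user store
    if proxy_hops >= MAX_PROXY_HOPS:
        return "reject", "proxy loop suspected"
    # Forward to the national level, which routes on to the home institution
    # and relays the Access-Accept/Reject back down the same path.
    return "proxy", NRO_SERVERS[sum(map(ord, realm)) % len(NRO_SERVERS)]

def authorize_visitor(home_reply):
    """Visited-network authorization for a roaming user.

    The home server decided whether the credentials are valid; any VLAN or
    rate-limit attributes it sent refer to the home network and are replaced
    by this campus's visitor profile.  Other attributes (e.g. Class) pass through."""
    code, attrs = home_reply
    if code != "Access-Accept":
        return home_reply
    kept = {k: v for k, v in attrs.items() if not k.startswith(("Tunnel-", "WISPr-"))}
    kept.update({"Tunnel-Type:0": 13, "Tunnel-Medium-Type:0": 6,  # RFC 3580 VLAN
                 "Tunnel-Private-Group-Id:0": VISITOR_VLAN})
    return "Access-Accept", kept
```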

Strong WiFi Security on a School Department Budget with RADIUS-as-a-Service

Cloudessa RADIUS offers the following advantages:

- Flexible consumptive licensing cuts costs vs. legacy RADIUS server cost. Capital expenditures and IT workload are reduced.
- RADIUS-as-a-service eliminates the burden of purchasing and maintaining hardware and software. IT operational expenses are reduced, with increased value for existing clients. IT can focus on high value activities instead of maintenance of infrastructure.
- Cloudessa Managed Service Partners are available to provide expert deployment assistance and can be engaged to fully manage, on an on-going basis, the Cloudessa RADIUS based access security infrastructure.

Summary

Educational institutions require a comprehensive security platform to enforce security across networks in an environment of increasing risk and liability. Network access must also be transparent and available to all users.

Cloudessa managed RADIUS service enables educational institutions to quickly and easily deploy cost-effective WiFi access security. As a subscription service, there are no hardware or software costs involved with deploying Cloudessa RADIUS. Your IT department can deploy and manage the service, or you can work with a WiFi reseller or Cloudessa MSP to have the service deployed and managed for you.

Cloudessa offers a flexible and supportable solution. Cloudessa RADIUS supports virtually any WiFi AP or access gateway, and any backend user store. The solution is instantly scalable to handle any number of users in a centralized security environment, or in a geographically distributed organization.

For additional details regarding securing WiFi deployments with Cloudessa RADIUS, or to learn more about our Educational Discount Program, please contact us at sales@cloudessa.com. To try Cloudessa RADIUS, please visit www.cloudessa.com - your first 10 users are free.

Cloudessa, Inc.
2225 East Bayshore Road, Suite 200, Palo Alto, CA 94303
Email Us: sales@cloudessa.com, support@cloudessa.com