Additional Intranet Wireless Deployment Configurations; Internet Access For Business Partners; Using Guest Access; Using Validated Access - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

Creating the Windows Security Infrastructure

Additional Intranet Wireless Deployment Configurations

This section describes the following additional intranet wireless deployment configurations:

Internet access for business partners
Using a third-party CA
Cross-forest authentication
Using RADIUS proxies to scale authentications
Internet Access for Business Partners
The following is the behavior of most wireless APs in use today with respect to the receipt of RADIUS
Access-Accept and Access-Reject messages:
When the wireless AP receives an Access-Accept message, the connection is allowed
When the wireless AP receives an Access-Reject message, the connection is denied
To allow a business partner, vendor, or other non-employee to gain access to a separate network using
the same wireless infrastructure that allows employees to access the organization intranet, the
connection request must result in an Access-Accept message from the RADIUS server. To get an
Access-Accept message from the RADIUS server, you must either use guest access or the business partner,
vendor, or other non-employee must have a valid account and certificates.

Using Guest Access

Guest access occurs when wireless clients are connected without sending a user identity. The wireless
client does not provide a user name or credentials to the wireless AP. Therefore, the wireless AP does
not include user identity (the User-Name attribute) or credential attributes in the Access-Request
message. When the IAS server receives an Access-Request message that contains no user identity or
credentials attributes, it verifies whether unauthenticated access is enabled for the remote access policy
that matches the connection attempt. If a user identity attribute is not included, the IAS server uses the
Guest account to obtain user account dial-in properties and group membership. If a user identity
attribute is included but credential attributes are not, the IAS server uses the indicated account to obtain
user account dial-in properties and group membership.
Restricted network access for guest access clients is supported on wireless APs by using IP filtering or
VLANs. To specify a virtual LAN identifier for unauthenticated access, configure the Tunnel-Type and
Tunnel-Pvt-Group-ID attributes on the advanced properties of the appropriate remote access policy.
For more information about unauthenticated and guest access with IAS, see Windows 2000 Server Help
or Windows Server 2003 Help and Support.
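The following is an added example (not the manual's own code) that models the IAS decision for a credential-less Access-Request described above and then encodes the RADIUS reply the AP acts on, carrying the VLAN assignment as the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of RFC 2868 (IAS labels the last one Tunnel-Pvt-Group-ID; RFC 3580 also requires Tunnel-Medium-Type for 802 VLANs). The guest VLAN number, shared secret and attribute dictionary are assumed sample values.

```python
# Added example, not the manual's own code: models the IAS decision for a credential-less
# Access-Request and encodes the resulting RADIUS reply with the VLAN attributes
# (Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID, RFC 2868 / RFC 3580).
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79          # RFC 2865 / RFC 2869 attribute types
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def evaluate_request(attrs, unauthenticated_access_enabled):
    """attrs maps attribute type -> value from the AP's Access-Request.
    Returns (reply code, account whose dial-in properties and group membership are used)."""
    if USER_PASSWORD in attrs or EAP_MESSAGE in attrs:
        raise ValueError("credentials present: normal authentication path, not modelled here")
    if not unauthenticated_access_enabled:
        return ACCESS_REJECT, None
    # No identity -> Guest account; identity without credentials -> the named account.
    return ACCESS_ACCEPT, attrs.get(USER_NAME, "Guest")

def tagged_avp(attr_type, value, tag=1):
    """RFC 2868 tagged attribute layout: Type, Length, Tag, Value."""
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value

def vlan_attrs(vlan_id):
    """Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802; the group ID carries the VLAN number."""
    return (tagged_avp(TUNNEL_TYPE, struct.pack("!I", 13)[1:])
            + tagged_avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6)[1:])
            + tagged_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))

def build_reply(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 s3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs

def verify_reply(packet, request_authenticator, secret):
    """The check an AP must make before honouring an Access-Accept it receives."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def guest_reply(attrs, ident, request_authenticator, secret, guest_vlan=200, unauth_enabled=True):
    """Full IAS-side flow: policy decision, then the reply the AP acts on (guest_vlan is an assumed value)."""
    code, _account = evaluate_request(attrs, unauth_enabled)
    reply_attrs = vlan_attrs(guest_vlan) if code == ACCESS_ACCEPT else b""
    return build_reply(code, ident, request_authenticator, reply_attrs, secret)
```

Because the AP's filtering or VLAN placement is driven entirely by the reply, the Response Authenticator check in verify_reply is what keeps a spoofed Access-Accept from moving a guest client onto the wrong network.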

Using Validated Access

For validated access for business partners, vendors, or other non-employees, you must create computer
and user accounts and issue certificates for each business partner, vendor, or other non-employee. Next,
create groups with these accounts as members so that you can manage access using group-based remote
access policies. For example, create a WirelessInternetUsers group that contains global groups of business
partner, vendor, or other non-employee user and computer accounts.
Summit WM Technical Reference Guide, Software Version 5.1
