An Overview Of External User Authentication; Radius Authentication - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Chapter 6: Authentication Using External Servers

An Overview of External User Authentication

In external server user authentication, an external server contains rules (attributes and
values linked by logical operators) that are checked sequentially in the order defined. If a
rule evaluates as true, the authenticating user is assigned the BSC role specified in that
rule and checking stops. If no rule is true in RADIUS, LDAP/Active Directory, External NTLM,
or Transparent 802.1x authentication, the user is assigned the role you have specified as
the Default role. For Transparent NTLM Windows authentication, you have a choice of default
options.
External server authentication is most useful when you already have a large authentication
database and do not want to add each user manually to the BSC user database. Furthermore,
you can create attributes on the external server that map directly to BSC roles. For
example, you can create a RADIUS attribute called JobType with values of Engineer,
Technician, and Accountant that correspond to equivalently named roles in the BSC. A user
whose RADIUS reply carries a JobType attribute with the value Engineer is assigned the
Engineer role in the BSC.
In general, external authentication proceeds as follows:
1. The wireless device associates with an access point on the managed network and obtains an IP address from the BlueSecure Controller.
2. The BlueSecure Controller adds the device MAC address and IP address to its active connections table and assigns the device to the unregistered role. The unregistered role allows DNS traffic from the managed network to transit the BSC firewall and reach the protected network.
3. The user launches a web browser on the wireless device. The browser uses DNS to resolve the hostname portion of the home page to an IP address, then uses HTTP to request the page.
4. The BlueSecure Controller intercepts the HTTP traffic and redirects the browser to the BlueSecure Controller user login page. The user is prompted to log in as a registered user with a username and password.
5. The BlueSecure Controller authenticates the user against an external authentication server using the user-supplied credentials.
6. Once the user is successfully authenticated, the BSC places the wireless device into a role. The browser is then able to access and display the contents of the requested web page.
7. The BlueSecure Controller can use internal log files or RADIUS to provide accounting of the wireless device's activities.
See "Testing an External Authentication Server" on page 6-34 for information about
testing a newly configured external authentication server.

RADIUS Authentication

The BlueSecure Controller works with any standards-based RADIUS server.
The BlueSecure Controller must be configured on the RADIUS server as a network access
server (NAS) client with a shared secret before the RADIUS server will accept requests from
the BlueSecure Controller. The shared secret is what binds the two ends together: the BSC
uses it to hide the User-Password attribute in its requests and to verify the authenticator
on the server's replies, so choose a long, random value and do not reuse it across NAS
clients. RADIUS authentication can use the IANA-assigned UDP port 1812 or the legacy port
1645 that some older servers still expect; the BSC and the RADIUS server must agree on which.
Roles are assigned automatically based on the attributes the RADIUS server returns with its
Access-Accept. The dynamic role assignment logic operates on a first-match basis: rules are
evaluated in order and the first rule that is true determines the role. If there is no
match, the user is assigned the default role. The default role is also used when dynamic
role assignment is not configured.
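The following is an added example, not ADTRAN code and not part of the original manual. It puts the two mechanisms this chapter describes into working code: the RFC 2865 Access-Request/Access-Accept exchange between a NAS and a RADIUS server bound by a shared secret (User-Password hiding and Response Authenticator verification), and the first-match attribute-to-role mapping from the overview above, falling through to a default role when nothing matches. Assumptions are labelled in the code: the JobType attribute is given the hypothetical type number 200 (the manual does not state one), the RADIUS server is an in-process stand-in with a constructed user table, and no packets leave the process.

```python
"""Toy RADIUS NAS/server exchange plus first-match role mapping (RFC 2865 framing)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Sequence, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
# Hypothetical attribute number standing in for the manual's "JobType" example; a real
# deployment would define it in the server dictionary or carry it as a VSA (type 26).
JOBTYPE = 200

Attr = Tuple[int, bytes]
Rule = Tuple[int, str, bytes, str]  # (attribute type, operator, value, BSC role)


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    ciphertext block); for the first block the Request Authenticator plays that role."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: Sequence[Attr]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Attr]]:
    """Return (code, identifier, authenticator, attributes); raise on malformed input."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, i = [], 20
    while i < length:  # each attribute is Type(1) Length(1) Value(Length-2)
        if i + 2 > length or data[i + 1] < 2 or i + data[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return code, ident, data[4:20], attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """NAS side. Returns (packet, request_authenticator); the authenticator is 16 fresh random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(secret, request_auth, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, ident: int, secret: bytes, request_auth: bytes, attrs: Sequence[Attr]) -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + _md5(header, request_auth, body, secret) + body


def verify_response(reply: bytes, secret: bytes, request_auth: bytes) -> bool:
    """NAS side: a reply whose authenticator does not recompute under the shared secret is dropped."""
    try:
        _, _, auth, _ = parse_packet(reply)
    except ValueError:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    return hmac.compare_digest(_md5(reply[:4], request_auth, reply[20:length], secret), auth)


def assign_role(attrs: Sequence[Attr], rules: Sequence[Rule], default_role: str) -> str:
    """Rules are checked in order; the first true rule wins, otherwise the default role applies."""
    present = {}
    for t, v in attrs:
        present.setdefault(t, []).append(v)
    for attr_type, op, value, role in rules:
        values = present.get(attr_type, [])
        if (op == "==" and value in values) or (op == "!=" and values and value not in values) \
                or (op == "exists" and values):
            return role
    return default_role


def simulate_exchange(secret: bytes, username: str, password: str, users: dict,
                      rules: Sequence[Rule], default_role: str) -> Optional[str]:
    """End-to-end toy run: NAS request -> in-process RADIUS server stand-in -> NAS verifies the
    reply and maps its attributes to a role. Returns the role, or None on reject/bad authenticator."""
    req, request_auth = build_access_request(1, secret, username, password, "10.0.0.1")
    # --- server stand-in (constructed user table: name -> (password, JobType)) ---
    _, ident, req_auth, attrs = parse_packet(req)
    got = dict(attrs)
    record = users.get(got[USER_NAME].decode())
    if record and hmac.compare_digest(reveal_password(secret, req_auth, got[USER_PASSWORD]), record[0]):
        reply = build_response(ACCESS_ACCEPT, ident, secret, req_auth, [(JOBTYPE, record[1])])
    else:
        reply = build_response(ACCESS_REJECT, ident, secret, req_auth, [])
    # --- back on the NAS ---
    if not verify_response(reply, secret, request_auth):
        return None
    code, _, _, reply_attrs = parse_packet(reply)
    return assign_role(reply_attrs, rules, default_role) if code == ACCESS_ACCEPT else None
```

Two points the code makes concrete: the User-Password hiding is an MD5 keystream derived from the shared secret, so a short or guessable secret exposes every password that crosses the wire, and the Response Authenticator is the only thing that lets the NAS tell a genuine Access-Accept from a forged one. Plain RFC 2865 gives the request itself no integrity protection (that needs the Message-Authenticator attribute of RFC 2869), which is one more reason to keep NAS-to-server traffic on a trusted network.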
6-2
