Location-Aware Authentication; How It Works; Example - Colubris Networks CN3000 Administrator's Manual

Chapter 6 - Customizing the public access interface

Location-aware authentication

This feature enables you to control logins to the public access network based on the
wireless access point the customer is associated with. Once a customer is authenticated,
this feature is also used to monitor and control roaming to other access points in the
network.

How it works

When enabled, the location-aware feature causes the CN3000 to return location-
specific information for RADIUS-authenticated customers. This information is returned:
• when the customer logs in
• each time the customer roams to a new access point or switches SSIDs on the same
access point (which causes the customer to be re-authenticated)

Note: Due to security constraints in 802.1x client software, customers cannot
automatically be re-authenticated when roaming to a new access point. Therefore,
location-aware information cannot be returned when these customers roam.

Returned information

The CN3000 can return the following attributes in the RADIUS access request for all
customer authentications (whether initial login or re-authentication due to roaming).
• Called-Station-ID (standard RADIUS attribute)
• Colubris-specific attribute: SSID
• Colubris-specific attribute: GROUP

Note: When re-authenticating customers, the returned RADIUS attribute Service-Type
will be set to 8744 (decimal).

Called-Station-ID value

By default, this will be the MAC address of the wireless port the customer is associated
with. This is the MAC address of the wvlan0 interface in IEEE format as displayed by
Tools > System Tools > Interface info.
If required, the CN3000 can return other values for this attribute by setting the
Called-Station-Id content on the Security > Authentication > Advanced page. The other
available options are:
• SSID: SSID of the access point the customer is associated with.
• GROUP: Group name of the access point the customer is associated with. Group
names are assigned on the Security > Authentication > Advanced page.

Note: If the customer is connected via a wired connection, the value returned is the
MAC address of the CN3000's wireless/LAN port. To use the MAC address of the
Internet port, you must edit the config file and change the setting of
radius-called-station-id-port to WAN in the <ACCESS-CONTROLLER> section.

Colubris-specific attribute: SSID

The SSID of the access point the customer is associated with (wireless only).

Colubris-specific attribute: GROUP

The GROUP (if defined on the Security > Authentication > Advanced page) of the
access point the customer is associated with (wireless only).

Example

Consider the following topology for a fictional small hotel. The restaurant and lounge are
available to all hotel customers who subscribe to the wireless service. However, the
conference room is available only to a specific group of guests who book it in advance.
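
The hotel scenario expressed as a policy check on the RADIUS server side, as an added example that is not taken from the Colubris manual or from any RADIUS product. It assumes the request has already been decoded into name/value pairs; the dictionary layout, the group names (restaurant, lounge, conference) and the customer names are constructed for illustration.

```python
# Added example: RADIUS-server-side location policy for the hotel scenario.
# Attribute names follow the manual; the dict layout, group names and
# customer names are constructed for illustration.

REAUTH_SERVICE_TYPE = 8744   # Service-Type on roaming re-authentication
OPEN_GROUPS = {"restaurant", "lounge"}                 # constructed
BOOKED = {"conference": {"alice", "bob"}}              # constructed


def decide(request):
    """Return (accepted, reason) for one decoded access request."""
    user = request.get("User-Name")
    group = request.get("GROUP")
    roaming = request.get("Service-Type") == REAUTH_SERVICE_TYPE
    event = "roam" if roaming else "login"

    if not user:
        return False, f"{event}: missing User-Name"
    # GROUP is sent for wireless customers only, and only when defined on
    # the access point. This policy fails closed when it is absent rather
    # than falling through to an implicit allow.
    if not group:
        return False, f"{event}: no location information"
    group = group.strip().lower()
    if group in OPEN_GROUPS:
        return True, f"{event}: {group} is open to all subscribers"
    if user in BOOKED.get(group, set()):
        return True, f"{event}: {user} is booked for {group}"
    return False, f"{event}: {user} is not permitted in {group}"


# Constructed sample requests (already decoded into name/value pairs).
SAMPLE_REQUESTS = [
    {"User-Name": "carol", "GROUP": "Lounge"},
    {"User-Name": "carol", "GROUP": "conference", "Service-Type": 8744},
    {"User-Name": "alice", "GROUP": "conference", "Service-Type": 8744},
    {"User-Name": "dave"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", decide(req))
```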
