Ap-2500 Authentication Methods; Authentication Overview - Proxim Orinoco AP-2500 User Manual

ORiN

AP-2500 Authentication Methods

This chapter discusses the authentication methods used by the AP-2500.
•

Authentication Overview

• Internal Authentication
• Internal Authentication with RADIUS
• External Authentication
The AP-2500 is a versatile Access Point for hotspot locations that supports multiple authentication methods. The unit
includes all of the features necessary for a user to set up a hotspot quickly and easily without requiring servers or
advanced Web design skills. The AP-2500 also integrates into existing billing or authentication solutions (for example,
if you already have a RADIUS server on your network that performs authentication and accounting tasks).
Authentication Overview
Providing Internet access to customers represents a new revenue generator or value-add service for public locations
such as coffee shops, bookstores, and hotels. In a traditional Access Point model, the network authenticates users for
security reasons (to prevent unauthorized users from accessing the system). But a public gateway Access Point (such
as the AP-2500) takes this a step further and provides authentication services for paying subscribers. When a user
enters a coffee shop with an 802.11-compatible laptop and launches his Web browser, he is immediately directed to a
subscriber login page. If currently a customer, the subscriber enters his user name and password to gain access. If not
a current subscriber, the user can select an access plan and pay for connectivity by credit card before gaining access
to the Internet.
The AP-2500 supports multiple authentication techniques to suit a range of users. If you're new to the hotspot market,
you can enable the AP to use its Internal Web Server and login page. This method is easy to setup but provides less
customization options than the more complicated techniques that involve other servers on your network, such as a
RADIUS server or an External Web Server.
The AP-2500 supports the following authentication methods:
• No Authentication
The AP's Authentication, Authorization, and Accounting (AAA) services are disabled. Subscribers can access
the Internet through the AP-2500 without being authenticated first. This is the AP's default setting.
• Internal Authentication
The AP provides all authentication services using its Internal Web Server (IWS), including an internal login
page. It also maintains a list of customers in its Authorized Subscribers Table. You can configure the AP to
support credit card billing for new subscribers in this configuration. More advanced users can also create a
portal page, which appears to customers before the login screen. The portal page resides on an external Web
server on the hotspot's network and provides additional customization and access to free content (also known
as a "walled garden").
• Internal Authentication with RADIUS
In this configuration, the AP still provides all of the services described above, but it also communicates with a
RADIUS server on the network to determine if a user is valid. The RADIUS server maintains a list of
subscribers and their attributes (such as the maximum bandwidth allowed for a specific customer) that it
communicates back to the AP-2500. The RADIUS server can also perform accounting functions to record a
user's login activity to facilitate billing.
• External Authentication
In this configuration, the authentication procedure is handled outside of the AP by an External Web Server
(EWS). The AP is notified by an external server when a user has been authenticated using XML (Extensible
3
43