Cloudessa RADIUS in Enterprise WiFi Deployments

Driven by mobile and BYOD, the scale, complexity, and importance of enterprise WiFi networks are increasing dramatically. A well-architected, multifaceted access security infrastructure is an essential element of every enterprise WiFi deployment. This infrastructure typically must support the following functions:

  • Authentication, to ensure that only authorized users gain access to the network
  • User and device authorization, to configure the appropriate level of access and security for network clients
  • Security, to prevent attacks on user credentials and data

In addition, these new WiFi requirements should ideally integrate into the network’s existing access management systems and architecture, to ensure administrative simplicity.

Authentication Requirements

Enterprise-scale WiFi deployments demand an authentication infrastructure capable of handling requests from a large number of users who access the network from geographically distributed locations, with different credentials, access rights, and security requirements, and via access gateways from a variety of vendors.

User and Device Authorization Requirements

In addition to a robust authentication infrastructure, enterprise WiFi networks typically must support different access levels, according to who (or what) is connecting. Employees, guests, and even IP-enabled devices must be able to gain access to the network, but each necessarily has different security requirements and access rights.

Security Requirements

Best practices for WiFi access to enterprise LAN applications mandate the use of WPA2 Enterprise and 802.1X-based security; in addition, WPA2 and 802.1X are considered essential for securing WiFi access in healthcare (HIPAA), financial services (SOX), and other regulated environments. Captive Portal with Sign-on Splash is often used to enable guest and customer access to networks.

Cloudessa RADIUS

With its ability to centrally manage user authentication, authorization, and accounting, a RADIUS server is an integral component of an enterprise WiFi network. Cloudessa RADIUS is uniquely capable of handling the security and manageability requirements on these networks, for the following reasons:

  • It supports industry-standard WiFi security, as well as lower-security guest access – Cloudessa RADIUS provides full support for the 802.1X security protocols that ensure authentication and session security, as well as captive portal solutions that permit customers or guests to access a restricted area of the network with weaker security requirements.
  • It’s simple to administer – Cloudessa RADIUS is a multi-vendor RADIUS solution that supports your existing network access gateways. In addition, it authenticates WiFi users against the user data stores already in place on your network, including Active Directory, LDAP, SQL or Google user stores – with no manual re-entry of data required.
  • It’s available as a public cloud service, or for installation on a virtual machine. Use or deploy Cloudessa RADIUS in the way that makes sense on your network:
    • Use the hosted Cloudessa RADIUS service in the public cloud, where you can take advantage of a shared multi-tenant infrastructure. You enjoy the cost savings and management simplicity of RADIUS-as-a-Service, while critical user data stays under your control.
    • Deploy Cloudessa RADIUS as a Virtual Appliance running on a distributed basis in a Private Cloud, Enterprise Data Center, or individual or regional locations. For enterprises that wish to keep RADIUS completely on-site and control service availability, this provides a cost-effective, WiFi-appropriate alternative to legacy RADIUS servers.
  • It’s built on the market-proven FreeRADIUS code base – Cloudessa RADIUS is a time-tested RADIUS solution, based on code that is already deployed on thousands of servers around the world.
  • It’s not just for WiFi – Cloudessa RADIUS is capable of authenticating access requests not only from WiFi access points and gateways, but also from VPNs, firewalls, and other access gateways. Use it to manage and secure all access to your network.

The following diagrams illustrate how Cloudessa RADIUS integrates into a typical WiFi network infrastructure.

Reference Architecture: Enterprise WiFi with WPA2 / 802.1X Security

Cloudessa RADIUS in Enterprise Deployments

This diagram illustrates how a multi-location enterprise can leverage the Cloudessa RADIUS service in the public cloud to authenticate and authorize WiFi users and devices via WPA2-Enterprise and 802.1X.

  • WiFi users connect to their local WiFi network via an 802.1X client; the credential exchange is protected by EAP-TTLS or EAP-PEAP.
  • The WiFi access point (or other network gateway) communicates with Cloudessa RADIUS in the public cloud to determine whether the user is authorized to connect and, if so, how to configure the connection.
  • Cloudessa RADIUS authenticates the WiFi user against the enterprise’s existing username and password database – for example, Active Directory, LDAP, or SQL – located in the enterprise data center; authentication against the Google Apps cloud-based user store and a native database is also supported.
  • If Cloudessa RADIUS determines the user is authorized to connect, it configures the appropriate level of access for the user.
  • Once authenticated onto the network with the appropriate access level, the WiFi user’s data is protected by WPA2-Enterprise.

Reference Architecture: Multi-homed Enterprise WiFi, secured via Cloudessa RADIUS Service

Cloudessa RADIUS in Enterprise Deployments

This diagram illustrates how an Enterprise can use Cloudessa RADIUS to enforce the configured security protocol according to which SSID a user or device associates with. Each WiFi access point is configured with multiple SSIDs, with each SSID having its own set of authorized users and devices, and mandated level of access security. This allows enterprises to segregate employee, operational, and customer / guest access.

  • Users (typically employees) who connect using the strong security of 802.1X plus EAP-TTLS or EAP-PEAP are authenticated against the enterprise user data store, and are able to access the full range of network services and applications. (See the above diagram for specifics.)
  • Customers or guests would typically connect via a captive portal solution.
    • The captive portal solution communicates with Cloudessa RADIUS to determine if the user is authorized to connect.
    • Once authenticated, the captive portal web server grants access to a limited number of services and applications available to guest network users.
  • IP-enabled devices would typically connect via PAP, and be authenticated against an LDAP or SQL database.
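The access point to RADIUS exchange in both reference architectures (the gateway asks whether a user may connect and how to configure the session, and the answer depends on which SSID the user associated with) can be made concrete with the RFC 2865 packet format. The following is an added example, not Cloudessa or FreeRADIUS code: it frames an Access-Request, lets a server answer Access-Accept with a VLAN assignment (Tunnel-Private-Group-Id) or Access-Reject according to a constructed per-SSID policy, and shows the Response Authenticator check an access point must perform before trusting the reply. The SSID names, users, VLANs and shared secret are all constructed, and the EAP inner authentication is deliberately omitted.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLED_STATION_ID, TUNNEL_PRIVATE_GROUP_ID = 1, 30, 81
# Constructed policy for this added example (not Cloudessa/FreeRADIUS code): SSID -> (permitted users, VLAN on Accept)
POLICY = {"Corp-8021X": ({"alice", "bob"}, b"10"), "Guest-Portal": ({"guest01"}, b"200")}

def encode_attrs(attrs):  # RFC 2865 attribute: Type(1) Length(1, header included) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")  # refuse to over-read a bad length
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def handle_access_request(request, secret):
    # Server side: parse the Access-Request and decide per SSID (EAP inner authentication omitted)
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"").decode()
    ssid = attrs.get(CALLED_STATION_ID, b"").decode().split(":", 1)[-1]  # "ap-mac:SSID"
    allowed, vlan = POLICY.get(ssid, (set(), None))
    reply_code, reply_attrs = (ACCESS_ACCEPT, [(TUNNEL_PRIVATE_GROUP_ID, vlan)]) if user in allowed else (ACCESS_REJECT, [])
    auth = response_authenticator(reply_code, ident, request[4:20], reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def verify_response(request, response, secret):
    # AP side: honour a reply only if its Response Authenticator binds it to our request and shared secret
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, request[4:20], decode_attrs(response[20:]), secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

In production the Request Authenticator is 16 fresh random bytes per request, and EAP-carrying requests additionally need the Message-Authenticator attribute; the check in `verify_response` is what stops a forged or replayed Access-Accept from being honoured by the gateway.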