RADIUS/AAA & Captive Portal Technical Overview


Cloudessa "AAA & Captive Portal Cloud Service"

Welcome to the Cloudessa© cloud–based Authentication, Authorization, and Accounting (AAA) and Captive Portal solution platform.

Cloudessa supports building complex WiFi Captive Portals for hotspots such as retail, hospitality and guest access, as well as authenticating enterprise users using 802.1X and RADIUS based protocols. It supports a variety of backend authentication sources, such as Google Apps, Active Directory, SAML providers, and social network sign–ins, including Facebook and Twitter, and Payment Processors such as PayPal.

Cloudessa is a 100% cloud service compatible with enterprise WiFi APs and Controllers from leading network hardware vendors.

Cloudessa is available either as a public cloud Service, or as a Virtual Appliance for installation in an enterprise or private data center, so you can deploy Cloudessa in the way that is appropriate for your business.

  • Use the hosted Cloudessa Service in the public cloud, where you can take advantage of a shared multi–tenant infrastructure.
  • Deploy Cloudessa as a Virtual Appliance, running in a private cloud or enterprise data center if you need to maintain service completely on–site and control service availability. Cloudessa VA runs on major private cloud platforms such as VMware and Xen.

Why choose Cloudessa?

Driven by mobile workers and BYOD, the scale, complexity, and importance of enterprise WiFi and VPN networks is increasing dramatically.

A well–architected, multifaceted access security infrastructure is an essential element of every enterprise WiFi, VPN, and other remote access gateway deployment. This infrastructure typically must support the following functions:

  • Authentication, to ensure that only authorized users gain access to the network
  • Authorization, to configure the appropriate level of network resource access for a particular user or device for a particular session
  • Accounting, to document who accesses the network, and when
  • Security, to prevent attacks on user credentials and data

In addition, these new WiFi requirements should ideally reuse existing user stores and integrate into the network’s existing access management systems and architecture for securing VPNs and other access gateways to ensure a consistent level of security regardless of how users are accessing your network.

WiFi hotspots provide a unique set of business growth opportunities to engage consumers and guests of your business. A strong Captive Portal solution integrated into your business logic provides an opportunity to win new customers and keep new customers happy.

Cloudessa is the first cloud solution that enables you to both:

  • Provide strong network access security for the employees and contractors of your business
  • Grow your business by engaging your customers with advanced hotspot and captive portal solutions integrated with your business logic

Cloudessa enables you to achieve these goals while keeping the security of your network intact. Cloudessa supports the industry–standard means of using separate WiFi SSIDs or network VLANs to separate your internal business network from your customer engagement and hotspot network.

Key Features

The following are key features of Cloudessa discussed throughout this manual:

  • Multiple Virtual RADIUS/802.1X servers, each running on a separate authentication and accounting port. You can create a Virtual RADIUS server with a single click of a mouse.
  • Multiple Captive Portals, each running on a separate URL. You can create a Virtual RADIUS server with a single click of a mouse.
  • Captive Portal support is based on the industry–standard UAM as well as the Meraki EXCAP protocol, and is compatible with major enterprise WiFi hardware such as Cisco, Meraki, Ruckus, Aruba, Motorola and others.
  • For RADIUS/802.1X, a comprehensive variety of protocols is supported, including PAP, CHAP, MS–CHAP, SIP, PEAP, EAP–TTLS, EAP–TLS and MAC–based authentication
  • For Captive Portals, SAML authentication is supported, including such vendors as Ping Identity, Okta, OneLogin and Microsoft ADFS
  • For Captive Portals, social network OAuth logins are supported, including Facebook, Twitter, and LinkedIn, as well as PayPal login for payment integration
  • Accounting and Billing. Cloudessa includes built–in integration with PayPal, as well as a capability to add custom modules to integrate with other Payment Processors.
  • Accounting Logs of user and admin actions
  • Two–factor authentication using Google Authenticator
  • Authentication against External user stores, including Active Directory, LDAP, SQL Databases, Google Apps, as well as customer–provided Web Service APIs
  • JSON–based Web Services API
  • Powerful Captive Portal building tools and widgets
  • Three methods to use Google Apps for authentication: Captive Portal, PAP/EAP–TTLS and EAP–TLS with digital certificates.

The following figure illustrates how a multi–location enterprise can leverage the Cloudessa RADIUS functionality service in the public cloud to authenticate and authorize WiFi users and devices.

 

Figure 1: Example Deployment – Cloudessa RADIUS / AAA Cloud Service


Figure 2: Example Deployment – Cloudessa AAA & Captive Portal Cloud Service


Authentication Options

When assessing your WiFi and VPN network security requirements, it is important to examine what the right level of security is for your deployment, and how you want to enforce access security.

Cloudessa RADIUS provides the flexibility to deploy either WPA2 / 802.1X–compliant or Captive Portal browser–based access security.

Best practice for WiFi and VPN access to enterprise LAN applications mandates the use of WiFi Protected Access 2 Enterprise (WPA2) and 802.1X–based security; in addition, WPA2 and 802.1X are considered essential for securing WiFi access in healthcare (HIPAA), financial services (SOX), and other regulated environments.

If the primary use of the WiFi network is to access cloud or external resources (for instance, in a hotspot or for student / customer / guest internet access), or if a user's session will be protected via a VPN tunnel and there is little risk of sensitive data being compromised, then a browser–based login via a Captive Portal is a viable option.
