Secure WiFi in Multi-Location Organizations

More and more retail stores, hotels, and public institutions consider WiFi hotspot access to be a critical network function. Whether it’s implemented to enable employee access to LAN applications, foster customer engagement, or support guest Internet access, WiFi access is critical to these organizations’ ability to run their business.

Requirements

To successfully deploy WiFi access, a multi-location organization must architect a solution that satisfies the following requirements:

  • Network Availability Within Budget – Many newer multi-location organizations install WiFi-only networks; no Ethernet cable is run. In these cases, the organization must consider the reliability of each location’s connection to centralized resources, and architect a WiFi infrastructure that meets requirements for network availability and reliability, while adhering to budget constraints.
  • Flexible Security – A common scenario on multi-location WiFi networks is that different users have different access security requirements. Employees need 802.1X-based access – the industry standard for WiFi security – while customers/guests are well-served by a captive portal system with a sign-on splash page. A multi-location organization must ensure that its WiFi infrastructure supports access by both employees and guests, and configure the appropriate level of security for each.
  • Centralized Management, Distributed Deployment – Most multi-location organizations choose not to staff each branch location with IT personnel. Because of this, a WiFi infrastructure that can be centrally maintained from the headquarters location is essential.
  • Back-End Data Store Integration – Seamless integration with a back-end data store, whether it is Active Directory, a simple SQL database, a self-registration system, or a third-party guest management system. For administrative simplicity, the organization must ensure that its existing database of usernames and passwords can be extended to cover WiFi access as well.

Cloudessa RADIUS – Flexible and Efficient Centralized and Distributed Access Security

One core element of a successful WiFi network installation is a RADIUS server such as Cloudessa RADIUS. RADIUS is the standard for securing access to WiFi networks, and manages the authentication, authorization, and accounting of all network access. Cloudessa RADIUS is an ideal solution for managing and securing WiFi access in multi-location organizations for the following reasons:

  • Use Cloudessa RADIUS in the public cloud, or deploy on a distributed basis in a private cloud – Access to the RADIUS authentication infrastructure is essential. Depending on the reliability of the connection between its branch locations and centralized resources, a multi-location organization can choose to deploy Cloudessa RADIUS in any of the following ways:
    • In locations where the organization has mandated redundant Internet connections (primary access via a high-speed wired connection, with cellular data as the secondary link), Cloudessa RADIUS-as-a-Service can be used to manage and secure WiFi access very cost-effectively.
    • In locations where Internet connectivity is not as reliable, or it is cost prohibitive to have redundant connections, organizations can deploy the Cloudessa RADIUS Appliance in a distributed fashion across their network to authenticate network access on either a per location or regional basis.
  • Support flexible security requirements, to easily enable access by employees and guests/customers.
    • In scenarios where strong security is required – for example, employee access – Cloudessa RADIUS supports access via 802.1X and WPA2-Enterprise.
    • In scenarios where security is less of an issue – for example, access by guests/customers – Cloudessa RADIUS integrates with access points that support screen redirect / captive portal, such as those from Meraki, Cisco, Ruckus, and Aruba, and with captive portal software, either built-in or external, which provides the user sign-on interface and content delivery mechanisms.
  • Accounting – Cloudessa RADIUS logs all authentication and accounting activity; these log files can be aggregated with other network and user store information to create dynamic session tables, giving a comprehensive record of employee and customer/guest network usage.
  • Compatible with a wide variety of back-end data stores – Cloudessa RADIUS can validate credentials against a wide array of user stores, including Active Directory, a native MySQL database, external stores such as LDAP or SQL databases, or cloud-based user stores such as Google Apps. A powerful API is also available to automate the interaction with third-party self-registration or user/guest management systems.
  • Cost effective – Cloudessa’s usage-based pricing slashes authentication infrastructure costs, only charging organizations for the level of service they need.
    • When licensed on a hosted service basis, Cloudessa RADIUS eliminates the infrastructure expense and administrative hassle of an on-premises RADIUS server.
    • The Cloudessa RADIUS Virtual Appliance, which runs on a shared virtual machine and is licensed on a usage basis, makes distributed RADIUS affordable from a cost perspective and practical from a centralized-management and ease-of-deployment perspective.
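The Accounting bullet above describes folding RADIUS accounting records into a session table. The following is an added example, not Cloudessa code; it assumes a constructed "attr=value" log line per accounting packet using the standard RFC 2866 attribute names, and shows how Start, Interim-Update and Stop records combine into one row per session, including a Stop whose Start was never logged.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed sample RADIUS accounting records (not Cloudessa's real log format), RFC 2866 attribute names.
SAMPLE_ACCT_LOG = """\
ts=1700000000 Acct-Status-Type=Start Acct-Session-Id=a1 User-Name=alice@corp NAS-IP-Address=10.1.1.2
ts=1700000010 Acct-Status-Type=Start Acct-Session-Id=g7 User-Name=guest-4412 NAS-IP-Address=10.1.1.2
ts=1700000600 Acct-Status-Type=Interim-Update Acct-Session-Id=a1 Acct-Input-Octets=120000 Acct-Output-Octets=980000
ts=1700001200 Acct-Status-Type=Stop Acct-Session-Id=g7 Acct-Session-Time=1190 Acct-Input-Octets=5000 Acct-Output-Octets=70000 Acct-Terminate-Cause=User-Request
ts=1700001800 Acct-Status-Type=Stop Acct-Session-Id=zz User-Name=bob@corp Acct-Session-Time=300
"""

@dataclass
class Session:
    session_id: str
    user: str = "?"
    start: Optional[int] = None   # stays None if only a Stop was seen (orphan record)
    stop: Optional[int] = None    # None while the session is still active
    last_seen: int = 0
    duration: int = 0             # Acct-Session-Time reported in the Stop
    in_octets: int = 0
    out_octets: int = 0
    terminate_cause: str = ""

def parse_line(line: str) -> dict:
    """Split 'attr=value attr=value ...' into a dict (values carry no spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split())

def build_sessions(log_text: str) -> dict:
    """Fold Start / Interim-Update / Stop records into one row per Acct-Session-Id."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        ts, sid = int(rec["ts"]), rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, Session(sid))
        s.user = rec.get("User-Name", s.user)
        s.last_seen = max(s.last_seen, ts)
        # Octet counters are cumulative for the session, so the newest record wins.
        s.in_octets = int(rec.get("Acct-Input-Octets", s.in_octets))
        s.out_octets = int(rec.get("Acct-Output-Octets", s.out_octets))
        if rec["Acct-Status-Type"] == "Start":
            s.start = ts
        elif rec["Acct-Status-Type"] == "Stop":
            s.stop = ts
            s.duration = int(rec.get("Acct-Session-Time", s.duration))
            s.terminate_cause = rec.get("Acct-Terminate-Cause", "")
    return sessions

def active_sessions(sessions: dict) -> list:
    """Ids with a Start but no Stop yet: who is on the network right now."""
    return sorted(i for i, s in sessions.items() if s.stop is None and s.start is not None)
```

A row whose `start` is still `None` after the run (session `zz` in the sample) marks a Stop with no matching Start, which is the kind of gap to reconcile against the access point's own records before trusting the usage figures.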

The diagrams below illustrate how a multi-location organization can use Cloudessa RADIUS either as a centrally managed public cloud service (RADIUS-as-a-Service) or on a distributed basis with the Cloudessa RADIUS Virtual Appliance deployed within the private cloud.

Reference Architecture: Centralized Cloudessa RADIUS-as-a-Service with Redundant Internet Access

[Diagram: multi-location-retail]

This diagram illustrates the use of Cloudessa RADIUS-as-a-Service on a multi-location network where a cellular data network provides redundancy and ensures network availability and access to Cloudessa RADIUS-as-a-Service.

  • Employees connect to the network via 802.1X, and are authenticated against the organization’s existing data store, for example Active Directory.
  • Customers/guests access the network via a captive portal system.
  • IP-enabled devices connect to the network via PAP, and are authenticated against a SQL or LDAP database.

Reference Architecture: Cloudessa RADIUS Virtual Appliance Deployed on Distributed Basis Within Private Cloud

[Diagram: Cloudessa RADIUS Virtual Appliance]

This diagram illustrates the deployment of Cloudessa RADIUS in a distributed fashion. The Cloudessa RADIUS Virtual Appliance is deployed on a virtual machine running in each branch location. When a WiFi user connects to the network, the user is authenticated over the private network against the authentication database in the data center.