RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Monday, February 4, 2008

Wireless VLANs Managed by RAD-Series RADIUS Server

VLANs are powerful networking tools that are especially applicable to wireless and hybrid networks. Combined with the RAD-Series RADIUS Server, they are an easy and effective way of managing access to key enterprise resources.

What is a VLAN?

A VLAN is a switched network that is logically rather than physically segmented. VLANs enable workstations and other devices to have a virtual association, independent of geographic location or physical attachment to the network. These groupings can be based upon organizational unit, application, role, or any other logical grouping.

Why use a VLAN?

VLANs deliver many benefits to the network administrator.

§ Security is increased by segregating groups of users. Each group has access to only those resources that are appropriate for its projects and responsibilities within the organization.

§ Network management is made easier by allowing changes to projects, roles, and group memberships. This does not require any changes to the physical topology of the network.

§ VLANs reduce costs through the efficient sharing of network resources. Groups of users can be logically separated on shared equipment instead of physically separated on redundant equipment.

Why use VLANs with a wireless network?

The case for using VLANs in a wireless network is even stronger than for wired networks. Because there are no physical boundaries in wireless networks, logical boundaries must be built to protect sensitive data while enabling access to role-based network resources.

VLANs multiply the benefits that make wireless networking so attractive to enterprises. Wireless networks are flexible and easy to set up because there are no wires to pull. VLANs are flexible and easy to establish because they are not dependent upon a physical point of attachment to the network. Wireless networks reduce expenses by eliminating some of the physical infrastructure. VLANs further reduce expenses through the efficient sharing of network resources.

Example Wireless VLAN

Taking a look at the needs of a small software engineering company will help illustrate the power of VLANs in a wireless network. This engineering company has identified four groups that it wants to segregate on its wireless network through the establishment of VLANs:

§ Sales – the company’s executives and sales managers need access to sensitive account and sales information. When the regional sales managers visit the home office, the wireless network makes it possible for them to update account information and participate in sales meetings.

§ Network Administrator – the network administrator has privileged access to all computer systems and network devices. The wireless network facilitates the administrator’s work no matter where he is in the building.

§ Engineering – the software developers and QA engineers need access to the testbed machines. They often work collaboratively in groups, which the wireless NICs in their laptops make possible.

§ Guests – the company often hosts meetings with vendors and customers. During their visits, guests are given Internet access through the wireless network.

Each of these groups is assigned a VLAN that provides access to only the appropriate resources for that group.

Completing the VLAN picture with the RAD-Series RADIUS Server

The final and critical step in implementing wireless VLANs is the authentication and assignment of users to the correct VLAN using the RAD-Series RADIUS Server. The benefits of wireless VLANs are greatly diminished without the ease and flexibility of the central management afforded by the RAD-Series RADIUS server. At the time the user is authenticated, the RADIUS server assigns the user to the correct VLAN based upon the user’s profile or a policy involving the user’s role, group membership, or any other attribute. The RADIUS server can further improve security by requiring stronger forms of authentication for VLANs with access to the most critical resources.

The RAD-Series RADIUS Server can be configured to assign a user to a VLAN by adding the following three Reply-Items to the user’s profile:

Tunnel-Type=VLAN
Tunnel-Medium-Type=IEEE-802
Tunnel-Private-Group-Id="vlan-number"

where "vlan-number" is the number of the user’s VLAN.

Changing VLAN membership is as easy as changing the VLAN number in the user profile. It will then take effect the next time the user authenticates anywhere on the wireless network.
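As an added example (not code from the post or from Interlink's product), the following Python shows what the three Reply-Items above become on the wire in an Access-Accept, and the consistency check a NAS or a test harness should apply before honouring them. The attribute numbers (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81, VLAN = 13, IEEE-802 = 6) and the tag-byte rules come from RFC 2868; the function and variable names are this example's own.

```python
"""Encode and validate VLAN assignment reply items as RFC 2868 tunnel attributes."""
import struct

# Standard attribute numbers and enumerations from RFC 2868 (not from the post).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Pack one RADIUS attribute as Type (1 byte) | Length (1 byte) | Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 24-bit value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return avp(attr_type, struct.pack("!B", tag) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    """RFC 2868 tagged string: tag byte followed by the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return avp(attr_type, struct.pack("!B", tag) + value.encode("ascii"))


def vlan_reply_items(vlan_number: int, tag: int = 0) -> bytes:
    """The three Reply-Items from the post, as sent in an Access-Accept."""
    if not 1 <= vlan_number <= 4094:
        raise ValueError("802.1Q VLAN id must be 1..4094")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_number), tag))


def parse_attributes(data: bytes) -> list:
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 3 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def assigned_vlan(data: bytes):
    """Return the VLAN id to apply, or None when the reply is not a complete and
    consistent 802.1Q assignment. A NAS should ignore a partial or mismatched
    tunnel attribute set rather than guess at the intended VLAN."""
    tagged = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag = value[0]
        if tag > 0x1F:          # RFC 2868: a first byte above 0x1F is string data, not a tag
            tag, body = 0, value
        else:
            body = value[1:]
        tagged.setdefault(tag, {})[attr_type] = body
    for attrs in tagged.values():
        if set(attrs) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


if __name__ == "__main__":
    wire = vlan_reply_items(42)
    print(wire.hex(), "->", assigned_vlan(wire))
```

The grouping by tag matters because a server may return several tunnel attribute sets in one reply; only a set whose three members carry the same tag is a single assignment, and a reply missing any of the three is treated as no assignment at all.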


Monday, July 2, 2007

Defining RADIUS Attributes to Create Groups and Services

RADIUS Attribute-Value Pairs are the building blocks of RADIUS. They identify users, specify network components, configure services, and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout, and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs) to support proprietary features. What service providers and enterprises may not realize is that VSAs are not just for hardware vendors and networking software developers. VSAs can be used by service providers to create new services and by enterprises to gain better control of their networks.

What would I do with a Vendor Specific Attribute if I had one?

Service providers can use their own RADIUS attributes to define multiple levels of service, each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.

Another approach to expanding the service provider’s sales reach is to sell services à la carte. RADIUS attributes can be defined for each service component, making it possible to enable and sell them independently of each other. RADIUS attributes can be created to grant access to services such as e-mail, priority support areas, and special downloads, and to grant toll-free access.

In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.

Vendor Specific Attributes – where do I get mine?

Step One in defining your own VSAs is to get an enterprise number for your organization. These numbers are managed by the Internet Assigned Numbers Authority (IANA) and serve to uniquely identify your VSAs as belonging to your organization. The current list of assigned numbers can be found at

http://www.iana.org/assignments/enterprise-numbers

If your organization does not already have a number, then you can apply for a free enterprise number at

http://www.iana.org/cgi-bin/enterprise.pl

Step Two is to configure your organization as a definer of VSAs in the RAD-Series RADIUS Server vendors file. An Internet Service Provider, NewISP, has just received an enterprise number of 123456. NewISP will modify its vendors file to add:

#
# New ISP, Inc.
#

NewISP.attr NewISP.value 123456 NewISP

Where:

NewISP.attr will be used to define NewISP’s VSAs in the dictionary

NewISP.value will be used to define values to assign to NewISP’s VSAs

123456 is NewISP’s enterprise number

NewISP is the label specifying support for NewISP VSAs

Step Three is to define in the RADIUS dictionary the VSAs and any special values that they can take. NewISP has decided that it needs a VSA to store the subscribed service plan in each user’s profile. They have defined three levels that are referred to as Platinum, Gold, and Silver. NewISP will modify its RADIUS dictionary to add:

#
# New ISP VSAs
#
NewISP.attr Service-Level 1 Integer (0,0,0)

#
# New ISP Service Levels
#
NewISP.value Service-Level Platinum 1
NewISP.value Service-Level Gold 2
NewISP.value Service-Level Silver 3

Where:

Service-Level is the name of New ISP’s VSA

Integer indicates that the VSA is of type integer

(0,0,0) are the pruning rules indicating that Service-Level is not returned in any RADIUS responses

Platinum, Gold, and Silver are the values defined for Service-Level

Step Four is to apply the new RADIUS attributes to the user profiles. For example in the users file:

jsmith Password = JohnsPASSWORD
    NewISP:Service-Level = Platinum

Tbrown Password = TomsPassworD
    NewISP:Service-Level = Silver

Now that I have my VSAs how do I make them go to work for me?

The power behind these organizational VSAs is the business rules associated with them. These rules are commonly called policy and can be implemented using the RAD-Series RADIUS Server Policy Engine. In our next blog entry, we will discuss how to write the RADIUS policies associated with these Vendor Specific Attributes.
