The Smoothwall makes use of RADIUS accounting to allow users to connect their own wireless devices to the network, known as “bring your own device” (BYOD), and authenticate unobtrusively. This has the added advantage of not having to install additional software on the users’ devices.
The Smoothwall links your organization's directory service to its RADIUS server. As a network administrator, you can configure your wireless network infrastructure to authenticate users using the RADIUS server so that users can use their directory service accounts as wireless device logon details.
RADIUS requests
The following RADIUS requests can be processed by the Smoothwall Filter and Firewall, depending on the BYOD network implementation:
Request | Description
--- | ---
Accounting | A request to inform that the user has connected to or disconnected from the wireless network. Typically, this is sent by the network access server (NAS) acting as the RADIUS client. The Smoothwall Filter and Firewall uses this request to physically log the user on or off the network.
Authentication | A request to confirm that the supplied user credentials are valid, and that the user is authorized to connect to the wireless network. Typically, this is sent by the network access server acting as the RADIUS client. The Smoothwall Filter and Firewall can only receive these requests via an Extensible Authentication Protocol (EAP) tunnel, using Microsoft Challenge-Handshake Authentication Protocol (MSCHAP).
You can define groups to explicitly allow or reject the authorization requests.
The following RADIUS attributes are used within accounting requests:
Attribute | Description
--- | ---
Filter-ID | This is an optional attribute, used to supply the authentication group of the user. Typically, the group assignment is used by the Smoothwall when there's no directory service configured to use for group mapping.
Framed-IP-Address | This contains the IP address of the client that has been authorized to connect to the wireless network. This attribute is essential to the BYOD service.
Interim-Update | This is a status update received from the network access server, advising of the status of the client’s session. If the Smoothwall doesn't receive this at least once an hour, it assumes the session has ended and logs the client out.
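To make the accounting flow above concrete, here is an added Python example (not Smoothwall's code) that replays constructed Accounting-Request events and applies the rules described: a request without Framed-IP-Address cannot log anyone on, Filter-ID supplies the group and otherwise a hypothetical directory lookup does, a Stop logs the client off immediately, and a session with no Interim-Update for over an hour is treated as ended.

```python
from datetime import datetime, timedelta

# The documented rule: no Interim-Update within an hour means the session has ended.
INTERIM_TIMEOUT = timedelta(hours=1)

# Constructed sample of Accounting-Request attribute sets as a NAS would send them
# (Acct-Status-Type values Start / Interim-Update / Stop are defined in RFC 2866).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "Acct-Status-Type": "Start", "User-Name": "alice",
     "Framed-IP-Address": "10.20.0.15", "Filter-ID": "Students"},
    {"time": "2024-05-01T09:00:00", "Acct-Status-Type": "Start", "User-Name": "dave",
     "Framed-IP-Address": "10.20.0.17", "Filter-ID": "Guests"},     # never sends updates
    {"time": "2024-05-01T09:05:00", "Acct-Status-Type": "Start", "User-Name": "bob",
     "Framed-IP-Address": "10.20.0.16"},                            # no Filter-ID
    {"time": "2024-05-01T09:10:00", "Acct-Status-Type": "Start", "User-Name": "carol"},  # no IP
    {"time": "2024-05-01T10:00:00", "Acct-Status-Type": "Interim-Update", "User-Name": "alice",
     "Framed-IP-Address": "10.20.0.15"},
    {"time": "2024-05-01T10:30:00", "Acct-Status-Type": "Stop", "User-Name": "bob",
     "Framed-IP-Address": "10.20.0.16"},
    {"time": "2024-05-01T11:00:00", "Acct-Status-Type": "Interim-Update", "User-Name": "alice",
     "Framed-IP-Address": "10.20.0.15"},
]

# Hypothetical stand-in for the configured directory service's group mapping.
DIRECTORY_GROUPS = {"bob": "Staff"}


def process_accounting(events, now, directory_groups=DIRECTORY_GROUPS):
    """Replay accounting events up to `now`; return (live, expired, rejected).
    live maps IP -> (user, group); expired lists users with no update for over an
    hour; rejected lists users whose request carried no Framed-IP-Address."""
    sessions, rejected = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ts > now:
            break
        ip, user, status = ev.get("Framed-IP-Address"), ev["User-Name"], ev["Acct-Status-Type"]
        if ip is None:               # Framed-IP-Address is essential: nothing to log on
            rejected.append(user)
        elif status == "Start":      # Filter-ID wins; otherwise fall back to the directory
            group = ev.get("Filter-ID") or directory_groups.get(user, "unmapped")
            sessions[ip] = {"user": user, "group": group, "last_seen": ts}
        elif status == "Interim-Update" and ip in sessions:
            sessions[ip]["last_seen"] = ts
        elif status == "Stop":       # explicit disconnect logs the client off at once
            sessions.pop(ip, None)
    live = {ip: (s["user"], s["group"]) for ip, s in sessions.items()
            if now - s["last_seen"] <= INTERIM_TIMEOUT}
    expired = [s["user"] for ip, s in sessions.items() if ip not in live]
    return live, expired, rejected
```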
Authentication for BYOD
If authentication services are provided through the Smoothwall, you might find that some devices can't automatically accept the Smoothwall’s certificate when users try to authenticate onto the wireless network. You can download the Smoothwall’s certificate, and make it available in a way supported by those affected devices.
To help prevent BYOD users being presented with Man-in-the-Middle (MITM) warning pages, you can use the HTTPS Interception page, located on the Smoothwall, to advise users to download and install a certificate, see Stopping the MITM Attack Warning When My Users are Using BYOD.
Prerequisites
Irrespective of the type of BYOD setup, before you configure the Smoothwall you must have the following information:
- The IP addresses for the wireless access points.
- The IP addresses for any external RADIUS servers.
- The shared secrets for the RADIUS servers and clients.
Additionally, the NAS must be able to act as a DHCP server to provision the wireless device with an IP address.
When Smoothwall is the RADIUS Authentication Server
If the Smoothwall is acting as the RADIUS server for authentication, the following must be considered:
- Users’ wireless devices must support WPA Enterprise with Protected Extensible Authentication Protocol (PEAP), and Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) version 2.
- If a web filtering policy is applied to users, you must configure the Smoothwall Filter to use core authentication, see Creating authentication policies.
- Active Directory must be used to authenticate users to the wireless network.
Note: If the Smoothwall is the authentication server, no other directory services are supported. This includes the legacy method of using Active Directory.
When Basic Network Access Servers are Used
If the network access server is unable to authenticate the user, or to act as a DHCP server to provision the wireless device with an IP address, the following must be considered:
- You must enable DHCP on the Smoothwall and configure a valid DHCP subnet, see our help topic, Turning on the DHCP service.
- All network access servers must be in the same subnet as the Smoothwall. Network switches can be used, but there must not be any routers between them. Again, the Smoothwall must be the DHCP server for that subnet.
- The Smoothwall must act as the RADIUS authentication and accounting server.
Note: To use DHCP, you need a Unified Threat Management license.
Network Access Servers
Refer to your documentation for the network access server you're using for a detailed description of how to configure the access points.
The following should be considered:
- The wireless network added to or modified in the network access server must use WPA2 with 802.1X.
- The wireless network type might be referred to as WPA2-Enterprise, WPA2-RADIUS, or WPA2 with a separate option for RADIUS accounting. WPA2 is the most secure. To support older hardware, WPA1 is also supported. Some network access servers might support WPA1 and WPA2 simultaneously.
- Some network access servers need you to enter the Smoothwall’s details twice, if the Smoothwall is the RADIUS server for both authentication and accounting.