Deploying Secure 802.11 Wireless Networks with Microsoft Windows

Chapter 13

RADIUS Infrastructure for Public Place Deployment

Wireless access to the Internet in public places such as airports, coffee shops, and other locations is another segment of wireless connectivity that is growing quickly. Laptop and notebook computer owners use a wireless Internet service provider (WISP) to connect to the Internet. Once on the Internet, wireless users can access public Web sites or use a virtual private network (VPN) technology to create a secure connection to their employer s network across the Internet.

The infrastructure required by the WISP to provide connectivity to the Internet spans a wide range of network services, including the following:

• Dynamic Host Configuration Protocol (DHCP)

  A DHCP infrastructure assigns unique Internet Protocol (IP) addresses and other configuration settings.

• Domain Name System (DNS)

  A DNS infrastructure provides name resolution services to allow wireless clients to use names (such as www.example.com) rather than IP addresses (such as 131.107.90.234), to connect to Internet resources.

• World Wide Web

  Web sites allow users to view information stored on a Web server and respond to information requested by the Web server. In many WISP deployments, a series of Web pages for user identification, enrollment, and billing is the mechanism by which a new customer obtains connectivity to the Internet.

• Certification Authority (CA)

  A CA is needed in the WISP s network infrastructure only if the customers of the WISP are required to use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and certificates for authenticated connections. In most cases, WISPs will use Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and passwords for authenticated connections.

• Remote Authentication Dial-In User Service (RADIUS)

  RADIUS is used as the industry standard protocol to provide authentication, authorization, and accounting for wireless connections.

Figure 13-1 shows the set of components for a public place deployment.

Figure 13-1. Components of a public place deployment.

At the time of the publication of this book, the configuration of DHCP, DNS, Web, and CA infrastructure for WISPs was not standardized. Because there are too many ways to configure these components to provide public wireless access to the Internet, and industry practices for their setup are evolving, they are not described in this chapter.

As an example, Figure 13-1 shows the use of a computer acting as a DHCP server, DNS server, and CA that is connected to an alternate subnet. Wireless clients that do not have valid credentials use this alternate subnet. Using unauthenticated access, the new wireless user is allowed access only to the alternate subnet through which the wireless client can obtain an IP address, perform a signup process using Web pages, and even obtain a certificate. When the signup process is complete, the user is prompted to reauthenticate, at which time the wireless client uses the recently obtained credentials for an authenticated connection to gain access to the Internet.

Although the use of many network services on the WISP perimeter network is not standardized, the RADIUS infrastructure consisting of RADIUS proxies and servers works the same regardless of the other elements of the WISP s network service infrastructure. Therefore, this chapter describes only the RADIUS portion of a WISP s network and assumes the use of Internet Authentication Service (IAS).

NOTE Microsoft is investigating the development of new wireless client components to better support the WISP scenario. For more information, see Appendix B, Wireless ISPs and Windows Provisioning Services.