Deploying Secure 802.11 Wireless Networks with Microsoft Windows
Components of a RADIUS Infrastructure for Public Place Wireless Access
Public place wireless access consists of the organizational entities listed below and shown in Figure 13-1.
- WISP
The WISP is the organization that provides the wireless connection to the Internet for WISP users. A WISP deploys wireless access points (APs) and a network infrastructure in a public place and generates revenue by either charging wireless users directly (as customers of the WISP) or charging a benefactor of the wireless user. The benefactor of a wireless user is typically either a communications service provider (such as a phone company) or a private organization (such as a corporation). The WISP has existing agreements with wireless user benefactors and relies on the benefactor to authenticate and authorize the wireless connection of the wireless user.
- Service provider
The service provider provides various telecommunications services (such as mobile phone access) for its customers. To provide seamless wireless access with WISPs, the service provider enters into agreements with WISPs to provide wireless access to its customers in exchange for a fee. The service provider then offers this additional service to its customers for an additional monthly fee. The service provider s customer signs up for the service and receives credentials to identify them (such as a certificate). After configuration of the credentials, the customer can connect to the wireless network of the WISP without being a customer of the WISP. During the authentication exchange, the WISP forwards the credentials of the wireless user to the service provider, who authenticates and authorizes the connection attempt. The wireless user does not have to sign up with the WISP and gets seamless wireless connectivity to the Internet. This type of public wireless access is useful for individuals who spend a lot of time in public places such as coffee shops and want to remain connected to the Internet.
- Private organization
In a manner similar to a service provider, the WISP enters into an agreement with a private organization to provide Internet access to the private organization s employees for a fee. When the employee attempts to connect to the WISP s network, the employee uses the private organization s credentials for authentication. During the authentication exchange, the WISP forwards the credentials of the wireless user to the private organization, who authenticates and authorizes the connection attempt. The wireless user does not have to sign up with the WISP and gets seamless wireless connectivity to the Internet. This type of public wireless access is useful for private organization employees who travel often and want to get wireless access to the Internet and the private organization from airports, conference centers, or hotels.
From a RADIUS perspective, the relevant portions of infrastructure are the following:
A set of at least two RADIUS proxies that forwards RADIUS messages between the wireless APs of the WISP and the RADIUS servers of service providers or private organizations.
A set of at least two RADIUS servers at each service provider that provides authentication, authorization, and accounting for wireless connections initiated by customers of the service provider.
A set of at least two RADIUS servers or proxies in the perimeter network of each private organization that provides authentication, authorization, and accounting for wireless connections initiated by employees of the private organization.
If RADIUS proxies are used in the perimeter network of the private organization, a set of at least two RADIUS servers is deployed within the private network s intranet.
To provide authentication, authorization, and accounting for its own customers, the WISP can configure its RADIUS proxy computers to act as both a RADIUS proxy (for wireless clients that have benefactors) and a RADIUS server (for wireless clients that either have an existing account with the WISP or enroll with the WISP upon their initial connection).
To ensure the maximum security for RADIUS messages, it is recommended that you use Internet Protocol security (IPSec) with certificate authentication and Encapsulating Security Payload (ESP) to provide data confidentiality, data integrity, and data origin authentication for RADIUS traffic sent between all the RADIUS components. The most important RADIUS traffic to secure is that sent across the Internet. Windows 2000 and Windows Server 2003 support IPSec. To secure RADIUS traffic sent from wireless APs, the wireless APs must also support IPSec. If any of the RADIUS components are behind a Network Address Translator (NAT), you must use IPSec NAT traversal (NAT-T). Windows Server 2003 supports IPSec NAT-T.