Any and all ideas and feedback for Smoothwall

Radius authentication change

For our BYOD system, we authenticate onto the wireless access points using WPA2 Enterprise. The APs point to Microsoft NPS for RADIUS authentication.
This means we can control who can authenticate onto the APs at the point of entry. We are strict about who can do this, by way of Active Directory group membership, which users are added to once they have signed a T&C.

I know the Smoothwall has some RADIUS authentication support, but this will authenticate anyone with a valid AD account. Whilst we could control what web filtering the client receives (and could use the AD group to block all web traffic to those not in the allowed group), this would not be appropriate as it would overload the APs.

Our Access Points currently load balance up to around 30 clients per AP, but we only have the capacity across the site to cater for just 6th Form and staff. We simply don't have enough APs to cope with potentially 2100 students attempting to connect.

Unfortunately our Access Points (Ubiquiti UniFi) do not support RADIUS accounting, nor do they support RADIUS-based VLANs. I have inspected the packets in Wireshark and can confirm that there is no usable data beyond the initial authentication.

As we are limited in the number of available SSIDs on our APs, I do not have the capacity to split Staff and Students into separate SSIDs, and don't really want to either.

Ideally, I would like to point the access points at the Smoothwall for RADIUS auth. How the Smoothwall then handles the request is exactly what this RFC is about!

Ideally, it would be possible to define what constitutes valid authentication (so if you're not in a particular group in AD, you fail auth).

If that's simply not possible, then it would be nice for the Smoothwall to effectively act as a pass-through RADIUS authentication client, forwarding the WPA2 Enterprise authentication request from the APs, through the Smoothwall, to Microsoft NPS (and back again). This way, hopefully the Smoothwall would be able to 'see' the user authentication information. I'm not sure if this is possible either (encryption), although the Smoothwall would know the shared secret.

Without either of these methods implemented, there's simply no workaround I can think of which would allow more granular BYOD policies for my users. At the moment everyone is getting a Student Plus type policy, but it's not ideal.

12 votes

Anonymous shared this idea
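Added example (editor's, not part of the original idea or any Smoothwall code): what a pass-through proxy sitting between the APs and NPS could actually verify and read from one WPA2 Enterprise authentication, given only the shared secret. The packets, the identity jbloggs@school.example, the AP address, the client MAC and the secret are all constructed for illustration. It shows two things the post asks about: the shared secret is enough to check the Message-Authenticator on the Access-Request and the Response Authenticator on NPS's answer, so the proxy can trust the Accept/Reject verdict it relays (and detect a forged one); and the only user identity it gets from the request is the outer EAP identity, plus the client MAC in Calling-Station-Id, because with PEAP or EAP-TTLS the real credentials travel inside a TLS tunnel that terminates on NPS.

```python
"""RADIUS Access-Request / Access-Accept framing (RFC 2865) with the Message-Authenticator
that EAP exchanges require (RFC 3579), as seen by a pass-through proxy holding the shared
secret.  Every packet, name and secret below is constructed; nothing came from a real AP/NPS."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

SECRET = b"testing123"        # constructed shared secret (AP <-> proxy <-> NPS)
REQ_AUTH = bytes(range(16))   # constructed Request Authenticator (random in real use)

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def parse_attrs(packet):
    """Return [(type, value), ...] after checking the packet length and each attribute length."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

def build_packet(code, ident, req_auth, attrs, secret):
    """Build a packet ending in a Message-Authenticator (HMAC-MD5 over the packet with that
    attribute zeroed).  A response is keyed over the *request* authenticator and then gets
    the Response Authenticator = MD5(Code + ID + Length + ReqAuth + Attrs + Secret)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    if code != ACCESS_REQUEST:
        resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
        pkt = pkt[:4] + resp_auth + pkt[20:]
    return pkt

def verify_message_authenticator(packet, secret, req_auth=None):
    """Recompute the HMAC-MD5; for a response, pass the authenticator of the matching request."""
    auth, pos = req_auth or packet[4:20], 20
    for t, v in parse_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:4] + auth + packet[20:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += 2 + len(v)
    return False  # EAP exchanges must carry one (RFC 3579 s3.2); absence is a failure

def verify_response_authenticator(response, req_auth, secret):
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def proxy_view(request, response, secret):
    """What a proxy between AP and NPS learns from one exchange once both integrity values
    check out.  'user' is only the outer EAP identity; with PEAP/EAP-TTLS the inner
    identity and credentials are inside the TLS tunnel that only NPS can open."""
    req_auth = request[4:20]
    if not verify_message_authenticator(request, secret):
        raise ValueError("Access-Request failed Message-Authenticator check")
    if not verify_response_authenticator(response, req_auth, secret):
        raise ValueError("response failed Response Authenticator check")
    if not verify_message_authenticator(response, secret, req_auth):
        raise ValueError("response failed Message-Authenticator check")
    attrs = dict(parse_attrs(request))
    return {
        "user": attrs.get(USER_NAME, b"").decode(),
        "mac": attrs.get(CALLING_STATION_ID, b"").decode(),
        "eap": EAP_MESSAGE in attrs,
        "accepted": response[0] == ACCESS_ACCEPT,
    }

def is_trusted(request, response, secret):
    """True only if every integrity check in proxy_view passes."""
    try:
        proxy_view(request, response, secret)
        return True
    except (ValueError, struct.error):
        return False

def sample_exchange():
    """A constructed EAP-Response/Identity relayed by an AP, and NPS's Access-Accept for it."""
    identity = b"jbloggs@school.example"  # hypothetical outer identity sent by the supplicant
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity  # EAP Response/Identity
    request = build_packet(ACCESS_REQUEST, 7, REQ_AUTH, [
        (USER_NAME, identity),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),       # hypothetical AP address
        (CALLING_STATION_ID, b"AA-BB-CC-11-22-33"),  # client MAC as the AP reports it
        (EAP_MESSAGE, eap),
    ], SECRET)
    response = build_packet(ACCESS_ACCEPT, 7, REQ_AUTH, [], SECRET)
    return request, response

if __name__ == "__main__":
    req, resp = sample_exchange()
    print(proxy_view(req, resp, SECRET))
    forged = bytes([ACCESS_REJECT]) + resp[1:]  # flip the verdict without knowing the secret
    print("forged response trusted:", is_trusted(req, forged, SECRET))
```

Two caveats for anyone building this for real. First, a supplicant can set its outer identity to something like anonymous@realm, so a user-to-MAC mapping built from the request's User-Name is not reliable; RFC 2865 allows the server to return User-Name in the Access-Accept, so check what NPS actually sends back before depending on it. Second, RADIUS integrity rests on MD5 and a shared secret, so the extra hop between AP, proxy and NPS belongs on a trusted management network or on RADIUS over TLS (RadSec, RFC 6614).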

1 comment