Wifi – Beginner's questions on how RADIUS and WiFi authentication works

captive-portal radius wifi

I am a network admin at a high school in South Africa, running on a Microsoft network. We have approximately 150 PCs around the campus, of which at least 130 are wired to the network. The remaining are staff laptops. All IP addresses are assigned using a DHCP server.

Currently, our wi-fi access is limited to a few locations where those staff are located. We're using WPA with a long key which is not made available to students. To my knowledge, this key is safe.

It would make more sense, however, to use RADIUS authentication but I have some questions about how it works in practice.

  1. Will machines that are added to the domain authenticate automatically to the wi-fi network? Or is it user-based? Can it be both?
  2. Will devices like a PSP / iPod touch / Blackberry / etc. be able to connect to the WiFi network if it uses RADIUS authentication? I would want this to happen.

I do have WAPs that support RADIUS authentication. I would just need to turn the RADIUS functionality on from a MS 2003 Server.

Given the mobile-device requirement, would using a captive portal be better? I know from experience in airports that it can be done (if the device has a browser).

Which brings me to questions regarding Captive portals:

  1. Can I limit the captive portal to Wi-Fi connected devices only? I don't particularly want to have to set up MAC address exceptions for all existing network machines (in my understanding, it just increases the opportunity for MAC address spoofing).
  2. How is this done? Do I have a separate address range for WiFi access devices and then will the captive portal route between the two networks? It is important to emphasise that the WAPs share a physical network with other machines that are not to be captive-portalled.

Your experience and insight will be appreciated!

Philip

Edit: In order to get a little more clarity on whether a Captive Portal is even feasible, I've asked this question.

Best Answer

User authentication for WiFi uses the 802.1x protocol.
To connect, devices need a WPA supplicant such as SecureW2.
Depending on the supplicant you use, you will or will not be able to do SSO with the Windows domain login/password.
iPhone and iPod touch have a built-in WPA supplicant. I don't know for PSP/BB. SecureW2 has a Windows Mobile version.

I'm sure that you could enable a captive portal for WiFi only without having to create two IP networks. You just need to put wireless access in a VLAN and wired access in another VLAN, then put the portal between both VLANs. This is like a transparent firewall.

802.1x needs to have a supplicant on the computers. If the computers that need to use the WiFi are known, you just have to set up the supplicant on them and it's a great solution. If you want to make your wireless access accessible to visitors or things like that, it could be a nightmare because they need the supplicant etc.

A captive portal is a bit less secure and needs users to authenticate manually each time they connect. It can be a bit boring.

A good solution from my point of view is to have both: an 802.1x access that gives you the same as if you were wired on the LAN, and a captive portal that gives you access to fewer things (access to internet port 80, limited access to the local LAN, ...).
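As an added example (not part of the question or the accepted answer), the following Python models the RADIUS exchange (RFC 2865) that sits behind both options discussed above: an access point or captive portal sends an Access-Request to the RADIUS server (the IAS role on the Windows 2003 server mentioned in the question would be such a server), the server answers Access-Accept or Access-Reject, and the shared secret between the two is what hides the password on the wire and lets the client verify that the reply really came from its server. It shows the plain User-Password form a captive portal would typically use; with 802.1x the same framing carries EAP inside EAP-Message attributes instead. The shared secret, usernames, passwords and NAS address are constructed for the demo.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept round trip.

Example code, not from the original post. All credentials and addresses
below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute = Type(1) Length(1, includes this 2-byte header) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # the next block chains on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password: same keystream, chained on ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, username, password, nas_ip, authenticator=None):
    """What the access point / captive portal (the NAS) sends to the server."""
    authenticator = authenticator or os.urandom(16)  # fresh random per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Split Code, Identifier, Authenticator and a {type: value} attribute map."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS side: only a party holding the secret can produce a valid reply."""
    _, req_id, request_auth, _ = parse_packet(request)
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if header[1] != req_id:  # reply must match the outstanding request
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def radius_server(request, secret, users):
    """Toy server: recover the password and answer Accept or Reject."""
    code, _, authenticator, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("expected an Access-Request with User-Password")
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed for the demo
    users = {"philip": "CorrectHorse"}              # constructed user database
    req = build_access_request(secret, 7, "philip", "CorrectHorse", "10.0.1.2")
    resp = radius_server(req, secret, users)
    print("code:", parse_packet(resp)[0], "verified:", verify_response(resp, req, secret))
```

Two points the code makes concrete: the password hiding is only as strong as the shared secret, which is why RADIUS traffic between access points and the server should stay on a trusted wired segment or VLAN rather than crossing the student-reachable network, and a reply signed with a different secret fails verification, so a rogue device cannot hand out Access-Accepts to the access points.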
