User manual ALCATEL-LUCENT OMNIACCESS AOS-W SYSTEM REFERENCE

[. . . ] OmniAccess Reference TM AOS-W System Reference OmniAccess Reference: AOS-W System Reference Copyright Copyright © 2005 Alcatel Internetworking, Inc. Specifications in this manual are subject to change without notice. Originated in the USA. Trademarks AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN, OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess AP 70 are trademarks of Alcatel Internetworking, Inc. in the United States and certain other countries. [. . . ] However, for legacy support it may be done manually through the CLI. This must contain all the elements shown in the example below. (Alcatel) (config) #aaa stateful-authentication dot1x ap-config foo ap-ipaddr 192. 168. 150. 1 radius-server-name rad2-radius-server key fooword Role Mapping SSID Role Mapping 1 Enter the user-rule sub-mode in the CLI. (Alcatel) (config) #aaa derivation-rules user (Alcatel) (user-rule) # 2 Specify the rule for assigning a role based on the client SSID (Alcatel) (user-rule) #set role condition essid equals foo set-value foo-user Encryption Type Role Mapping 1 Enter the user-rule sub-mode in the CLI. (Alcatel) (config) #aaa derivation-rules user (Alcatel) (user-rule) # 2 Specify the rule for assigning a role based on the client SSID (Alcatel) (user-rule) #set role condition encryption-type equals open set-value foo-user Authentication Server Configuration 361 OmniAccess Reference: AOS-W System Reference Notes on Advanced AAA Features The Advanced AAA feature pack for AOS-W unlocks a number of extended authentication and authorization features for enterprise and service provider networks. With the Advanced AAA feature pack, the standard AOS-W authentication features are augmented with the following: Per-SSID selection of authentication server for wireless networks Domain and realm selection of authentication server Dynamic authorization and authentication API using RFC 3576 The Problem Most enterprise networks have a single authentication infrastructure, typically based on directory services such as Microsoft Active Directory or Novell NDS. For these enterprise networks, the standard authentication capabilities of AOS-W are sufficient because all users on the system can be found in the same authentication database. However, a number of occasions arise where multiple distinct authentication infrastructures must be supported. For example, when two companies merge it often takes months or even years for the IT infrastructure to consolidate, meaning that user identity is often contained in multiple different user databases. For these networks, the ability to support multiple authentication systems is critical. For service providers, there also exists a requirement for multiple authentication systems. Service providers often provide wholesale access service for many different companies ­ for example, a virtual hotspot service provider that resells service for three different national ISPs. Service providers also typically offer roaming agreements with other service providers, whereby customers of one service provider are able to connect to the networks of other service providers using their own access credentials. For these service providers, the ability to authenticate against multiple databases is essential. Finally, some enterprise networks also require the ability to provide fine-grained authorization (meaning what a user is permitted to do on the network) control on a per-user basis, where that authorization may change dynamically during a session. For example, an enterprise may wish to enable guest access to the network, but have the ability to shut off guest access to a given user as soon as that user checks out with the front lobby receptionist. In this situation, the lobby receptionist would log the user out through visitor log software, which would then dynamically instruct the Alcatel grid controller to disconnect the user. For this application, a standard API (Application Programming Interface) is required to interface the grid controller to a number of different software packages. 362 Part 031652-00 May 2005 Chapter 16 The AOS-W Solution All the problems outlined above are solved using the Advanced AAA feature pack for Alcatel AOS-W. The feature pack is a collection of authenticationand authorization-related enhancements conveniently packaged together. The feature pack includes the following solutions: Per-SSID Selection of Authentication Server In wireless networks, the SSID (Service Set Identifier) is used to differentiate between different types of services. For example, corporate users may connect to an SSID labeled "Corp" while guest users may connect to "Guest". Each SSID may support different authentication and encryption schemes, and may provide access to different wired networks as well. The per-SSID selection of authentication server feature in AOS-W permits one or more authentication servers to be mapped to each SSID configured in the system. All users connecting to one SSID will be authenticated against one set of servers, while all users connecting to second SSID will be authenticated against a different set of servers. One application for this in enterprise networks is the ability to set up test networks or migration networks, where users must be supported on an existing authentication database while new authentication databases are set up on alternate SSIDs. [. . . ] An SSID is also referred to as a Network Name because essentially it is a name that identifies a wireless network. Glossary 923 OmniAccess Reference: AOS-W System Reference SSL* Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When an SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session Subnetwork or Subnet* Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. Subnets connect to the central network through a router, hub or gateway. [. . . ]