My school runs our WiFi network on Aruba controllers. Some of the access points are Aruba-branded and are managed. Others are D-Link branded and need to be configured one by one if needed.

We run our authentication on Captive Portal now, and are now seeing quite some slowdown. We have integration with Active Directory, but it's strictly just for login and password information, and our record set is small, so we can migrate to another directory or database server anytime.

Our options are limited, as there are not a lot of options out there that I know of.

So, here are two ways to go. One is to stick with Captive Portal and possibly start inspecting where the slowdown is. Another is to migrate our database to possibly AD with RADIUS and use that as our RADIUS server for WPA2-Enterprise.

One of my concerns is overall sessions and bandwidth, as we have a single 3600 controller and a little about 1500 potential users (hopefully). With WPA2-Enterprise, they will be online all the time.

Which is more preferable in an educational environment?

Valerio Minetti
Shane Hsu
  • You do know that AD can integrate with RADIUS? As in: you can drive the (Windows-integrated) RADIUS functionality from AD. http://kb.cyberoam.com/default.asp?id=2407 – TomTom Aug 28 '13 at 07:18
  • Yes I do know that, something remote or whatever. We've actually got it working before. – Shane Hsu Aug 28 '13 at 11:32

2 Answers

RADIUS is faster (typically), doesn't rely on the device having a browser and allowing itself to be hijacked by the captive portal, and is generally much cleaner (you get to eliminate the web server and other logic around the portal). The only time it's not preferred is when every user doesn't have an individual username and password, in my opinion.

If the controller is capable of handling the current user load with unprotected traffic it's not a bad bet that it would be able to handle encrypting it too, though it wouldn't be a bad plan to check the designed user maximum for your particular controller.

Falcon Momot
  • From what I understand, RADIUS is just a way to authenticate users. So whether I choose to use Captive Portal or WPA2-Enterprise, I can use RADIUS as my authentication database. My problem is to know which is going to be preferable in a public (educational) environment. I have my concern about WPA2 listed in my question, as it might raise the total user count. – Shane Hsu Aug 29 '13 at 16:03
  • WPA2 with a RADIUS backend will almost always be faster than a captive portal, and is more secure because it allows you to encrypt the traffic at layer 2. – Falcon Momot Aug 29 '13 at 20:50
  • Yes I understand that, but my concern as stated above in my question is that users that authenticate through WPA2-Enterprise are connected all the time when the WiFi is turned on. Users who log in through Captive Portal are not. Is that going to become a big problem? – Shane Hsu Aug 30 '13 at 11:37
  • I doubt it. However, that depends entirely upon whether or not you have enough bandwidth. The controller is extremely unlikely to be the bottleneck. – Falcon Momot Aug 30 '13 at 17:37
  • I see. Thanks for the help. We're investigating a lot of things from switches to architecture. But due to a power outage, it's not our biggest concern right now. Thanks a lot! – Shane Hsu Aug 31 '13 at 07:22

And since you're speaking of Aruba controllers and (way better for testing) new ESSID, have a look at

https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-Aruba

It assiduously lists all the steps you have to follow throughout the controller configuration interface in order to create a new 802.1x wireless network.

vautee