Captive portal architecture - internal or external?

0

I am interested in captive portal architecture. Initially my understanding was that places such as airports and internet cafes would have all the RADIUS and AAA infrastructure on the local side of the firewall. After looking at WISP (wireless internet service provider) models, my initial ideas seemed wrong. Even if a company offers several different public wifi hotspots, would they still potentially keep the AAA server, captive portal web server and RADIUS internals on the local side of the firewall?

If they kept the RADIUS and AAA servers centralised, would they connect to this via a VPN from the firewall and have a non-VPN out onto the internet for after the users have been authenticated?

I am just trying to understand a general architecture for public wifi.

Shalom

Posted 2011-12-30T11:59:35.467

Reputation: 1

Answers

0

Here's an example


It makes sense to centralise the AAA service if you are providing infrastructure for multiple hotspots (e.g. independent site-operators each of whom receive income from a business providing the hotspot equipment and back-end service) - apart from anything else, you want customers to register once and then be able to use any of your hotspots without separate re-registration. A centralised (or regional) AAA service is likely to be easier to manage than a fully decentralised system.

Obviously, it is important that the hotspot gateway is able to communicate with the AAA-server securely over a public network. RADIUS is a commonly used AAA protocol but while a RADIUS client encrypts passwords to be transmitted to RADIUS server, there are concerns about the strength of RADIUS. A VPN between RADIUS client and server is one way to provide some additional security.

User traffic would be unaffected by a VPN used for RADIUS.

RedGrittyBrick

Posted 2011-12-30T11:59:35.467

Reputation: 70 632

Hi, thanks for that! Just one small question, your last statement: "User traffic would be unaffected by a VPN used for RADIUS", are you saying that once a user starts to use the internet this would also go through the VPN, to the provider's server and THEN onto the internet? I guess this would allow easier monitoring and billing, rather than access the internet from the firewall but have to constantly send RADIUS packets from the user to the provider (so that the provider can bill accordingly)? – Shalom – 2011-12-30T14:15:39.890

@Shalom: No, I'm saying the opposite of that. Only traffic addressed to the AAA server would be routed into the VPN tunnel. – RedGrittyBrick – 2011-12-30T14:20:36.303

So in order to keep track of the internet usage it would be normal (and acceptable) for the AP to transmit RADIUS protocol messages back through the VPN to the AAA server? – Shalom – 2011-12-30T14:39:39.070
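As an added illustration of the points made in the answer and the comments (this is not code from the thread or from any product mentioned in it), the following Python models the RADIUS client side of a hotspot gateway: it builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, builds RFC 2866 Accounting-Request messages (Start/Stop with octet counters, the kind of usage record the last comment asks about), lets a server verify the accounting authenticator, and applies the routing rule from the answer, in which only datagrams addressed to the AAA server enter the VPN tunnel while authenticated user traffic leaves directly via the WAN. The AAA address, tunnel subnet, shared secret and user credentials are constructed sample values, and the interface names `tun0`/`wan0` are assumptions. Seeing the password hiding spelled out also shows why the answer recommends a VPN: the scheme is reversible by anyone who knows the shared secret and rests on MD5.

```python
"""Toy hotspot-gateway RADIUS client and routing policy (added example).

All addresses, secrets and credentials below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed topology: the central AAA server is only reachable through the VPN.
VPN_SUBNET = ipaddress.ip_network("10.200.0.0/24")      # assumed tunnel subnet
AAA_SERVER = ipaddress.ip_address("10.200.0.5")          # assumed AAA address
SHARED_SECRET = b"example-shared-secret"                 # constructed, not real

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4                # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types
ATTR_ACCT_STATUS, ATTR_ACCT_INPUT, ATTR_ACCT_OUTPUT, ATTR_ACCT_SESSION = 40, 42, 43, 44
ACCT_START, ACCT_STOP = 1, 2                             # Acct-Status-Type values


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as done by the RADIUS client.

    The password is zero-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous ciphertext block); the first block uses
    the Request Authenticator. Anyone holding the secret can reverse this.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same scheme; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(user: bytes, password: bytes, ident: int = 1, req_auth: bytes = None) -> bytes:
    """Access-Request with a random Request Authenticator and hidden password."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def accounting_request(status: int, session_id: bytes, ident: int,
                       in_octets: int = 0, out_octets: int = 0) -> bytes:
    """RFC 2866 Accounting-Request (Start/Stop usage record sent to the AAA server).

    Its authenticator is MD5 over the packet with 16 zero bytes in the
    authenticator field, followed by the shared secret, so the server can
    check that the record came from a gateway that knows the secret.
    """
    attrs = (attr(ATTR_ACCT_STATUS, struct.pack("!I", status))
             + attr(ATTR_ACCT_SESSION, session_id)
             + attr(ATTR_ACCT_INPUT, struct.pack("!I", in_octets))
             + attr(ATTR_ACCT_OUTPUT, struct.pack("!I", out_octets)))
    zeroed = build_packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs)
    auth = hashlib.md5(zeroed + SHARED_SECRET).digest()
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)


def verify_accounting(packet: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Server-side check of an Accounting-Request authenticator."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def egress_interface(dst_ip: str) -> str:
    """Routing rule from the answer: only AAA-bound datagrams enter the tunnel;
    everything else (the authenticated users' web traffic) goes straight to the WAN."""
    return "tun0" if ipaddress.ip_address(dst_ip) in VPN_SUBNET else "wan0"


if __name__ == "__main__":
    pkt = access_request(b"alice", b"s3cret", ident=7)
    print("Access-Request bytes:", len(pkt), "via", egress_interface(str(AAA_SERVER)))
    stop = accounting_request(ACCT_STOP, b"sess-0001", 9, in_octets=1000, out_octets=5000)
    print("Accounting-Stop verifies:", verify_accounting(stop))
    print("User web traffic to 198.51.100.7 leaves via", egress_interface("198.51.100.7"))
```

Note that `verify_accounting` rejects a record whose octet counters were altered in transit, but it cannot protect the password in an Access-Request from anyone who learns the shared secret; that gap is what carrying the RADIUS exchange inside a VPN is meant to cover.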