Specifications

Authentication Server Configuration 365
Chapter 16
number of different services to be provided. All users connect to the
network using the same method, and the domain name (realm) supplied when the
user authenticates determines which ISP's authentication server holds the
credentials for that user, so the request can be routed there. This method has
the additional benefit of applying to wired networks as well as wireless networks.
Dynamic Authorization and Authentication API using RFC 3576
RFC 3576 (Dynamic Authorization Extensions to RADIUS) is an IETF RFC that
extends the RADIUS protocol so that the RADIUS server, and not only the network
access server, can initiate a message: a Disconnect-Request to terminate a
user's session, and a Change-of-Authorization (CoA) Request to alter the
authorization of a session that is already established. Alcatel AOS-W implements
this specification as an API (Application Programming Interface) that gives the
authentication server fine-grained control of users after they have
authenticated: disconnecting them from the network, re-assigning their role, and
dynamically updating their policies.
One application for this API is in providing guest access. Nearly all corporate
locations receive visitors, in the form of meeting attendees, vendors,
customers, training class attendees, and so on. These visitors are increasingly
equipped with mobile computing devices such as laptops, and often request or
require access to their home office network or to the Internet. Corporate IT
managers wish to be flexible in providing such access, but at the same time
want to minimize the risk of unauthorized access because of concerns over
legal liability. The ideal goal is to provide customized guest access, allowing
only those services required by each individual visitor and only for the exact
period of time the access is actually required.
One of Alcatel's financial services customers has implemented this customized
access approach using the RFC 3576 API. Visitor log software runs on the
computers used by lobby receptionists. Each visitor to the office is issued a
printed visitor badge that must be worn in the building. When the software
prints the badge, it provisions a temporary username and password on the RADIUS
server and prints those credentials on the badge. The visitor can reach either
the wireless network through a guest SSID or the wired network through any
conference room or public-area Ethernet jack, enters the username and password
on a Web-based captive portal page, and is granted restricted access to the
Internet. When the visitor leaves the office, the badge must be returned to the
lobby receptionist, who logs the departure time; the visitor log software then
deletes the user from the RADIUS server. As soon as this happens, the RADIUS
server sends an RFC 3576 Disconnect-Request to the Alcatel grid controller,
which tears down the user's session and disconnects the user from the network.
Deleting the account alone would not have ended a session that was already
authenticated, which is why the dynamic authorization step matters.
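The exchange the case study relies on, as an added example that is not code from the original page or from Alcatel's product: a RADIUS server builds an RFC 3576 Disconnect-Request for the visitor's User-Name, the controller (the NAS) verifies the Request Authenticator with the shared secret before acting, tears down the matching session, and answers with a Disconnect-ACK, or a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found) when no such session exists. The `Controller` class, the shared secret, and the user names are constructed stand-ins; in a real deployment the request travels over UDP to port 3799 on the controller rather than through a direct method call.

```python
"""RFC 3576 Disconnect-Request / Disconnect-ACK exchange (constructed example)."""
import hashlib
import hmac
import struct

# Packet codes from RFC 3576 section 2.1
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_NAK = 43, 45
# Attribute types (RFC 2865 User-Name, RFC 3576 Error-Cause) and Error-Cause values
ATTR_USER_NAME, ATTR_ERROR_CAUSE = 1, 101
ERR_UNSUPPORTED_EXTENSION, ERR_SESSION_CONTEXT_NOT_FOUND = 406, 503
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_request(code, ident, attrs, secret):
    """Server -> NAS. Request Authenticator = MD5(code|id|len|16 zero bytes|attrs|secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def build_response(code, request, attrs, secret):
    """NAS -> server. Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_request(packet, secret):
    """NAS-side check: Length must match the datagram and the authenticator must verify."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def verify_response(response, request, secret):
    """Server-side check that the ACK/NAK is bound to our request and our shared secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


class Controller:
    """Constructed stand-in for the NAS: active sessions keyed by User-Name."""

    def __init__(self, secret, sessions):
        self.secret, self.sessions = secret, set(sessions)

    def handle(self, packet):
        # RFC 3576 section 3: a request whose authenticator fails MUST be silently discarded.
        if not verify_request(packet, self.secret):
            return None
        if packet[0] == COA_REQUEST:  # CoA not implemented by this toy NAS
            return build_response(COA_NAK, packet, [(ATTR_ERROR_CAUSE, ERR_UNSUPPORTED_EXTENSION)], self.secret)
        if packet[0] != DISCONNECT_REQUEST:
            return None
        try:
            attrs = dict(decode_attrs(packet[HEADER_LEN:]))
        except ValueError:
            return None
        user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        if user in self.sessions:
            self.sessions.discard(user)  # tear down the session, then acknowledge
            return build_response(DISCONNECT_ACK, packet, [], self.secret)
        return build_response(DISCONNECT_NAK, packet, [(ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)], self.secret)


def disconnect_user(controller, user, secret, ident=1):
    """Server side of the badge-return flow; returns (code, error_cause) or None if discarded."""
    request = build_request(DISCONNECT_REQUEST, ident, [(ATTR_USER_NAME, user.encode())], secret)
    response = controller.handle(request)  # real deployments: UDP to port 3799 on the NAS
    if response is None or not verify_response(response, request, secret):
        return None
    cause = dict(decode_attrs(response[HEADER_LEN:])).get(ATTR_ERROR_CAUSE)
    return response[0], (struct.unpack("!I", cause)[0] if cause else None)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed value; use a long random secret in practice
    nas = Controller(SECRET, {"visitor-4711", "alice"})
    print(disconnect_user(nas, "visitor-4711", SECRET))           # (41, None): session torn down
    print(disconnect_user(nas, "visitor-4711", SECRET, ident=2))  # (42, 503): already gone
    print(disconnect_user(nas, "alice", b"wrong-secret"))         # None: silently discarded
```

The authenticator check in `verify_request` is the part that matters operationally: without it, anyone who can send a UDP datagram to port 3799 on the controller could disconnect arbitrary users. RFC 3576 itself notes that the MD5-with-shared-secret construction is weak and recommends protecting the exchange with IPsec, so the shared secret should be long and random and the port reachable only from the RADIUS server.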