Use What You’ve Got! Wireless Authentication with existing Windows Servers
We work with school systems and Universities on a daily basis to create a wireless design that makes sense for them. Budget and funding is of course always part of that discussion as well as technical design. We often get asked questions around how to build server infrastructure to authenticate users to the school wireless network….and what are the related costs. Our first question back to them is “what server infrastructure do you have in place and are you using a directory database?” Most often than not the answer is that they have a Windows domain and they are using Server 2003 or 2008 with Active Directory. This is perfect as Active Directory provides for a fully functioning authentication system to support 802.1x authentications.
This saves money in 2 ways:
1) You can use your existing server infrastructure and licensing (don’t buy more)
2) You will save on operations costs by not having to manage two user data bases. Managing fewer servers is almost always better, managing one data base of users is definitely better.
What is 802.1X authentication?
802.1x authentication is an IEEE standard for authenticating wired and wireless clients on the network. The features of 802.1x are enhanced security, central user authentication, dynamic key management and accounting. What this means is that if you already have a Windows domain in place and you are using Active Directory you already have most of the pieces in place to provide for a highly secure wireless network for your users.
How do you implement 802.1X authentication on your School Wireless Network?
Server 2003 and 2008 have additional components or features that need to be installed in order for the full 802.1x functions to take place. These components are included with the Server OS and are not additional licensing or cost. In Server 2003 the additional components are the Certificate Authority and Internet Authentication Service (IAS). In Server 2008 the additional components are the Certificate Authority and Network Policy Service (NPS). Once these additional components are installed and configured in the server the pieces are in place to support 802.1x authentications.
IMPORTANT: You should purchase a wireless network solution that integrates natively with directory services...and only integrates once.
Many wireless manufacturers propose a standalone authentication appliance to act as the intermediary between the wireless controller and the Windows authentication servers. We recommend solutions to our clients that offer native integration with IAS/NPS and LDAP. Our solution uses the wireless controller as this intermediary and even includes diagnostics for testing successful authentication processes. We have even seen some solutions where each of the access points have to be recognized by the server as a validated authenticator whereas our solution requires the server only knows about the controller. Can you imagine having to enter in hundreds or even thousands of access points into the server manually?
The big takeaway here is that most likely you do not need to purchase anything additional in order to use 802.1x on your wireless network. Use what you have already in place and make sure you choose a wireless solution that does not require additional hardware or manual labor to make 802.1x work for you.