SSL Bandwidth

SOLVED
absinthedjesus_
Occasional Contributor

SSL Bandwidth

Hi

I am wanting to deploy SSL as an authentication mechanism at a remote site for the WIFI. The VPN will however be at head office. When a user authenticates and the session is active, how long does that session stay active? How often during the session does the client machine talk to the SA device, and when it does, how chatty is the VPN?

I know that the VPN assigns an IP address with which I can then gain access to the gateway and the network, but how does the VPN know that the session is still live, and how much bandwidth would it consume?

i.e.: potential 300 users on SSL VPN (WIFI), and many other wired hosts across a 100mb wireless link???

Any stats anyone?

Thanks

1 ACCEPTED SOLUTION

Jickfoo_
Super Contributor

Re: SSL Bandwidth

You can configure idle time-outs for the role/realm your users are utilizing.

The VPN session traffic itself is not chatty. You have the option to ignore "background traffic" as part of the idle counters. Overall the idle timeout feature does work. It can distinguish background noise from user-initiated traffic.

Bandwidth consumption depends solely on how much the users are requesting. If you have 300 concurrent users attaching through Wi-Fi at say 54 Mbps, I would assume that your 100Mbps line will be oversubscribed. (Maybe not, they certainly will not all be initiating at the same time, but it is definitely a potential bottleneck.)

Personally, I wouldn't use SSLVPN for Wi-Fi authentication and encryption. What type of WiFi are you using? Get a small Juniper UAC box, use PEAP for authentication and WPA2 for encryption. You can even do host checking.

Low on funds? You can do PEAP with Microsoft IAS (free), and most WiFi products will support WPA2. This can seamlessly authenticate users to their Windows ID. It works well.

Good Luck..
Justin

absinthedjesus_
Occasional Contributor

Re: SSL Bandwidth

Hi Justin

Thanks for the information. We use SSL authenticating to an external server DB, with Aruba handling the WIFI. Once a session is initiated with the SSL and an IP is assigned, how does the session work? Is all traffic then passing through the Juniper and back, kinda using the Juniper as a proxy for everything, or is there a periodic lookup by the Juniper to see if the session is still valid? As an authentication mechanism, LDAP or RADIUS are preferred, so they have to integrate. The WIFI solution had to be a 'fiddle' free solution. My concern is that having the Juniper on one end of the WAN, and the WIFI users at the other end, that the WAN link will become saturated with all Juniper traffic, and normal network users will suffer.

Thanks again

Message Edited by absinthedjesus on 08-25-2008 03:45 PM
Jickfoo_
Super Contributor

Re: SSL Bandwidth

Yes, the SSLVPN will become the default gateway for all traffic. So if you have an SSLVPN in Chicago and your users log in to the wireless from Atlanta, then log in to the SSLVPN traffic in Chicago, all traffic initiated from Atlanta (even traffic destined for Atlanta) must first go to Chicago, through the SSLVPN, then back to Atlanta.

I wouldn't use a VPN for WiFi authentication services. Do PEAP through IAS, and ask your Aruba rep about HREAP-like services. (HREAP allows local jump-off from the access point instead of trunking all the traffic back to the controller.) HREAP is a Cisco term but Aruba does something similar.

Message Edited by Jickfoo on 08-25-2008 09:31 PM