I've got a question from a customer who has a WLAN environment and wants to implement UAC.
The questions are:
- How does the authentication process work from the first time a client joins the SSID?
- Can we automatically assign the VLAN for a user that authenticates?
- Is it possible to assign a user that authenticates to UAC but is unauthorised to a quarantine VLAN?
Thanks in advance.
First of all, I should say that I am not a major expert on UAC, but I am very familiar with WLAN authentication and I have a good idea of how that would integrate with UAC.
The WLAN authentication for UAC would differ little from a regular 802.1X authentication process for WLAN. The Infranet Controller in UAC contains a RADIUS server, which performs the function of 'authentication server' in the traditional 802.1X process (the AP is the authenticator and the wireless device runs the supplicant).
So, from first association, the process (at a very high level and very approximately) goes like this...
1. Wireless client associates and supplicant sends a message asking the authenticator to start the auth process.
2. Authenticator sends a request to the Authentication Server.
3. Authentication server sends back a message to the Authenticator asking the supplicant to authenticate. This includes the public key of the authentication server. The authenticator converts it from a RADIUS packet to an EAPOL packet and sends it to the supplicant.
4. The supplicant sends back the user's credentials encrypted with the authentication server's public key in an EAPOL packet.
5. The authenticator puts the EAP message into a RADIUS packet and sends it to the authentication server.
6. The authentication server decides whether the credentials are good or not. If good, it builds an Access-Accept message which may contain attributes to tell the authenticator how to handle this user (e.g. the VLAN on which the user should be placed). The authenticator and supplicant use this information to generate a shared key to encrypt the data over the wireless. If bad, the authentication server sends back an Access-Reject and the port remains blocked.
The mechanism used to identify the VLAN on which the user is placed is *usually* based on the three reply attributes Tunnel-Private-Group-ID (the VLAN tag), Tunnel-Type (6) and Tunnel-Medium-Type (13), although some vendors have in the past used VSAs for this purpose.
The behaviour in the case of an unauthorised user is normally handled by the authenticator (the access point or switch). Some have a default fallback mechanism that allows a quarantine (or guest) VLAN. Others don't. But it's not really a function of UAC.
Now, if you want to use the enhanced features of UAC, then you'll need to use EAP-TTLS/EAP-JUAC as your authentication methods. Everything else stays the same.
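The VLAN-assignment part of step 6 and the quarantine question, as an added example that is not part of the answer above and not Juniper's or any vendor's code. It builds the Access-Accept the authentication server sends (RFC 2865 packet layout, Response Authenticator over the request's authenticator and the shared secret) with the three RFC 3580 reply attributes, and then shows what a careful authenticator (AP or switch) does with it: verify the authenticator before trusting anything, extract the VLAN only when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID all carry the same tag and sane values, and fall back to a locally configured guest/quarantine VLAN on Access-Reject. Attribute numbers and values are from RFC 2868/3580: Tunnel-Type is attribute 64 with value 13 for VLAN, Tunnel-Medium-Type is attribute 65 with value 6 for IEEE-802, Tunnel-Private-Group-ID is attribute 81. The shared secret, request authenticator, VLAN numbers and the guest-VLAN parameter are constructed for the example; nothing is sent on the wire.

```python
"""Added example (not from the original post): RADIUS Access-Accept with
RFC 3580 VLAN attributes, built server-side and checked NAS-side."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580 s.3.31: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580 s.3.32: Tunnel-Medium-Type value for 802


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: the high octet of the 4-octet value is the tag."""
    data = struct.pack(">I", (tag << 24) | (value & 0x00FFFFFF))
    return struct.pack(">BB", attr_type, 2 + len(data)) + data


def tagged_string(attr_type, tag, value):
    """RFC 2868 tagged string: leading octet 0x01..0x1F is the tag (0x00 = none)."""
    data = bytes([tag]) + value.encode()
    return struct.pack(">BB", attr_type, 2 + len(data)) + data


def finish_reply(code, identifier, request_authenticator, secret, attrs):
    # RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def build_access_accept(identifier, request_authenticator, secret, vlan_id, tag=1):
    """Server side: Access-Accept telling the NAS to place the port on vlan_id."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    return finish_reply(ACCESS_ACCEPT, identifier, request_authenticator, secret, attrs)


def build_access_reject(identifier, request_authenticator, secret):
    """Server side: bare Access-Reject; the quarantine decision is left to the NAS."""
    return finish_reply(ACCESS_REJECT, identifier, request_authenticator, secret, b"")


def verify_response(packet, request_authenticator, secret):
    """NAS side: recompute the Response Authenticator and compare in constant time.
    Skipping this would let a spoofed Access-Accept steer a client onto any VLAN."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Return (type, value) pairs from the attribute area, length-checked."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def vlan_from_accept(packet):
    """VLAN ID from the tunnel attributes; None if there are none (NAS keeps its
    default VLAN); ValueError if they are present but not a valid VLAN assignment."""
    groups = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tag = value[0] if value[0] <= 0x1F else 0   # >0x1F: untagged
            num = int.from_bytes(value[1:] if tag else value, "big")
            groups.setdefault(tag, {})[attr_type] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            tag = value[0] if value[0] <= 0x1F else 0
            text = value[1:] if value[0] <= 0x1F else value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    if not groups:
        return None
    for group in groups.values():   # all three must share one tag (RFC 3580)
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = group.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    raise ValueError("tunnel attributes present but not a valid VLAN assignment")


def nas_decision(packet, request_authenticator, secret, guest_vlan=None):
    """Authenticator's decision: ('accept', vlan-or-None) for a valid Access-Accept,
    ('reject', guest_vlan) on Access-Reject when a guest/quarantine VLAN is
    configured locally, ('reject', None) for anything that fails verification."""
    if not verify_response(packet, request_authenticator, secret):
        return ("reject", None)
    if packet[0] == ACCESS_ACCEPT:
        try:
            return ("accept", vlan_from_accept(packet))
        except ValueError:
            return ("reject", None)   # fail closed on a malformed assignment
    return ("reject", guest_vlan)
```

The quarantine fallback lives entirely in `nas_decision`, matching the point above that it is the authenticator's feature, not the RADIUS server's: the server only ever says accept-with-VLAN or reject. The fail-closed branches (bad authenticator, inconsistent tunnel attributes, VLAN outside 1..4094) are the checks worth confirming on real APs and switches, since an authenticator that silently keeps its default VLAN on a malformed reply gives a different result from one that drops the client.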