RADIUSdesk

logo
Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
technical:ppsk-1ssid-2networks [2023/03/09 15:10]
admin [The RADIUS side] 		technical:ppsk-1ssid-2networks [2024/02/05 18:49] (current)
admin [Introduction]
Line 1: Line 1:
 ====== Private PSK 1 SSID Two Networks ====== ====== Private PSK 1 SSID Two Networks ======
 ===== Introduction ===== ===== Introduction =====
 +<WRAP center round alert 100%>
 +  * Please note that of Feb 2024 this component is under active development to make it even more feature rich and easy to use.
 +  * Do check back here in order to find out when the development is completed and ready for production.
 +</WRAP>
 +
 +
   * This is our first use case and a very simple implementation.   * This is our first use case and a very simple implementation.
   * With this implementation we will:   * With this implementation we will:
Line 14: Line 20:
 ===== The AP side ===== ===== The AP side =====
   * We will start with the configuration of the Access Point in AP Desk.   * We will start with the configuration of the Access Point in AP Desk.
-  * Select a cloud to work in and to to **Networks** -> **AP Profiles**. Click on the **Add** button. +  * Select a cloud to work in and go to **Networks** -> **AP Profiles**. Click on the **Add** button. 
-  * Here we create an AP Profiles called **Campus PSK**.+  * Here we create an AP Profile called **Campus PSK**.
 {{:technical:psk:ap_profile_new.png?nolink|}} {{:technical:psk:ap_profile_new.png?nolink|}}
   * After we created it we will edit it.   * After we created it we will edit it.
Line 72: Line 78:
         * A Profile used for user registration. This Profile will reply with Tunnel-Password 12345678.         * A Profile used for user registration. This Profile will reply with Tunnel-Password 12345678.
         * A Login Page with User Registration Enabled and //Auto-add device after authentication// checked.         * A Login Page with User Registration Enabled and //Auto-add device after authentication// checked.
-        * +
 ==== RADIUS related workflow ==== ==== RADIUS related workflow ====
  
Line 78: Line 84:
   * With User Registration enabled; they can register.   * With User Registration enabled; they can register.
   * The User Registration will be configured as such that after the user register and log in, the device they logged in with will be automatically associated with them.   * The User Registration will be configured as such that after the user register and log in, the device they logged in with will be automatically associated with them.
-  * Should the user wish to associate any other devices they just will be redirected to the captive portal where they can use the existing username and password they already registered with to log in.+  * Should the user wish to associate any other devices they will be redirected to the captive portal where they can use the existing username and password they already registered with to log in.
   * Those devices will be also automatically associated with them.   * Those devices will be also automatically associated with them.
   * Once they disconnect and connect again to the WiFi network they will now be directly on the LAN.   * Once they disconnect and connect again to the WiFi network they will now be directly on the LAN.
Line 94: Line 100:
   * Then edit it after you added it.   * Then edit it after you added it.
   * The following section is very important to specify the Type   * The following section is very important to specify the Type
-  * We specify Type as **Private PSK**.+  * We specify Type as **Private PSK**.
   * We also specify a default VLAN and default key (This matches the values we specified earlier with the SSID)   * We also specify a default VLAN and default key (This matches the values we specified earlier with the SSID)
-  * Then we also opt for the logging of MAC Addresses.+  * Then we also opt for the logging of MAC Addresses. (This is handy for IOT devices and Printers)
   * These are MAC Addresses which are not known to RADIUS and which will be directed to VLAN5 (Our Captive Portal)   * These are MAC Addresses which are not known to RADIUS and which will be directed to VLAN5 (Our Captive Portal)
 {{:technical:psk:ap_profile_radius_type.png?nolink|}} {{:technical:psk:ap_profile_radius_type.png?nolink|}}
   * Save everything and try to connect to the SSID.   * Save everything and try to connect to the SSID.
   * If everything works correct you should be redirected to the Captive Portal's Login Page.   * If everything works correct you should be redirected to the Captive Portal's Login Page.
 +
 +==== Profile for Registered Users ====
 +  * RADIUSdesk has an option that allow for users to register through the captive portal login page.
 +  * The registered user has to belong the a realm and have a profile.
 +  * We will now create the profile. 
 +  * Our profile will be very simple and just reply with the Tunnel-Password (PSK) which we will make *12345678*.
 +  * Navigate to RADIUS -> Profiles. Click on **Add**.
 +  * We create one called **CampusPSK-Student**.
 +  * Keep the defaults (no limits imposed) and click **Save**.
 +  * You will see that the system created a Profile Component and associated it with the profile.
 +  * In our case its called **SimpleAdd_59**.
 +  * Edit the Profile Component called **SimpleAdd_59** and add a Reply attribute of Tunnel-Password := 12345678.  
 +{{:technical:ap_profile_user_reg_profile.png?nolink|}}
 +  * Now everything is in place for us to configure user registration in the login page.
 +
 +==== Enable User Registration ====
 +  * Go to Login and select the login page that you use for the captive portal.
 +  * Edit its settings and enable user registration.
 +  * Make sure you also selected **Auto-add device after authentication**.
 +  * Save it.
 +  * Everything is now ready to test.
 +
 +===== Final Testing =====
 +  * Connect to the Captive Portal.
 +  * You Login Page should look similar to the one below.
 +{{:technical:psk:ppsk_login.jpeg?nolink&400|}}
 +  * After you register and logged in you can confirm that the user's MAC Address has been associated with them.
 +  * Ask the user to leave the WiFi network and connect again.
 +  * The user should now be connected directly onto the LAN through the WiFi.
 +  * Here we see under Activity Monitor that the user is connected using PPSK (Our NAS Identifier uses a convention with **ppsk** in the value.
 +{{:technical:ap_profile_user_ppsk_nas.png?nolink|}}
 +
 +===== Devices Without Browsers =====
 +  * The Captive Portal works well for adding devices what has a browser.
 +  * Some devices however needs access to the WiFi network but they do not have any screen to pop up a browser.
 +  * These include sensors, WiFi Cameras and Printers.
 +  * For these we have a handy applet that can be launched from Users -> Permanent Users.
 +  * The **Devices Without Owners** applet will list all the MAC Addresses which connected to the SSID and were assigned to the default VLAN.
 +{{:technical:psk:ap_profile_devices_no_owners.png?nolink|}}
 +  * We also give an indication when last it was seen on the network which makes it even more easy to locate.
 +  * On top of that we offer the opportunity to give them an alias in case you need to tag those devices first. 
 +  * Then you can attach them to a permanent user.
 +  * Our recommendation is to have a dedicated special Permanent User for a class of devices. e.g. su-printers for printers and su-cameras (su is short for special user).
 +
 +===== Banning Devices =====
 +  * You might ask, since all the users will have a common PSK, will it be possible to stop a specific device from gaining access to the network **without** forcing all the other devices to change the PSK they are configured with.
 +  * Yes it is possible.
 +  * Simply navigate to the BYOD applet and select the device(es) you want to stop the select the Enable / Disable button to complete the action. 
 +
 +
 +
 +
 +
 +
 +
 +
  
  
Last modified: 2023/03/09 15:10