The following example describes how the components of a
When a new user connects and establishes an account, the following four basic stages occur:
1. The user discovers the network at a Wi-Fi hotspot.
2. The user authenticates as guest.
3. The client is provisioned and the user establishes an account.
4. The user is authenticated using the new account credentials.
In the next section we will look at these stages in more detail.
When a user arrives at the Wi-Fi hotspot with a portable computer running Windows XP Home Edition with SP2, Windows XP Tablet PC Edition with SP2, or Windows XP Professional with SP2, the computer comes within range of the access point beacon.
Wireless auto configuration on the client computer detects the beacon information from the access point, which is configured to broadcast its Service Set Identifier (SSID). The SSID is equivalent to the network name.
The user is informed by Windows XP that a wireless network is available. In this example, the user is employed by a business partner of the enterprise, and is provided by the enterprise with a promotion code to use for account establishment. The user proceeds by clicking Connect.
Wireless Auto Configuration uses 802.1X and PEAP guest authentication to connect to the enterprise perimeter network through the access point, automatically passing a null user name and a blank password to the IAS proxy, which forwards the message to the IAS server. The access point is connected to a VLAN-aware gateway device that allows traffic from the client to pass through the Network Resource VLAN, but blocks the client from access to the Internet VLAN.
The IAS server is the PEAP authenticator and
Server authentication is performed when the IAS server verifies its identity to the client computer using a certificate that contains the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. This certificate is issued by a public trusted root CA that the client computer trusts.
The IAS server authenticates and authorizes the customer as guest. The Access-Challenge message that the IAS server sends to the client carries a URL PEAP-TLV, which contains the URL of the provisioning server and thereby tells the client where to find the XML master file.
The client computer receives an IP address lease from the DHCP server. The address is from a public IP address range configured in a scope on the DHCP server. In addition to the IP address, the client receives DHCP options, such as the DNS server IP address.
The XML master file on the provisioning server contains pointers to the XML subfiles. The client downloads the XML master file and subfiles. When the XML sign-up schema is downloaded, the sign-up wizard is started on the client to allow the user to create an account.
Using the sign-up wizard on the client computer, the user steps through the process of signing up for an account. The customer enters the promotion code as well as personal data such as name, employer, and job title. The data entered by the user is converted into an XML document.
The XML document containing the user's sign-up data is sent to the XML-forwarder Web application on the provisioning server.
The XML-forwarder Web application on the provisioning server sends the XML document to the account processing application on the account processing server.
The account processing application checks the promotion code entered by the user against the promotion code database on the SQL server. If the promotion code is valid, the account processing Web application continues processing the user's data.
The account processing Web application reads the domain and security group information from the promotion code database on the SQL server. The account processing application creates a user account in Active Directory and adds the account to the security group. The application also enters the new user name in the promotion code database.
An XML document containing the new account credentials is sent from the account processing server to the XML-forwarder application on the provisioning server; the XML-forwarder application passes the XML document to the client computer. The client computer uses the credentials to configure wireless auto configuration and 802.1X under the name of the enterprise.
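The account-processing steps above (validate the promotion code, read the domain and security group it maps to, create the account, record the new user name, return credentials as XML) can be shown as a small model. This is an added example, not Microsoft's or the provisioning server's code: the promotion-code database, the directory, the element names in the sign-up document and the sample sign-up itself are constructed for the example, and the real WPS sign-up schema is not reproduced.

```python
"""Model of the account processing application's handling of one sign-up.

Added example; the PROMO_DB, DIRECTORY and XML element names are constructed
stand-ins, not the real schema or the SQL/Active Directory stores.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed stand-in for the promotion code database on the SQL server:
# each code maps to the domain and security group for new accounts, plus the
# user names already issued against it.
PROMO_DB = {
    "PARTNER-2024": {"domain": "example.com", "group": "WLAN Customers", "issued": []},
}

# Constructed stand-in for the Active Directory user accounts database.
DIRECTORY = {}  # username -> {"domain", "groups", "password"}

# Constructed sign-up document, the shape of what the sign-up wizard would send.
SAMPLE_SIGNUP = """<signup>
  <promotionCode>PARTNER-2024</promotionCode>
  <name>Ana Popescu</name>
  <employer>Partner Ltd</employer>
  <jobTitle>Analyst</jobTitle>
</signup>"""


def parse_signup(xml_text: str) -> dict:
    """Extract the fields the wizard collected; a missing or empty field is an error.

    The document comes from an unauthenticated guest, so every field is treated
    as untrusted input and nothing is used until it has been checked.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("promotionCode", "name", "employer", "jobTitle"):
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"sign-up document lacks <{tag}>")
        fields[tag] = node.text.strip()
    return fields


def make_username(full_name: str) -> str:
    """Derive a unique, ASCII-only account name from the entered name (constructed rule)."""
    base = "".join(c for c in full_name.lower() if c.isascii() and c.isalnum())[:16] or "user"
    candidate, n = base, 1
    while candidate in DIRECTORY:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def process_signup(xml_text: str) -> Optional[dict]:
    """Validate the promotion code, create the account, and return the credentials.

    Returns None when the promotion code is not in the database: the check
    happens before any of the user's other data is acted on.
    """
    data = parse_signup(xml_text)
    promo = PROMO_DB.get(data["promotionCode"])
    if promo is None:
        return None
    username = make_username(data["name"])
    password = secrets.token_urlsafe(16)  # random initial password for the new account
    DIRECTORY[username] = {
        "domain": promo["domain"],
        "groups": {promo["group"]},  # security group read from the promotion code record
        "password": password,
    }
    promo["issued"].append(username)  # record the new user name against the code
    return {"domain": promo["domain"], "username": username, "password": password}


def credentials_document(creds: dict) -> str:
    """Serialize the credentials for the XML-forwarder to pass back to the client."""
    root = ET.Element("credentials")
    for key in ("domain", "username", "password"):
        ET.SubElement(root, key).text = creds[key]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    creds = process_signup(SAMPLE_SIGNUP)
    print(credentials_document(creds) if creds else "promotion code rejected")
```

The promotion code is the only thing standing between an anonymous guest and a directory account, so the model looks it up before touching any other field and records which user names were issued under each code, which gives an administrator a trail to audit if a code is abused.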
Wireless auto configuration restarts the association to the SSID for the enterprise WLAN.
Wireless auto configuration finds the correct 802.11 profile, which was downloaded with the other network information, and re-associates with the access point using that profile.
802.1X restarts the authentication process using PEAP-MS-CHAP v2 and the new account credentials.
As the client starts the authentication process with
PEAP-MS-CHAP v2 authentication, a
In the second stage of PEAP-MS-CHAP v2 authentication, the IAS server authenticates and authorizes the connection request against the new account in the Active Directory user accounts database. The IAS server sends an Access-Accept message to the access point. Included in the Access-Accept message are attributes that specify which VLAN the customer can access.
The access point instructs the gateway device to assign the client to the Internet VLAN rather than the Network Resource VLAN.
The gateway device switches the client to the Internet VLAN, and the customer is provided with access to the Internet.
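The two authorization decisions the IAS server makes, guest authentication with the URL PEAP-TLV in stage 2 and the Access-Accept with VLAN attributes in stage 4, can be modelled together. This is an added example, not Microsoft's or IAS's code. The VLAN attribute numbers and values are the standard RADIUS ones from RFC 2868 and RFC 3580 (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81 = VLAN ID), which is how a RADIUS server tells an 802.1X access point which VLAN to assign. The URL PEAP-TLV is represented as a dictionary entry rather than its wire encoding, the accounts, group name, VLAN IDs and URL are constructed, and passwords are compared directly instead of through the MS-CHAP v2 exchange, a simplification.

```python
"""Model of the IAS server's replies for guest and for a provisioned account.

Added example; accounts, VLAN IDs, group name and URL are constructed. The
MS-CHAP v2 exchange is replaced by a direct password comparison.
"""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Standard RADIUS tunnel attributes used for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN ID carried as a string

NETWORK_RESOURCE_VLAN = "10"   # constructed VLAN ID
INTERNET_VLAN = "20"           # constructed VLAN ID
CUSTOMER_GROUP = "WLAN Customers"
PROVISIONING_URL = "https://provisioning.example.invalid/master.xml"  # placeholder

# Constructed stand-in for the Active Directory user accounts database.
ACCOUNTS = {
    "anapopescu": {"password": "Tq9!vLm2#xKp", "groups": {CUSTOMER_GROUP}},
    "intern": {"password": "Zr4$hNc7@wQe", "groups": {"Domain Users"}},
}


@dataclass
class RadiusReply:
    code: str                                        # Access-Accept / Access-Challenge / Access-Reject
    attributes: dict = field(default_factory=dict)   # outer RADIUS attributes
    peap_tlvs: dict = field(default_factory=dict)    # inner PEAP TLVs, e.g. the URL TLV


def vlan_attributes(vlan_id: str) -> dict:
    """The attribute set an RFC 3580-aware access point reads to pick a VLAN."""
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: vlan_id}


def is_guest(username: str, password: str) -> bool:
    """Guest authentication is exactly the null user name with a blank password."""
    return username == "" and password == ""


def authorize(username: str, password: str) -> List[RadiusReply]:
    """Replies the IAS server sends for one inner PEAP authentication, in order."""
    if is_guest(username, password):
        # Stage 2: hand the client the provisioning URL in a PEAP-TLV, then accept
        # it onto the Network Resource VLAN only (placing the guest there via the
        # VLAN attributes is an assumption of this model).
        return [
            RadiusReply("Access-Challenge", peap_tlvs={"URL": PROVISIONING_URL}),
            RadiusReply("Access-Accept", attributes=vlan_attributes(NETWORK_RESOURCE_VLAN)),
        ]
    account = ACCOUNTS.get(username)
    if account is None or not hmac.compare_digest(account["password"].encode(), password.encode()):
        return [RadiusReply("Access-Reject")]
    if CUSTOMER_GROUP not in account["groups"]:
        # Authenticated but not a provisioned customer: design choice here is to
        # reject rather than grant any VLAN (the page does not cover this case).
        return [RadiusReply("Access-Reject")]
    # Stage 4: the new account authenticates; the VLAN attributes instruct the
    # access point, and through it the gateway, to move the client to the Internet VLAN.
    return [RadiusReply("Access-Accept", attributes=vlan_attributes(INTERNET_VLAN))]


def assigned_vlan(replies: List[RadiusReply]) -> Optional[str]:
    """What an access point does with the final reply: None means no access granted."""
    final = replies[-1]
    if final.code != "Access-Accept":
        return None
    attrs = final.attributes
    if attrs.get(TUNNEL_TYPE) == 13 and attrs.get(TUNNEL_MEDIUM_TYPE) == 6:
        return attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    return None


if __name__ == "__main__":
    for user, pw in (("", ""), ("anapopescu", ACCOUNTS["anapopescu"]["password"]), ("anapopescu", "wrong")):
        replies = authorize(user, pw)
        print(repr(user), [r.code for r in replies], "VLAN", assigned_vlan(replies))
```

Two points worth keeping from the model: the guest branch matches only the literal empty identity with an empty password, so an empty user name with any other password falls through to the ordinary lookup and is rejected rather than treated as guest; and the VLAN decision is keyed on membership of the security group the promotion code mapped to, so an account that exists but was not provisioned through this path never receives the Internet VLAN attributes.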