Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass QuickConnect Discussion thread!

  • 1.  Clearpass QuickConnect Discussion thread!

    Posted Nov 10, 2012 03:47 PM

    I created this topic as there is no actual documentation for this, or at least none that I can find... and well, any ideas are welcome to make it work better, and also examples of usage... Maybe we can all work together to make it work :)

     

    Anyways

    I got a trial for 30 days and I was able to make it work... but I'm sure that's not the best practice...

    What I did was create a captive portal and a redirection to the internal web server... after you successfully log in with the captive portal you get put in a role in which you can see only that web server through a specific port, and that's it.

    And well, it works, but I don't think this is how we should deploy this...

    I can't find documentation of this... anywhere...

    I don't know if someone has a better idea on how to deploy this in a way that is easier for the client?

    At this point, this is how I'm working (I'm just testing, not a production network) and I find it not too useful in corporate environments (unless you introduce health checkers). But it seems to be useful for universities and schools for a more secure network using WPA2 Enterprise with EAP-PEAP instead of WPA2-PSK... this is cheaper than buying the whole BYOD solution, I think.

     

    Anyways this is how it works for now for me:

     

    User Side

    1- The client will need to connect to an open wireless network named quickconnect

    2- The student logs in there and gets a captive portal page, which will redirect him to the clearpassquickconnect

    3- He downloads the program

    4- He configures it with the assistant; the IT department will need to give him a user and password.

    5- He provides the user and pass to the program, the thing autoconfigures, and voilà, he is able to connect to the network without being in a domain.

     

     

    IT Side after the QuickConnect is configured

    1- For each new student he will need to add a user in Active Directory (I think it's preferred to have a separate DC for this)

    2- Provide that user and pass to the student.

    3- Well, that's all he needs to do...

    Advantages I see for the IT department

    1- More secure network

    2- Less work to do, as he just needs to provide a user and password; he does not need to touch students' Windows, Android or Mac laptops, or iPads...

     

    Anyway, feedback is welcome, and if someone is having trouble setting up the web server for this, you can post a message here; I can help with that, at least...

     

    Cheers

    Carlos

     



  • 2.  RE: Clearpass QuickConnect Discussion thread!

    EMPLOYEE
    Posted Nov 11, 2012 01:21 PM
    When you log in to QuickConnect, there is a help link. Right-click on it and you should be able to view the PDF.


  • 3.  RE: Clearpass QuickConnect Discussion thread!

    Posted Nov 11, 2012 01:33 PM

    Yeah, I saw it and read it already... I already saw that you can distribute this via USB, or other methods...

    But when I'm distributing via a portal... what is the recommendation?

    For now in my testing lab I have a QuickConnect captive portal, OPEN, which redirects to that web server, and you get no other access than that web server and the specific port...

    Then the user, after the provisioning, has to click login in the 802.1X network. Yeah, it's working, but I don't know if it's the best practice doing it like that, like having an SSID just for the provisioning in an open system with captive portal... it's just the way I think I could do it, and well, I don't know what the best practice is if I wanted to distribute it via web...

    What I want is that the admin just tells the user, here is your user and pass so you can join our secure wireless network. Then he uses that to autoconfigure and connect... the admin does not need to touch the user's laptop...

    Anyway, do you think that way is okay? Or do you think it's insecure and it should be done some other way?



  • 4.  RE: Clearpass QuickConnect Discussion thread!
    Best Answer

    EMPLOYEE
    Posted Nov 11, 2012 09:14 PM
    You can do either:

    1. Host a captive portal page to ONLY serve up the quick connect executable to users.

    2. Host a captive portal page to authenticate users AND put a link on either the login page or the welcome page to the quick connect executable.


  • 5.  RE: Clearpass QuickConnect Discussion thread!

    Posted Nov 11, 2012 09:17 PM

    Thanks Collin

    I just wanted to know I'm on the correct path :) and well, it's kind of hard to know when you don't find any documentation of it; I hope you guys release documentation about best practices for it soon.

    For now in my lab I have it set up as your option number 2 :)

    I'll start showing the clients that... I can even show them with the rap2 when I visit them how it works :)



  • 6.  RE: Clearpass QuickConnect Discussion thread!

    Posted Nov 20, 2012 06:16 AM

    Hello there cjoseph!

     

    I want to put a link onto the welcome page of the captive portal. But whenever I try to download the executable, the web browser simply redirects me to the captive portal again. I guess I've done something wrong with the roles. Can you tell me what I need to do?

    The webpage of QuickConnect is accessible from the internet, so there is no firewall included.

     

    Best regards,

    Johan



  • 7.  RE: Clearpass QuickConnect Discussion thread!

    EMPLOYEE
    Posted Nov 20, 2012 06:27 AM

    You must permit HTTP access to the IP address of the web server of the QuickConnect executable in the user's "logon" role.

     



  • 8.  RE: Clearpass QuickConnect Discussion thread!

    Posted Nov 20, 2012 07:49 AM

    Hmm, strange....

    I did before permit any source of any service to the IP address of the web server, and it failed. But when I only permitted http as a service it succeeded?

    Very well, it's working now.

    Thanks a lot! :)

    Johan