In Appreciation of White Box Guest Access

“Guest Access” means different things to different people and organizations. Certainly if you’re a traveler using hotel or conference Wi-Fi, you have a general set of expectations and desires. If you’re a company or a school, the guest wireless service you provide is likely shaped by organizational policy. And for many of us, the guest environment also tends to act as a catch-all for client devices that don’t fit on our secure WLANs: a place for “free passes” and MAC exceptions. But the devil is in the details, and I have found that finding the right guest-access feature set can be difficult.

What you WANT may not be what you can HAVE

Having designed a number of guest environments for large and small networks, I’m always astounded to engage a WLAN vendor on the topic and to find how far their guest offering is from what I’m looking for (more on that in a bit). Worse, seldom do I hear “what are your requirements?” as it tends to be more like “this is what we think everyone should want and accept”.

Simplicity? Fat chance… 

Guest access can also have a lot of moving parts, depending on how it’s implemented. Overall functionality tends to be broken up and scattered across access points, controllers, RADIUS servers, credential stores, web servers, and sometimes switches. It all has to click, or you have problems. And for me, despite the typical complexity of guest services, I still find myself frustrated at features that are not included.

What worked for my environments

Years ago, for my big honkin’ 3,000 AP environment (and our small branches alike), we arrived at a desired feature set that went more or less like this:

  • Our guest SSID would equal a single dedicated guest VLAN
  • 24-hour individual self-sponsoring is a must
  • Alternatively, ANYONE authorized to use our wired or secure wireless network could sponsor a guest
  • For self-sponsoring, a ten-digit mobile number capable of accepting a text must be provided and within seconds a password would be sent
  • For large events, a shared account could be generated
  • All accounts were time limited with role-granularity
  • The system would have easily configurable firewall rules and (generous) rate limiting capabilities
  • On the admin side, we could add MAC exceptions and login-bypass
  • The system would provide NAT to preserve public IP addresses
  • Reporting would be easy, as would user quarantine (rarely used)
  • ALL OF THIS WOULD HAPPEN UNDER ONE HOOD, VIA A SINGLE INTERFACE
  • A programmer would not be needed to stitch it all together
  • Ideally, it would have vendor support (for a number of reasons, open source was not desirable)
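To make the security-relevant parts of that list concrete, here is an added example of the credential-issuing logic behind such a guest portal. It is my illustration, not code from the original post and not Bluesocket, Adtran or Cisco code; the class and method names (GuestPortal, self_sponsor, sponsor_guest, add_mac_exception), the three-texts-per-hour throttle and the PBKDF2 round count are assumptions chosen for the example. It models the self-sponsored 24-hour account tied to a ten-digit mobile number, sponsorship restricted to users already authorized on the wired or secure network, time-limited accounts with a role, and MAC exceptions for login bypass. Delivery of the password by text is left to an SMS gateway; the method simply returns the password to the caller.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed reference time and policy values for the example (assumed, not from the post).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)
PHONE_RE = re.compile(r"^[0-9]{10}$")                    # "ten-digit mobile number"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
MAX_TEXTS_PER_HOUR = 3       # throttle credential texts so a number can't be spammed
PBKDF2_ROUNDS = 100_000      # store only a salted hash of the guest password


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    password_hash: bytes
    role: str            # e.g. "guest", "event", "contractor": drives firewall/rate-limit policy
    expires_at: datetime


@dataclass
class GuestPortal:
    # Anyone already authorized on the wired or secure WLAN may sponsor a guest.
    sponsors: set
    accounts: dict = field(default_factory=dict)
    mac_exceptions: set = field(default_factory=set)
    sms_log: dict = field(default_factory=dict)   # phone -> times a text was requested

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _create(self, username: str, role: str, lifetime: timedelta, now: datetime) -> str:
        # 72 bits from the OS CSPRNG; never random.random() for credentials.
        password = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        self.accounts[username] = GuestAccount(
            username, salt, self._hash(password, salt), role, now + lifetime)
        # In a real portal this goes to the SMS gateway, not back to the browser.
        return password

    def self_sponsor(self, phone: str, now: datetime = None) -> str:
        """24-hour self-sponsored account keyed to a ten-digit mobile number."""
        now = now or datetime.now(timezone.utc)
        if not PHONE_RE.fullmatch(phone):
            raise ValueError("mobile number must be exactly ten digits")
        recent = [t for t in self.sms_log.get(phone, []) if now - t < HOUR]
        if len(recent) >= MAX_TEXTS_PER_HOUR:
            raise PermissionError("too many text requests for this number in the last hour")
        self.sms_log[phone] = recent + [now]
        return self._create(f"guest-{phone}", "guest", 24 * HOUR, now)

    def sponsor_guest(self, sponsor: str, guest: str, role: str,
                      lifetime: timedelta, now: datetime = None) -> str:
        """Sponsored or shared event account; only an authorized user may create one."""
        if sponsor not in self.sponsors:
            raise PermissionError("sponsor is not authorized on the wired or secure WLAN")
        return self._create(guest, role, lifetime, now or datetime.now(timezone.utc))

    def login(self, username: str, password: str, now: datetime = None):
        """Returns the account's role on success, None on bad password or expired account."""
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(username)
        if acct is None or now >= acct.expires_at:
            return None
        # Constant-time compare so the check leaks nothing about the stored hash.
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            return None
        return acct.role

    def add_mac_exception(self, mac: str) -> None:
        """Login bypass for devices that cannot drive a captive portal. A MAC is trivially
        spoofed, so this is an admin convenience, not authentication: the device still
        lands on the guest VLAN behind the guest firewall rules and rate limits."""
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.fullmatch(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        self.mac_exceptions.add(mac)

    def bypasses_login(self, mac: str) -> bool:
        return mac.strip().lower().replace("-", ":") in self.mac_exceptions
```

The two checks worth carrying into any real deployment are the expiry test in `login`, which is what makes "24-hour" and "time limited with role-granularity" enforceable rather than advisory, and the per-number throttle in `self_sponsor`, without which the texting feature becomes a free SMS-flooding service.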

Going back those several years, our WLAN vendor (Cisco) didn’t come close to being able to provide what we wanted. In their defense, neither did any other market leader at the time. We heard that Colubris Networks had a gateway that might fit the bill, but they had just been bought by HP and, try as we might, we couldn’t locate anyone who could talk with us about what we were looking for.

Then we found Bluesocket (now Adtran) and their BSC controllers. When I first contacted Bluesocket, we came to the mutual realization that they could do about 75% of what I wanted. They weren’t initially open to developing the self-sponsored texting and “anyone authorized can sponsor a guest” features. So… we thanked each other for our time, and I kept searching. Then a week or so later Bluesocket called back and said they were game for a bit of development, having seen the value in what would become a feature set they could market to others. They were able to do everything I was looking for in a single, kick-ass box in a matter of hours.

What Bluesocket was able to deliver after actually listening to our requirements has been in play for us for many years. We’ve served thousands and thousands of guests with it, along with using it as a mechanism for supporting wonky devices like Google Glass (turn head, spit) that weren’t built with enterprise security support, and so can’t be on the WLANs we’d rather they used.

It’s been absolutely great, and I know of at least three other schools that pursued the same guest access model after experiencing ours.

Looking forward

Our old Bluesocket boxes are getting, well… old. They are appliances, and Adtran seemingly has no desire to virtualize what we need into an OVA or the like. In fact, on newer Adtran wireless products, what we appreciate about the BSC has been moved to Adtran APs that we’ll never buy, so the research for a suitable replacement starts again.

The thing is, we absolutely love what we get out of our aging guest solution, and in a perfect world, I’ll find a similar third-party, one-box bolt-on for our big Cisco WLAN. (I will give Cisco another chance to catch me up on how their native guest access services have improved, but I also know that my requirements are firm.) I have also asked Adtran one last time about the possibility of somehow preserving this wonderful magic, but the silence thus far is pretty telling.

Which brings me to Meraki. The features I need for my guest environment are pretty much included in the WLAN side of the Meraki product line, and we use it with great success in our Meraki-enabled branch sites. But… to bolt the Meraki capability up to my Cisco WLAN in a way that would replace Bluesocket, I’d need the guest features made available in the Meraki MX security appliances and not just in the AP feature set. I’m hoping to get Meraki’s ear on this anyway, because guest access needs also do tend to pop up on the wired side occasionally, too. Right now, wired guest needs are a gap in the MX.

If Meraki can accommodate, a big MX would snap in nicely where my Bluesocket sits now for guest access. If not, I’ll have to consider things like pfSense, PacketFence and other one-offs that I’d rather not get into after being happy with a commercial solution. Or, I’ll have to rethink our requirements, which would really suck, as they really are what we consider requirements, not just nice-to-haves.

There will obviously be more to follow on this evolution. I am curious if anyone else is facing a similar situation, and how you might be approaching it.

(Please- I’d love your comments, just don’t blast me with pointless “you should switch to vendor X for your WLAN!” type feedback.) 

14 thoughts on “In Appreciation of White Box Guest Access”

  1. jimvajda

    Without having direct experience with it myself, it appears that Aruba ClearPass can provide a lot of this functionality. I can’t say how well/if it works in a Cisco WLAN though. Have you evaluated that? I’d be curious of what you think of it.

    1. wirednot Post author

      Thanks for the note. I know that ClearPass does come up often, and cannot do NAT on its own, and so isn’t a snap-in or full white box replacement. I’d have to revisit ClearPass with an Aruba SE, as it’s been a while, to find anything else missing from my list. I have looked at it before, and though impressive, it felt like overkill in some ways and deficient in others by fuzzy memory. May well end up taking another look…

  2. bkvu

    I’m curious what you don’t like about Cloudpath’s ES product. He didn’t impress you at WFD 6? 🙂 Clearpass schmerpass, first look at the sticker. That alone should stop you from wanting a single feature from the product. Granted you’re 4+x our scale, but I doubt it becomes any more palatable.

    1. wirednot Post author

      Bob,

      I’m a Cloudpath customer for supplicant config (wizard, not ES as we’re not TLS yet). To say I don’t like ES is to put words in my mouth. At the same time, ES is still “out of band” as opposed to being the snap-in NAT box thing I’m describing.

      Lee

      1. bkvu

        Yeah, poor choice of words. I wasn’t looking for subjective, but rather what you answered regarding any shortcomings on your list.

    1. wirednot Post author

      Hey Dave-
      I’m just learning about PacketFence. I’m still unclear on whether it sits out of band or can be “the box in the middle” doing the actual NAT/routing for the guest VLAN?

      -Lee

  3. wirednot Post author

    You’re getting me all exciterated here. I know it’s a subjective question, but how linuxy/programmerish do you have to be with PacketFence?

    -Lee

    1. Mr_Fogg97

      So you need some basic skills. Install the packetfence package on a supported distro of Linux. Other than that, you just need to do basic sysadmin work to keep it going (log file maintenance). A little bit of config file editing, which is less and less each version. Trunking any VLANs direct into the box (depending on setup). Really not that bad. Most is done through the web anymore.

      Dave

      1. wirednot Post author

        Good stuff, Dave. The information is appreciated. This is a journey that’s just beginning, but I will start getting to know the PacketFence docs and case studies.

        -Lee

    1. wirednot Post author

      Alan- my cheeky colleague: yes Linux is your friend. If you have the time and your role demands it… I do a fair amount with it when appropriate, but my days are packed with other duties. We’re purposefully not building home-growns anymore as a rule. So run and tell dat.

  4. Zach Jennings

    Ok, so coming from West Chester University of PA (full disclosure, been with Aruba Networks for 3 years working with ClearPass [Avenda eTIPS and Amigopod combined]) I ran into a similar issue. We had used Bluesocket for a long time with a mix of HP, Cisco, and Aruba access points, as well as Aruba’s built-in guest portal. This took a lot of man hours to manage. We had to create AD accounts for contractors and conferences. It was a huge pain.

    I implemented Amigopod as a guest solution at WCUPA about 5 years ago. It was an absolute success! It reduced help desk calls, made setup for conferences much easier (the help desk people handled it!), and was branded the way the marketing/pr department wanted it to look. Also, it’s not a cloud based solution. So, even if the internet goes down, guests could still get on and access the university website for things like events and the campus map.

    First and foremost, any access control box that acts in a gateway design is NOT true security (this is Zach the security conscious talking, not Zach that Aruba guy). You can infect other computers on the L2 network. There are a lot of companies out there that try to convince people that ease of installation should trump security. I think that story needs to go away after the likes of Home Depot, Target, Staples, etc, having network security breaches.

    Next thing I would point out is that ClearPass is vendor agnostic! We have many customers who don’t have any Aruba equipment at all. So, no problems there integrating with Cisco wired/wireless. What about wired guest access? We can do that too! Yes, on Cisco switches without any costly upgrades.

    I’m sure you guys have some kick ass firewalls, and the Security Admin probably wants all that guest traffic going through them for L7 inspection and filtering. Any kind of NAT that is not done by a FW specifically designed for NAT pooling is going to run out of ports at a busy campus such as yours. Design for the future. More guests and more devices per guest. Have they turned up wireless at the football stadium? At WCUPA, we turned up outdoor wifi and were shocked by the number of guests jumping on the wireless network.

