Tag Archives: ADTRAN

In Appreciation of White Box Guest Access

“Guest Access” means different things to different people, and organizations. Certainly if you’re a traveler using hotel or conference Wi-Fi, you have a general set of expectations and desires. If you’re a company or a school, the guest wireless service you provide is likely shaped by organizational policy. And for many of us, the guest environment also tends to act as a catch-all for client devices that don’t fit on our secure WLANs- a place for “free passes” and MAC exceptions. But the devil is in the details, and I have found finding the right guest access feature set can be difficult.

What you WANT may not be what you can HAVE

Having designed a number of guest environments for large and small networks, I’m always astounded to engage a WLAN vendor on the topic and to find how far their guest offering is from what I’m looking for (more on that in a bit). Worse, seldom do I hear “what are your requirements?” as it tends to be more like “this is what we think everyone should want and accept”.

Simplicity? Fat chance… 

Guest access can also have a lot of moving parts, depending on how it’s implemented. Overall functionality tends to be broken up and scattered across access points, controllers, RADIUS servers, credential stores, web servers, and sometimes switches. It all has to click, or you have problems. And for me, despite the typical complexity of guest services, I still find myself frustrated at features that are not included.

What worked for my environments

Years ago, for my big honkin’ 3,000 AP environment (and our small branches alike), we arrived at a desired feature set that went more or less like this:

  • Our guest SSID would equal a single dedicated guest VLAN
  • 24-hour individual self-sponsoring is a must
  • Alternatively, ANYONE authorized to use our wired or secure wireless network could sponsor a guest
  • For self-sponsoring, a ten-digit mobile number capable of accepting a text must be provided and within seconds a password would be sent
  • For large events, a shared account could be generated
  • All accounts were time limited with role-granularity
  • The system would have easily configurable firewall rules and (generous) rate limiting capabilities
  • On the admin side, we could add MAC exceptions and login-bypass
  • The system would provide NAT to preserve public IP addresses
  • Reporting would be easy, as would user quarantine (rarely used)
  • ALL OF THIS WOULD HAPPEN UNDER ONE HOOD- VIA A SINGLE INTERFACE
  • A programmer would not be needed to stitch it all together
  • Ideally, it would have vendor support (for a number of reasons, open source not desirable)

Going back those several years, our WLAN vendor (Cisco) didn’t come close to being able to provide what we wanted. In their defense, nor did any other market leaders at the time. We heard that Colubris Networks had a gateway that might fit the bill, but they had just been bought by HP and try as we might, we couldn’t locate anyone that could talk with us about what we were looking for.

Then we found Bluesocket (now Adtran) and their BSC Controllers. When I first contacted Bluesocket, we came to the mutual realization that they could do about 75% of what I wanted. They weren’t really initially open to developing the self-sponsored texting and “anyone authorized can sponsor a guest” features. So… we thanked each other for our time, and I kept searching. Then a week or so later Bluesocket called back, and said they were game for a bit of development, and saw the value in what would become a feature set that they were able to market to others. They were able to do everything I was looking for in a single, kick-ass box in a matter of hours.

What Bluesocket was able to deliver after actually listening to our requirements has been in play for us for lots of years. We’ve served thousands and thousands of guests with it, along with using it as a mechanism for supporting wonky devices like Google Glass (turn head, spit) that weren’t built with enterprise security support, and so can’t be on the WLANs we’d rather they used.

It’s been absolutely great, and I know of at least three other schools that pursued the same guest access model after experiencing ours.

Looking forward

Our old Bluesocket boxes are getting, well… old. They are appliances, and Adtran seemingly has no desire to virtualize what we need into an OVA or the like. In fact, on newer Adtran wireless products, what we appreciate about the BSC has been moved to Adtran APs that we’ll never buy, so the research for a suitable replacement starts again.

The thing is, we absolutely love what we get out of our aging guest solution, and in a perfect world, I’ll find a similar third-party, one-box bolt-on for our big Cisco WLAN. (I will give Cisco another chance to catch me up on how their native guest access services have improved, but I also know that my requirements are firm). I have also inquired to Adtran one last time about the possibility of somehow preserving this wonderful magic, but the silence thus far is pretty telling.

Which brings me to Meraki. The features I need for my guest environment are pretty much included in the WLAN side of the Meraki product line, and we use it with great success in our Meraki-enabled branch sites. But… to bolt the Meraki capability up to my Cisco WLAN in a way that would replace Bluesocket, I’d need the guest features made available in the Meraki MX security appliances and not just in the AP feature set. I’m hoping to get Meraki’s ear on this anyway, because guest access needs also do tend to pop up on the wired side occasionally, too. Right now, wired guest needs are a gap in the MX.

If Meraki can accommodate, a big MX would snap in nicely where my Bluesocket sits now for guest access. If not, I’ll have to consider things like pfSense, Packetfence and other one-offs that I’d rather not get into after being happy with a commercial solution. Or, I’ll have to rethink our requirements, which would really suck, as they really are what we consider requirements, not just nice-to-haves.

There will obviously be more to follow to this evolution.  I am curious if anyone else is facing a similar situation, and how you might be approaching it.

(Please- I’d love your comments, just don’t blast me with pointless “you should switch to vendor X for your WLAN!” type feedback.) 

SMS Authentication- A Nice, Easy Way To Do WLAN Guest Auth

For wireless guest access, there are all kinds of ways to skin the cat. In a perfect world, Hotspot 2.0 will take care of authentication and encryption, and all would be sunny to everyone’s satisfaction. But, that ain’t happening for a while (if ever). It’s becoming more popular to tie guest access to social media “credentials” (a bit of a joke to call ’em that), as there’s usually some marketing hook behind that, and some networks really don’t care WHO you are, like really.

But when you need to have some level of accountability on your guest network for whatever reason, using SMS-based authentication is not a bad option. You can front it with a WPA2 PSK or leave it open (everyone has different use cases, business drivers, and policy), but for answering the challenge of “make it easy on ’em but still let us have some bit of real, verifiable information to tie to a person”, SMS-based auth is hard to beat. 

Years ago, I set off on a quest to find a wireless guest solution that was easy to support, easy for users to self-provision through, and that met our organizational requirement that guest sessions not just be tied to some bogus email account (the joey@asscrack.com thing is funny only so many times in a row) but to use a 10-digit cell number as the “User ID”. Though we were a Cisco WLAN back then, Cisco couldn’t come close to fulfilling our simple requirements. Rumor was that Colubris had a gateway that might work, but this was around when HP bought them and we literally couldn’t find a human being walking the earth that could tell us anything meaningful about that gateway. Then there was Bluesocket (now ADTRAN). When I first approached them with my needs, they- like Cisco- couldn’t do self-provision SMS based with. And like Cisco, they tried telling me that if I was willing to change my requirements, they could provide a solution. But when I pushed back, Bluesocket was willing to do a little bit of development and was able to provide something that really was ahead of its time (we’re talking like 2006 here):

Image

Sure, it’s not so impressive today given that there are now lots of other guest portals that do SMS, but it still works very well, and is what we continue to use at my University because it does just work. Unfortunately, you have to invest in a full-blown Bluesocket appliance to get the functionality, but even that’s not all bad.  The appliance works well as DHCP, firewalling, NAT, rate limiting, quarantine, MAC exception home for odd stuff that fits nowhere else and a handful of other guest-relevant functions, but also has (and is over-priced based on) lots of Bluesocket-specific WLAN stuff you’ll never use if you don’t have Bluesocket APs. And the appliance hardware is pretty dated. But… on balance, this has been dynamite- and is the only off-the-shelf 3rd party gateway kind of thing  that I’m aware of that you could bolt on to anyone’s WLAN and make work if you didn’t like what your native solution does for guest access (Sorry Cisco, you still don’t get easy guest access as far as I can tell).

Then there’s Meraki’s version. The SMS auth groove is new to Meraki, and they still have some development to do on it before I’ll sing its praises too loudly, but it works good. I’m about to deploy it in a unique situation, and am pretty pleased with its slick integration to Twilio as the SMS provider, and that I pay nothing extra to Meraki for exactly the SMS auth feature I want:

Image

No extra appliance needed, no additional fees, and it works so, so nicely with the rest of the magic in the Meraki cloud-managed wireless solution. Where it is feature-thin, I can work around until they tighten it up (and I did make my wish last week, so I’m assuming the elves on Mount Meraki are almost done already). It only works with Twilio as the SMS service, but that’s OK as Twilio is cheaper than cheap, and each texted password costs you a penny. (We use Message Media for the Bluesocket, which is more expensive and less snappy in my experience).

Anyhow- If you’ve never gone the SMS path for guest access, I can vouch for its effectiveness. Though I personally have no use for social media logins, I understand the appeal in certain markets (but would never use my own accounts for guest access- I’d rather go without). SMS is just another option to consider. Combine it with Personal PSK, and I think users and admins would both win, at least in my wireless world.

Pssst- If you have a Dashboard, Meraki is easy to try- and you get 25 free Twilio interactions so you can feel what the experience is like for texting the auto-generated password from your own easy-to-customize splash page before signing up for a Twilio account.

(I find Twilio almost as much fun to say as LaserFiche, by the way)

Bluesocket Lives, Evolves Into Managed WLAN Services Offering Under ADTRAN

Back in the day, Bluesocket was THE commercial captive portal for wireless networks. As WLAN in general gained broader acceptance and the market widened, Bluesocket also started providing access points and morphed their captive portal appliance into a controller (like the WLAN big guns were starting to use with thin APs.) As this was playing out, Cisco, Aruba, and at the time Meru, were largely dominating the market and Bluesocket  didn’t generate a lot of buzz anymore. But- nor were they “over”.

My Own Bluesocket History

I have covered Bluesocket through the years for my column in Network Computing, like when the company introduced their initial controller offering, and then their virtual controller option. Network Computing also covered ADTRAN’s acquisition of Bluesocket in a piece done by colleague Steve Wexler.

On the personal front, I helped pre-ADTRAN Bluesocket develop a new guest access feature set that perfectly fit the needs of my University when our native Cisco wireless guest option was anemic by comparison. To this day we still  use the Bluesocket portal for guests, and though it may be a bit dated, it still has amazing administrative flexibility and works great for letting guests self-sponsor or be sponsored based on cell phone number as user name. (I made more than one plea for both Bluesocket and ADTRAN to spin this off as a separate product but they didn’t bite.)

Bluesocket also donated controllers that I took to Haiti on a humanitarian IT visit, and that serve as the functional heart of two networks on University of Haiti campuses that my fellow volunteers and I created.

You could say I have a bit of a soft spot for Bluesocket given my history with the company and their products.  But after the ADTRAN acquisition, the already small player in the WLAN space seemed to get even quieter. But wait…

With their latest announcement, ADTRAN’s Bluesocket may be on to bigger things.

Following similar recent announcements by Meraki and PowerCloud, Bluesocket is throwing their hat into the cloud-managed hosted WLAN ring.

ADTRAN calls their new offering ProCloud, and it hopes to empower channel partners, integrators, and service providers with the ability to provide hosted enterprise-grade WLAN offerings to customers built on the established Bluesocket vWLAN magic-in-the-middle.

Also announced are ProStart (installation, service, and training for customers that can’t do their own wireless for whatever reason)  and ProCare (customer-selectable maintenance support options.)

See ADTRAN’s page on ProCloud, and the Business Wire press release.

Wireless is certainly a competitive landscape to begin with, and the expanding managed WLAN pot is starting to simmer with interesting players jumping in. Though I get that ADTRAN and competitors see the hosted WLAN thing as an easy service-add for partners that don’t yet really offer wireless, I hope those who follow this path all don’t lose sight of the fact that “easy wireless” doesn’t automatically equal “good wireless” and that proper design and policy are still the cornerstones of successful WLAN.

I wish ADTRAN and my old Bluesocket friends best of luck in their new venture, and I’m sure I’m not the only one who will be following how managed wireless services will impact our industry.