Thursday, July 15, 2021

802.1x Authentication for off-site location - best setup considering security and resiliency?

Hi all,

I work at a small university, and have recently been charged with setting up Wi-Fi for a student residence building located away from our main campus. This is the first time that we have to set up network access in a location other than our main site (so, no direct access to our Domain Controllers), so I'm trying to figure out the best option for authentication of users at this remote site.

Wi-Fi authentication on our main campus is through 802.1x, with NPS on our Domain Controllers functioning as the RADIUS servers. Clients authenticate using PEAP-MSCHAPv2 with their domain credentials.

At the remote site, we'd ideally like to have the same SSID and same authentication method, so that users' devices can seamlessly roam from one network to another. Apart from authentication, the two networks do not need (and should not have) any connectivity between them.

Both sites have reliable fiber-optic connections, so the reliability of the connection itself is not a major concern.

The options at which I'm looking so far are:

Option 1: Remote access points authenticate directly through NPS on main campus Domain Controllers via a VPN tunnel:

  • Pros
    • Relatively easy.
  • Cons
    • If VPN link goes down, so does... everything.

Option 2: Set up a Read-Only Domain Controller running NPS at the remote site, with a VPN tunnel for synchronisation with the main campus's domain controllers, and the access points talking to NPS on this local DC for authentication.

  • Pros
    • Most reliable - authentication will continue to function if the VPN link goes down temporarily or if there is any other kind of service outage at the main campus.
  • Cons
    • The security of putting a domain controller in an off-campus location seems questionable.

Option 3: RADIUS proxy at remote site connecting directly to RADIUS on our main campus, without going through a VPN:

  • Pros
    • Easiest option to configure - no need to set up VPN access to our main network.
    • Using Anonymous Identity, theoretically, no usernames or passwords will be transmitted outside of the encrypted EAP tunnel.
  • Cons
    • Although no VPN is required, Wi-Fi authentication would still go down if there happened to be any issue reaching NPS at the main site.

...or perhaps I've missed some other great option!

If we had a truly 100% secure location to put a read-only Domain Controller, I'd probably go for Option 2, but without that being guaranteed, I'm leaning toward Option 3.

If anyone has any advice for this situation, it would be much appreciated!!
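As an added example that is not part of the original post, the Python below models the outer RADIUS layer of Option 3. It builds an Access-Request the way an access point would hand it to a RADIUS proxy, with an anonymous outer identity in both the User-Name attribute and the EAP-Response/Identity, then shows what the proxy (or anyone on a path without a VPN) still learns from that outer layer, how a proxy uses the realm to pick the home RADIUS server, and how the Message-Authenticator (RFC 3579, HMAC-MD5 under the shared secret) that protects the forwarded request is computed and checked. The shared secret, NAS address, client MAC, realm and server names are constructed values; the MSCHAPv2 exchange inside the PEAP TLS tunnel is not modelled.

```python
"""Outer RADIUS layer of a PEAP login with an anonymous outer identity.

Every address, MAC, realm and secret here is a constructed sample value.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# RADIUS attribute types (RFC 2865, RFC 3579)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
# EAP codes/types (RFC 3748)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

SECRET = b"constructed-shared-secret"  # sample value, not a real secret


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return bytes([atype, len(value) + 2]) + value


def eap_identity_response(identity, eap_id=1):
    """EAP-Response/Identity carrying the outer (anonymous) identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(outer_identity, client_mac, nas_ip, secret,
                         ident=7, authenticator=None):
    """Access-Request as an access point forwards it towards the proxy."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, outer_identity.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, client_mac.encode())
             + attr(EAP_MESSAGE, eap_identity_response(outer_identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 3579: HMAC-MD5 over the whole packet with Message-Authenticator zeroed.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def parse_attributes(pkt):
    """Yield (type, value, offset) for every attribute in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen], pos))
        pos += alen
    return attrs


def verify_message_authenticator(pkt, secret):
    """Proxy-side integrity check of a forwarded Access-Request."""
    for atype, value, off in parse_attributes(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = bytearray(pkt)
            zeroed[off + 2:off + 18] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP requests without Message-Authenticator must be rejected


def observed_by_proxy(pkt):
    """What the proxy, or a passive observer on the path, sees in the outer layer.

    RADIUS encrypts only User-Password; these attributes travel in the clear."""
    seen = {}
    for atype, value, _ in parse_attributes(pkt):
        if atype == USER_NAME:
            seen["outer_identity"] = value.decode()
        elif atype == CALLING_STATION_ID:
            seen["client_mac"] = value.decode()
        elif atype == NAS_IP_ADDRESS:
            seen["nas_ip"] = ".".join(str(b) for b in value)
    return seen


def route_by_realm(outer_identity, realm_table):
    """Proxy routing: the realm after '@' selects the home RADIUS server."""
    if "@" not in outer_identity:
        return None
    realm = outer_identity.rsplit("@", 1)[1].lower()
    return realm_table.get(realm)


if __name__ == "__main__":
    request = build_access_request("anonymous@campus.example", "AA-BB-CC-11-22-33",
                                   "10.20.30.40", SECRET)
    print("integrity ok:", verify_message_authenticator(request, SECRET))
    print("visible to proxy:", observed_by_proxy(request))
    print("home server:", route_by_realm("anonymous@campus.example",
                                         {"campus.example": "nps.campus.example"}))
```

The example makes the trade-off in Option 3 concrete: the anonymous outer identity keeps the real username and the MSCHAPv2 exchange inside the TLS tunnel, so the proxy never sees them, but the outer RADIUS packet is not encrypted, so the client MAC address, the NAS address and the realm are visible to the proxy and to anyone on the path, and the only thing binding the forwarded request to a trusted proxy is the HMAC-MD5 Message-Authenticator under the shared secret. A proxy that accepts EAP requests without a valid Message-Authenticator should be treated as misconfigured.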
