How a WISP works with VLANs


With Wireless Provisioning Services (WPS) technology and a VLAN-aware gateway device, the Internet connection process differs depending on whether the customer attempting to connect is a new customer or an existing customer. The following example describes the process for a new customer who uses a promotion code at a Wi-Fi hotspot location. In addition, the manner in which IAS handles an expired account is explained.



New customer connection example

When a new customer connects to a WISP and establishes an account, the following stages occur:

1. The customer discovers the WISP network at a Wi-Fi hotspot
2. The customer authenticates as guest
3. The client is provisioned and the customer creates an account
4. The customer is authenticated with the new account credentials
5. The customer is switched to a VLAN that provides Internet access

The following sections describe each of these stages in more detail.

1. The customer discovers the WISP network at a Wi-Fi hotspot

When a customer arrives at the WISP Wi-Fi hotspot with a portable computer running Windows XP Home Edition with SP2, Windows XP Tablet PC Edition with SP2, or Windows XP Professional with SP2, the computer comes within range of the WISP access point beacon.

Wireless auto configuration on the client computer detects the beacon information from the access point, which is configured to broadcast the Service Set Identifier (SSID) of the WISP's network. The SSID is equivalent to the network name.

The customer is informed by Windows XP that a wireless network is available. In this example, the customer possesses a promotion code to use for account establishment, and proceeds by clicking Connect.

2. The customer authenticates as guest

Wireless auto configuration uses 802.1X and PEAP guest authentication to connect to the WISP network through the access point, automatically passing a null user name and a blank password to the WISP IAS server. The access point is connected to a VLAN-aware gateway device that allows traffic from the client to pass through the Network Resource VLAN, but blocks the client from access to the Internet VLAN.

The IAS server is the PEAP authenticator and TLS endpoint for customers who connect as guest. The TLS tunnel is created between the wireless client and the IAS server. All subsequent messages between the wireless client and the IAS server pass through this tunnel, which traverses the access point and the gateway device.

Server authentication is performed when the IAS server verifies its identity to the client computer using a certificate that contains the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. This certificate is issued by a public CA that the client computer trusts.

The IAS server authenticates and authorizes the customer as guest. The Access-Challenge message that the IAS server sends to the client carries a URL PEAP-TLV attribute, which contains the URL of the provisioning server. This URL tells the client where to find the XML master file.

The wireless client computer receives an IP address lease from the DHCP server. The address is from an IP address range configured in a scope on the DHCP server. In addition to the IP address, the client receives DHCP options, such as a default gateway and a DNS server IP address.

3. The client is provisioned and the customer creates an account

The XML master file on the provisioning server contains pointers to the XML subfiles. The wireless client creates an HTTPS connection with the provisioning server and downloads the XML master file and subfiles. When the XML sign-up file is downloaded, the sign-up wizard is started on the wireless client to allow the customer to create and pay for an account with the WISP.

Using the sign-up wizard on the wireless client computer, the customer steps through the process of signing up for an account. The customer enters the promotion code as well as personal data such as name, address, and credit card number. The data entered by the customer is converted into an XML document.

The XML document containing the customer's sign-up data is sent to the Web application on the WISP provisioning server.

The Web application checks the promotion code entered by the user against the promotion code database on the SQL server. If the promotion code is valid, the Web application continues processing the customer's data.

The Web application processes the customer payment information. After payment is verified and the sign-up information is completed successfully, the Web application reads the domain and security group information from the promotion code database on the SQL server, creates a user account in Active Directory, and adds the account to the security group. The Web application also records the new user name in the promotion code database.

An XML document containing the new account credentials is sent from the WISP provisioning server to the client computer. The client computer uses the credentials to configure wireless auto configuration and 802.1X under the name of the WISP.

4. The customer is authenticated with the new account credentials

Wireless auto configuration restarts the association to the SSID for the WISP.

Wireless auto configuration finds the correct 802.11 profile, which was downloaded with the other WISP information. Wireless auto configuration re-associates with the access point using the correct profile.

802.1X restarts the authentication process using PEAP-MS-CHAP v2 and the new account credentials.

As the client starts the authentication process with PEAP-MS-CHAP v2 authentication, a TLS channel is created between the customer's client computer and the WISP IAS server.

In the second stage of PEAP-MS-CHAP v2 authentication, the WISP IAS server authenticates and authorizes the connection request against the new account in the Active Directory user accounts database. The IAS server sends an Access-Accept message to the access point. Included in the Access-Accept message are attributes that specify which VLAN the customer can access.

5. The customer is switched to a VLAN that provides Internet access

The access point instructs the gateway device to assign the client to the Internet VLAN rather than the Network Resource VLAN. In addition, 802.1X on the access point opens the virtual port to provide Internet access to the client.

Now on the Internet VLAN, the wireless client computer receives an IP address lease from the DHCP server. The address is from an IP address range configured in a scope on the DHCP server. In addition to the IP address, the client receives DHCP options, such as a default gateway and a DNS server IP address.

The wireless client computer can now access the Internet.

How IAS handles an expired account

You can determine the types of account plans that you want to offer your customers. These plans can range from fees based on hourly use to accounts with life spans as long as a day, a month, or longer.

It is important for IAS to determine whether a connecting or connected client computer has a valid account, and to take the appropriate action if the customer's account has expired. The following example illustrates how IAS determines that a 24-hour account is current and how WPS technology behaves when the account expires.

Twenty-four hour connect option example

When the customer arrives at the WISP, the customer chooses an access account that has a one-day (24-hour) lifespan. The customer and client computer proceed through the account creation process described above, and then connect to the Internet. The following process occurs:

In the Access-Accept message sent by the IAS server, the IAS server sets a session timeout of 60 minutes for the client computer connection to the access point.

After 60 minutes, the access point requests that the client reauthenticate. The client reauthenticates successfully and the customer's session is not interrupted.

Every 60 minutes thereafter, the access point requests that the client reauthenticate. During each authentication, the IAS server checks the current time against the expiry time of the user account to determine whether the customer is still authorized to access the network.

On the last reauthentication, at hour 23 of the account lifespan and before 24 hours have passed, the IAS authorization check fails and the IAS server sends a URL PEAP-TLV message to the client that contains the account renewal action parameter and an HTTPS URL for an XML master file. The URL PEAP-TLV gives the customer the location of the provisioning server where the account can be renewed.

Upon receiving the URL in the URL PEAP-TLV message, 802.1X requests that Windows XP display the account renewal application to the customer.

The customer renews the account and 802.1X initiates authentication using the new account credentials.

During authentication with the IAS server, the IAS server authenticates and authorizes the customer against the user accounts database, and sends an Access-Accept message containing a session timeout of 60 minutes to the access point.

During this process, because the account has not expired, the customer maintains connection to the Internet.

If the customer does not complete the renewal process before the 24-hour account lifespan is reached, authentication fails and customer access to the Internet is terminated. When authentication fails, Windows XP attempts authentication as guest. The VLAN-aware gateway device is configured to allow the connection to the Network Resource VLAN, and the customer is provided with the option of renewing the account for continued access.
