Dell PowerConnect W ClearPass 100 Software: Implementing Accounting-Based Authorization - Page 7



Amigopod | Technical Note | Implementing Accounting-Based Authorization | 7
In the standard AAA framework, network access is provided to a user according to the following process:

• The user connects to the network by associating with a local access point [1].
• A landing page is displayed to the user [2] which allows them to log into the NAS [3], [4] using the login name and password of their guest account.
• The NAS authenticates the user with the RADIUS protocol [5].
• The Amigopod Visitor Management Appliance determines whether the user is authorized, and if so returns vendor-specific attributes [6] that are used to configure the NAS based on the user's role [7].
• If the user's access is granted, the NAS permits the guest to access the network, based on the settings provided by the Amigopod Visitor Management Appliance.
• The NAS reports details about the user's session to the Amigopod Visitor Management Appliance using RADIUS accounting messages [8].
• After the user's session times out [9], the NAS will return the user to an unauthorized state and finalize the details of the user's session with an accounting update [10].
Accounting-Based Authorization

Authorization decisions can be made based on the accounting records available to the RADIUS server. By using this process, traffic limits can be applied for guests within a particular time period.

The example portal developed in this technical note applies a 200 MB combined limit for guest traffic (upload and download), measured in any 24 hour period starting from midnight. Many other rules are possible using the flexible approach to authorization conditions.

There are two scenarios in which authorization is required:

Authorization during Access-Request

As shown in Diagram 1, when a guest connects to the network and logs in, a RADIUS Access-Request is performed. More detail on the initial authorization is shown in Diagram 2.
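The following is an added example, not code from the technical note or from the Amigopod product, showing how the Access-Request decision described above can be derived from stored RADIUS accounting records: it sums each guest's combined upload and download since midnight and rejects once the 200 MB limit is reached. Record field names follow the standard accounting attributes (Acct-Status-Type, Acct-Session-Id, Acct-Input-Octets, Acct-Output-Octets and the RFC 2869 Gigawords extensions); the in-memory record list, the guest names, session ids and byte counts are constructed sample data, and the reading of "200 MB" as 200 * 2^20 bytes is an assumption. The one detail worth noticing is that accounting counters are cumulative per session, so Interim-Update and Stop records for the same session must not be added together.

```python
from dataclasses import dataclass
from datetime import datetime

MB = 1024 * 1024
# Assumed reading of the note's "200 MB combined limit" (upload + download per day).
LIMIT_BYTES = 200 * MB


@dataclass
class AcctRecord:
    """One RADIUS accounting record as a RADIUS server would store it.
    Field names mirror the standard attributes; a real server would read
    these from its accounting table rather than from an in-memory list."""
    username: str
    session_id: str           # Acct-Session-Id
    status_type: str          # Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    timestamp: datetime       # time the record was received
    input_octets: int = 0     # Acct-Input-Octets: low 32 bits of bytes sent by the client
    output_octets: int = 0    # Acct-Output-Octets: low 32 bits of bytes sent to the client
    input_gigawords: int = 0  # Acct-Input-Gigawords: high 32 bits (RFC 2869)
    output_gigawords: int = 0  # Acct-Output-Gigawords


def session_bytes(rec: AcctRecord) -> int:
    """Combined upload + download for the session as of this record."""
    upload = (rec.input_gigawords << 32) | rec.input_octets
    download = (rec.output_gigawords << 32) | rec.output_octets
    return upload + download


def usage_since_midnight(records, username: str, now: datetime) -> int:
    """Bytes used by `username` in the window from midnight up to `now`.

    Octet counters are cumulative for the life of a session, so only the
    latest record per Acct-Session-Id inside the window is counted; summing
    every Interim-Update would count the same traffic several times over.
    A session whose records straddle midnight is attributed entirely to
    today's window, which errs on the side of enforcing the limit."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    latest = {}
    for rec in records:
        if rec.username != username:
            continue
        if rec.timestamp < midnight or rec.timestamp > now:
            continue
        if rec.status_type == "Start":
            continue  # Start records carry no octet counts
        prev = latest.get(rec.session_id)
        if prev is None or rec.timestamp > prev.timestamp:
            latest[rec.session_id] = rec
    return sum(session_bytes(r) for r in latest.values())


def authorize(records, username: str, now: datetime, limit: int = LIMIT_BYTES) -> dict:
    """Access-Request decision: accept while the guest is under the daily limit."""
    used = usage_since_midnight(records, username, now)
    if used >= limit:
        return {"decision": "Access-Reject", "used": used, "remaining": 0}
    return {"decision": "Access-Accept", "used": used, "remaining": limit - used}


# Constructed sample accounting table for two hypothetical guests.
SAMPLE_RECORDS = [
    # Yesterday's session: outside today's window, must not count.
    AcctRecord("guest1", "s-001", "Stop", datetime(2024, 1, 1, 22, 30), 50 * MB, 100 * MB),
    # Today: one finished session reported as Start, two Interim-Updates and a Stop.
    AcctRecord("guest1", "s-002", "Start", datetime(2024, 1, 2, 8, 0)),
    AcctRecord("guest1", "s-002", "Interim-Update", datetime(2024, 1, 2, 8, 30), 10 * MB, 40 * MB),
    AcctRecord("guest1", "s-002", "Interim-Update", datetime(2024, 1, 2, 9, 0), 20 * MB, 100 * MB),
    AcctRecord("guest1", "s-002", "Stop", datetime(2024, 1, 2, 9, 15), 25 * MB, 105 * MB),
    # Today: a session still in progress, latest Interim-Update so far.
    AcctRecord("guest1", "s-003", "Interim-Update", datetime(2024, 1, 2, 11, 0), 10 * MB, 50 * MB),
    # Another guest's traffic is tracked separately.
    AcctRecord("guest2", "s-004", "Stop", datetime(2024, 1, 2, 10, 0), 100 * MB, 100 * MB),
]

if __name__ == "__main__":
    now = datetime(2024, 1, 2, 12, 0)
    for guest in ("guest1", "guest2"):
        result = authorize(SAMPLE_RECORDS, guest, now)
        print(guest, result["decision"], "used", result["used"] // MB, "MB")
```

For guest1 the correct figure at noon is 130 MB (the s-002 Stop) plus 60 MB (the s-003 update), i.e. 190 MB and an Access-Accept with 10 MB remaining; adding every interim record instead would report 360 MB and wrongly reject. On a real deployment the records would come from the RADIUS server's accounting store and the remaining allowance could be returned to the NAS in the vendor-specific attributes mentioned above.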