VLAN Steering over captive portal login
What is VLAN steering?
Dynamic VLAN assignment (VLAN steering) is a core technique used by many Network Access Control (NAC) implementations to quarantine untrusted connections until the user is authenticated and the device passes posture assessment checks. When a new device first connects (wireless or wired), it is placed in a quarantine network/VLAN; after successful authentication (and optionally some form of posture assessment via integration with a third-party solution), it is authorized and re-assigned to a trusted network/VLAN.
Dynamic VLAN assignment is also used to build a Personal Area Network (PAN), grouping devices with the same access rights into their own dedicated private VLAN/network. In an open Wi-Fi network in particular, connections can easily be sniffed and hijacked. Most enterprise wireless APs support a "client isolation" feature that prevents associated clients from connecting to each other, but it also blocks some intended access. For example, in a hotel room a guest may have multiple devices that need to connect to each other. Building a PAN achieves both objectives: if you log in with the same user account, all of your devices belong to the same dedicated private VLAN (and are therefore reachable from each other) while being isolated from all other devices on the same open Wi-Fi network.
RansNet HotSpot Gateway (HSG) comes with a built-in standard RADIUS server that works with third-party wireless APs or switches to provide dynamic VLAN assignment (VLAN steering). Together with our winning captive portal features, customers get the best of both worlds:
- use one SSID and one portal to welcome all new/pre-login users (visitors/guests/members/staff).
- use HSG captive portal features for user login/on-boarding, utilizing all our strengths in portal customization and extensive authentication options.
- use VLAN steering to assign authenticated users to their respective VLANs according to each user profile, e.g. visitors fall into the public VLAN, members get their privileged VLAN, staff are assigned to the corporate VLAN, hotel guests get their own private VLAN (Personal Area Network), etc.
How does it work?
VLAN steering is commonly used in conjunction with RADIUS and 802.1X authentication, which requires a compatible WPA supplicant that is not available on every device. The user on-boarding process can be a challenge too: a visitor or guest who has no account yet cannot log in over 802.1X at all. With RansNet's proprietary technology for correlating a user account with the device MAC address, the same result is achieved on an open Wi-Fi network (unlike typical 802.1X authentication, which requires users to enter credentials during Wi-Fi association): users are prompted to log in (or self-register) on a captive portal, so all our Wi-Fi monetization features apply, and authenticated users are steered to their respective VLANs according to the defined profiles.
This is how the user flow works (using an on-premise design example):
- A new device associates to the open SSID and is allocated to a default untrusted/quarantine VLAN.
- The device obtains a DHCP address from the quarantine VLAN and attempts Internet access (mobile devices automatically trigger the CNA portal).
- HSG presents a login portal asking the user to sign in and/or accept the terms and conditions. All RansNet captive portal features and authentication options are supported here.
- After the user authenticates successfully, the device is re-assigned to an authorized VLAN, configurable under the HSG user access profile (RADIUS Attributes).
- The user device's connections now pass through the authorized VLAN (no longer forwarded through the hotspot instance), where you can apply different QoS or access controls for the authorized VLAN.
NOTE: the authorized VLAN does not even have to pass through HSG physically. For example, if you have an upstream UTM firewall, the firewall can be patched directly into the authorized VLAN so that all authorized user traffic passes directly through the firewall.
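The flow above, and the PAN grouping described earlier (same account, same private VLAN), can be modelled as a small RADIUS authorization policy. The following is an added example written for this page; it is not RansNet HSG code and does not reflect how HSG implements the feature internally. It keeps unknown MACs in a quarantine VLAN, records the account/MAC correlation when the captive portal authenticates a user, and answers the next MAC-authentication request from the AP/switch with the standard RFC 3580 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The VLAN numbers, the function names and the use of an RFC 5176 CoA-Request as the re-assignment trigger are assumptions made for the example.

```python
"""Model of captive-portal driven dynamic VLAN assignment (example code,
not RansNet HSG code). VLAN numbers, function names and the CoA step are
assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Attribute values defined by RFC 2868 / RFC 3580 for VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Constructed VLAN plan for the example (not from the page).
QUARANTINE_VLAN = "100"        # default VLAN for new / pre-login devices
PROFILE_VLAN = {               # per-profile authorized VLANs
    "visitor": "200",
    "member": "300",
    "staff": "400",
}


@dataclass
class Session:
    username: str
    profile: str
    pan_vlan: Optional[str] = None   # per-account private VLAN (hotel PAN)


# Account <-> MAC correlation table populated by the captive portal.
_sessions: Dict[str, Session] = {}


def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC formats seen in Calling-Station-Id
    ("AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:01", "aabb.ccdd.ee01")."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan_id: str) -> Dict[str, object]:
    """RADIUS attributes an AP/switch expects for a VLAN assignment."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": vlan_id,
    }


def authorized_vlan(session: Session) -> str:
    """A private PAN VLAN wins over the profile VLAN; an unknown profile
    fails closed into quarantine rather than into a trusted VLAN."""
    if session.pan_vlan:
        return session.pan_vlan
    return PROFILE_VLAN.get(session.profile, QUARANTINE_VLAN)


def portal_login(mac: str, username: str, profile: str,
                 pan_vlan: Optional[str] = None) -> Dict[str, object]:
    """Step 4 of the flow: the portal authenticated the user, so record the
    account/MAC correlation and build the CoA-Request (assumed here as the
    re-assignment trigger) that moves the device to its authorized VLAN."""
    key = normalize_mac(mac)
    session = Session(username, profile, pan_vlan)
    _sessions[key] = session
    return {"Calling-Station-Id": key, **vlan_attributes(authorized_vlan(session))}


def radius_decision(calling_station_id: str) -> Tuple[str, Dict[str, object]]:
    """Answer a MAC-auth Access-Request from the AP/switch: unknown MACs are
    accepted into the quarantine VLAN (so the portal can be reached),
    authenticated MACs into the VLAN of their account."""
    try:
        key = normalize_mac(calling_station_id)
    except ValueError:
        return "Access-Reject", {}
    session = _sessions.get(key)
    vlan = authorized_vlan(session) if session else QUARANTINE_VLAN
    return "Access-Accept", vlan_attributes(vlan)


def portal_logout(mac: str) -> None:
    """Drop the correlation so the MAC returns to quarantine next time."""
    _sessions.pop(normalize_mac(mac), None)


if __name__ == "__main__":
    mac = "AA-BB-CC-DD-EE-01"
    print("new device:", radius_decision(mac))
    print("CoA after login:", portal_login(mac, "room1203", "guest", pan_vlan="1203"))
    print("re-auth after login:", radius_decision(mac))
    print("second device, same account:",
          portal_login("aabb.ccdd.ee02", "room1203", "guest", pan_vlan="1203"))
```

Two details matter for a deployment like this: the AP or switch must re-run authorization for the device (CoA, or a forced re-association) before the new VLAN takes effect, and the policy should fail closed, so a session whose profile maps to no VLAN lands back in quarantine rather than in a trusted network.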
Why do we need VLAN steering?
There are several use scenarios for the VLAN steering feature:
- Hotels want to build a Personal Area Network (PAN) for each guest room. In a PAN, each guest room is mapped to a dedicated VLAN, isolated from other guests, while the same guest's devices can communicate with each other within their private VLAN or PAN. Traditionally this is done with a very complicated method, e.g. provisioning each room's LAN port into a dedicated VLAN and plugging a dedicated AP into each room's LAN port (so that the room's connections are isolated from other rooms). This "physical" isolation is very expensive and difficult to maintain, and guests are unable to roam to other physical locations in the hotel. With dynamic VLAN assignment, where the VLAN is an attribute of the user account, the same guest account can roam and enjoy its private PAN across the whole hotel premises.
- Enterprises want to enforce Network Access Control (NAC) for visitors or BYOD devices. Traditionally, organizations would need to run multiple SSIDs with multiple VLANs and multiple portals, each SSID mapping to a visitor or staff VLAN. Users then choose their SSID and sign in from their respective portals. This works, but the configuration is hard to maintain and the user experience can be confusing. Now you need only one SSID for all users to connect to; they are redirected to a common captive portal with multiple login options (visitor/staff) on the same portal, where users can self-register (visitors) or log in with corporate accounts (staff), and are automatically moved to their respective networks after authentication. You can optionally enforce a further level of posture assessment or firewalling in selected VLANs by integrating with other third-party solutions.
- Large hotspot deployments need to reduce HSG load. By default, when the hotspot service is turned on for a VLAN/network, an authorized user device's connection remains in the current hotspot instance, where HSG tracks each connection (username + MAC + session info), enforces all necessary access rights and processes packets for every connection. Even if no controls are enforced (e.g. no bandwidth or time control), the HSG hotspot instance still has to process each packet with the same cycle. This places a heavy load on HSG computing resources (especially CPU); typically throughput alone is halved when all traffic passes through hotspot instances. That is why we usually set a maximum number of concurrent users and a maximum throughput per hotspot instance. HSG is a purpose-built appliance with high-performance hardware, and it works well by default for most networks when sized to the correct model, but for really large networks that require high throughput with tens of thousands of concurrent users (e.g. airports, stadiums, large hospitals), passing all traffic through hotspot instances can overload HSG and make it a performance bottleneck. With VLAN steering, the hotspot service only needs to run on the quarantine VLAN (for users to log in), and all authenticated connections are simply routed (or handled by the HSG kernel firewall) through the authorized VLAN at wire speed, without any performance degradation. This makes HSG extremely efficient and lets it perform at maximum throughput (equivalent to CMG), while we still enjoy the HSG hotspot features at initial login.