Fixed broadband WISP subscriber authentication methods
The customer authentication process occurs each time the customer connects to the network, in order to verify the customer's identity. A customer is identified when the authentication credential sent by the customer's CPE is verified against the customer credential database.
Subscriber Authentication Strategies
The authentication credential is part of the customer record and may be stored in a Remote Authentication Dial-In User Service (RADIUS) server database to implement the authentication process. The field service technician configures the customer credential during installation of the CPE at the customer's premises. Three methods of authenticating fixed broadband customers and admitting them onto the network are commonly employed by WISPs:
- CPE MAC address verification.
- Point-to-point protocol over Ethernet (PPPoE) using RADIUS authentication.
- WPA2-enterprise using RADIUS authentication.
MAC address verification is the simplest but least secure method of verifying the authenticity of a customer. The MAC address of the customer's CPE wireless is added to a table in the access control router, either manually or by the provisioning software. When the access control router receives data packets from a customer, the packet's MAC address is checked against the MAC address table. If the MAC address is found the packet is forwarded; if it is not found the packet is dropped. Because a MAC address is easily copied, this method requires safeguards that detect an attempt to duplicate a provisioned MAC address in order to gain unauthorized access to the Internet service. The diagram illustrates the data path for MAC authentication.
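The following is an added example, not code from the original article or from any router vendor. It models the access control router's MAC table lookup in Python together with one of the safeguards the text calls for: each provisioned MAC is bound to the first access point sector it is seen on, and the same MAC arriving from a second sector while the first binding is still fresh is dropped and logged as a probable duplicate. The sector names, hold-down window and frame list are constructed sample data.

```python
import time

def normalize_mac(mac: str) -> str:
    """Accept the common notations (colons, hyphens, Cisco dots) and return aa:bb:cc:dd:ee:ff."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAccessControl:
    """Allow-list filter for the access control router plus a duplicate-MAC safeguard.

    A MAC may be active on only one ingress sector at a time; it may move to another
    sector only after `hold_down` seconds without traffic on the old one, which lets a
    CPE legitimately re-home after an outage without letting a second radio piggy-back
    on a live subscriber's address.
    """

    def __init__(self, allowed, hold_down=300):
        self.allowed = {normalize_mac(m) for m in allowed}   # provisioned CPE MACs
        self.hold_down = hold_down
        self.bindings = {}    # mac -> (ingress sector, last seen timestamp)
        self.alerts = []      # duplicate-MAC events for the operator / SIEM

    def provision(self, mac):
        self.allowed.add(normalize_mac(mac))

    def deprovision(self, mac):
        mac = normalize_mac(mac)
        self.allowed.discard(mac)
        self.bindings.pop(mac, None)

    def check(self, src_mac, ingress, now=None):
        """Return 'forward' or 'drop' for one frame, updating bindings and alerts."""
        now = time.time() if now is None else now
        mac = normalize_mac(src_mac)
        if mac not in self.allowed:
            return "drop"                              # unprovisioned CPE
        bound = self.bindings.get(mac)
        if bound and bound[0] != ingress and now - bound[1] < self.hold_down:
            self.alerts.append({"mac": mac, "bound_to": bound[0], "seen_on": ingress, "at": now})
            return "drop"                              # same MAC live on two sectors
        self.bindings[mac] = (ingress, now)            # refresh (or move after hold-down)
        return "forward"


def run_sample():
    """Constructed traffic: (source MAC, ingress sector, seconds since start)."""
    acl = MacAccessControl(["00:11:22:33:44:55", "AA-BB-CC-DD-EE-01"], hold_down=300)
    frames = [
        ("00:11:22:33:44:55", "sector-1", 0),       # provisioned, first sighting
        ("aa:bb:cc:dd:ee:01", "sector-2", 1),       # provisioned, first sighting
        ("de:ad:be:ef:00:01", "sector-2", 2),       # not provisioned -> drop
        ("00:11:22:33:44:55", "sector-3", 3),       # duplicate within hold-down -> drop + alert
        ("aa:bb:cc:dd:ee:01", "sector-4", 1000),    # re-homed after hold-down -> forward
    ]
    return [acl.check(*f) for f in frames], acl.alerts
```

The hold-down window is the trade-off to tune: too short and a duplicate that appears while the real CPE is idle slips through; too long and a subscriber who re-associates to a neighbouring sector after a fade is locked out until the operator clears the binding. A duplicate on the same sector as the legitimate CPE is not caught by this check at all, which is one reason the text rates MAC verification the least secure of the three methods.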
Point-to-Point Protocol over Ethernet (PPPoE) is an authentication method that has been used by DSL service providers for many years and is still popular with WISPs because most programmable routers used for access control include a PPPoE server. PPPoE provides authentication, encryption, and compression of the data connection over the data link to the customer, and offers good security for authentication. A PPPoE credential is stored in the CPE wireless and sent to the PPPoE server on the access control router to initiate a connection. The PPPoE server authenticates the credential via a RADIUS server before allowing access to the network. The connection between the access control router and the RADIUS server is shown in the next diagram.
RADIUS is a robust and popular protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service, ensuring controlled access to the network. RADIUS is a client/server protocol and is used in many applications to authorize and control access to a network.
In addition to authenticating PPPoE connections, a RADIUS server is used for WPA2-enterprise authentication. A PtMP wireless running WPA2-enterprise authentication software communicates with the RADIUS server to validate the credential sent by the CPE client. Deploying WPA2-enterprise authentication in a network requires a WPA2-enterprise client (the CPE wireless) to connect to a WPA2-enterprise server (the PtMP wireless) with a pre-programmed credential; the PtMP wireless passes that credential to the RADIUS server for verification using the RADIUS protocol. The RADIUS server maintains a database of credentials to permit validation and authorization of many clients.
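To make the RADIUS exchange behind both the PPPoE and the WPA2-enterprise paths concrete, here is an added example that is not from the original article or any RADIUS implementation. It builds an RFC 2865 Access-Request with User-Name and User-Password (the PAP-style credential a PPPoE server forwards), hides the password with the MD5/shared-secret scheme from section 5.2 of that RFC, answers it from a per-subscriber credential database, and has the router side check the Response Authenticator before trusting the answer. The subscriber names, passwords and shared secret are constructed sample values, and the two sides run in one process instead of over UDP port 1812.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample credential database: one credential per subscriber CPE.
SUBSCRIBERS = {
    "cpe-0001@example-wisp": "s3cr3t-one",
    "cpe-0002@example-wisp": "a-much-longer-password-than-16-bytes",
}
# Constructed shared secret between the access control router (the NAS) and the RADIUS server.
SHARED_SECRET = b"constructed-nas-secret"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block), seeded with the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run on the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    """Type-Length-Value walk that refuses truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """NAS side: the packet the access control router sends when a CPE starts a session."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def handle_access_request(packet: bytes, secret: bytes, db: dict) -> bytes:
    """RADIUS server side: look the subscriber up and answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    try:
        password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    except ValueError:
        password = b""
    expected = db.get(username)
    ok = expected is not None and hmac.compare_digest(password, expected.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: True/False for a genuine Accept/Reject, None for a forged or mismatched reply."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth) or response[1] != request[1]:
        return None
    return response[0] == ACCESS_ACCEPT


def authenticate(username: str, password: str, ident: int = 7):
    """Whole exchange in-process: router builds the request, server answers, router verifies."""
    request = build_access_request(ident, username, password, SHARED_SECRET)
    response = handle_access_request(request, SHARED_SECRET, SUBSCRIBERS)
    return verify_response(response, request, SHARED_SECRET)
```

Two points worth noticing from the code: the only thing protecting the password on the wire and proving the server's reply is MD5 keyed with the shared secret, so the RADIUS leg between the access control router (or PtMP wireless) and the RADIUS server belongs on a management network or inside RADIUS/TLS (RFC 6614) rather than on the subscriber-facing segment; and a reply whose Response Authenticator fails to verify is treated as no reply at all rather than as a reject, so a forged Accept cannot admit a subscriber. WPA2-enterprise carries an EAP conversation inside RADIUS instead of a bare User-Password, but the packet framing, the shared secret and the Response Authenticator check are the same.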
With WPA2 pre-shared-key encryption and authentication every client uses the same authentication key, which reduces the security of the method. WPA2-enterprise, by contrast, requires a unique key for each client, providing greater security. The diagram illustrates the implementation of the network with WPA2-enterprise authentication.
Stay tuned for more information about WISP!