BYOD Implementation Examples

The following examples describe how you can implement the Smoothwall Filter and Firewall for BYOD.

DHCP, Authentication, and Accounting Services

You can configure the Smoothwall Firewall to be the DHCP server, and the RADIUS server for both authentication and accounting requests.

Note: To use DHCP, you need a Unified Threat Management license.

This might be implemented as follows:

Authentication and accounting

This implementation provides greater control over authentication services.

The Smoothwall Firewall authenticates the user and authorizes them to the wireless network. However, the Smoothwall Firewall is informed of the IP address assigned to the user in the RADIUS accounting packet received from the network access server. This is contained in the Framed-IP-Address attribute.

Accounting services

You can delegate user authentication and authorization to the wireless network to the network access server, and only use the Smoothwall Firewall as the RADIUS server that receives accounting requests. Typically, the Smoothwall Firewall uses the accounting requests to log the user on or off the network. For this to work, the network access server must include the Framed-IP-Address attribute (and Accounting-Start or Accounting-Stop) in the RADIUS accounting packet to the Smoothwall Firewall.

This might be implemented as follows:

Multitenant setup

You can use BYOD in a Multitenant configuration by passing the client’s IP address into the Framed-IP-Address attribute denoting the tenant membership.

Typically, you add all network access servers’ IP addresses into the same tenant as the clients they're serving. This is essential if the network access server is unable to support sending the client’s IP address in the Framed-IP-Address attribute (the Smoothwall Firewall would receive the IP address of the network access server instead), or if Framed-IP-Address isn't sent in every accounting packet. This is to make sure that users receive the correct web filtering policies. See the help topic, Adding tenants.
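The accounting and multitenant descriptions above both depend on the network access server sending Framed-IP-Address together with a Start or Stop status. The following is an added example, not Smoothwall code: it parses a captured Accounting-Request and reports whether those attributes are present. The attribute numbers come from RFC 2865 and RFC 2866; the function names and sample packets are constructed for illustration, and the request authenticator is not verified.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # packet code, RFC 2866; attribute numbers below likewise
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: first value} from an Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def ipv4(value):
    return str(ipaddress.IPv4Address(value)) if value and len(value) == 4 else None

def check_accounting(packet: bytes) -> dict:
    """Report whether the packet can tie a user to a client IP address."""
    attrs = parse_attributes(packet)
    raw = attrs.get(ACCT_STATUS_TYPE, b"")
    status = STATUS.get(struct.unpack("!I", raw)[0]) if len(raw) == 4 else None
    client_ip = ipv4(attrs.get(FRAMED_IP_ADDRESS))
    return {
        "user": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),
        "status": status,
        "client_ip": client_ip,  # None means only nas_ip identifies the session
        "nas_ip": ipv4(attrs.get(NAS_IP_ADDRESS)),
        "usable": status in ("Start", "Stop") and client_ip is not None,
    }

def build_sample(attrs) -> bytes:
    """Constructed packet for the demo; the authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a Start with the client address, a Stop without it.
GOOD = build_sample([(1, b"alice"), (4, bytes([10, 0, 0, 2])),
                     (8, bytes([10, 20, 0, 57])), (40, struct.pack("!I", 1))])
NO_FRAMED_IP = build_sample([(1, b"bob"), (4, bytes([10, 0, 0, 2])),
                             (40, struct.pack("!I", 2))])
```

Running check_accounting over packets captured from each network access server shows which ones omit the client address and therefore need to be placed in the same tenant as their clients.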

Centrally managed solution

A BYOD service in a centrally managed solution could potentially be configured with any of the implementations previously described.

You can configure the parent Smoothwall Firewall node as the primary RADIUS server, with the child nodes acting as extra RADIUS servers receiving forwarded accounting packets.

You can also configure more than one Smoothwall Firewall to act as the RADIUS server for the network access server, with each processing a different RADIUS request.

You can also configure the network access servers to use one of the Smoothwall Firewall nodes as a backup RADIUS server. However, the following limitations apply:

Note: Nodes from a centrally managed solution aren't added to the BYOD configuration automatically. You must add them separately to the "Forward RADIUS accounting to" section located on the BYOD page.

See the help topic, Setting up a centrally managed system.
