Irrespective of the type of BYOD setup, before you configure the Smoothwall, you must have the following information:
- The IP addresses for the wireless access points.
- The IP addresses for any external RADIUS servers.
- The shared secrets for the RADIUS servers and clients.
Additionally, the network access server (NAS) must be able to act as a DHCP server to provision the wireless device with an IP address.
When Smoothwall is the RADIUS Authentication Server
If the Smoothwall is acting as the RADIUS server for authentication, the following must be considered:
- Users’ wireless devices must support WPA Enterprise with Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) version 2.
- If a web filtering policy is applied to users, Guardian must be configured to use core authentication. See the help topic, Creating authentication policies.
- Active Directory must be used to authenticate users to the wireless network.
Note: If the Smoothwall is the authentication server, no other directory services are supported. This includes the legacy method of using Active Directory.
See the help topic, Managing directories.
When Basic Network Access Servers are Used
If the network access server is unable to authenticate the user, or act as a DHCP server to provision the wireless device with an IP address, the following must be considered:
- You must enable DHCP on the Smoothwall and configure a valid DHCP subnet. See the help topic, Turning on the DHCP service.
- All network access servers must be in the same subnet as the Smoothwall. Network switches can be used, but there must not be any routers between them. Again, the Smoothwall must be the DHCP server for that subnet.
- The Smoothwall must act as the RADIUS authentication and accounting server.
Note: To use DHCP, you need a Unified Threat Management license.
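A pre-flight check for the basic network access server setup, written as an added example that is not part of the Smoothwall product or its documentation. It validates the inventory this page asks you to gather (access point addresses, external RADIUS server addresses, shared secrets) and flags any access point outside the Smoothwall's subnet. The function name, the device names and all addresses and secrets are constructed for illustration.

```python
import ipaddress

def preflight(smoothwall_if, access_points, radius_servers=()):
    """Return a list of problems in a BYOD inventory; an empty list means none found.

    smoothwall_if  -- Smoothwall interface on the wireless subnet, e.g. "192.0.2.1/24"
    access_points  -- iterable of (name, ip, shared_secret)
    radius_servers -- iterable of (name, ip, shared_secret), external RADIUS servers
    """
    iface = ipaddress.ip_interface(smoothwall_if)
    subnet, problems = iface.network, []
    seen = {iface.ip: "smoothwall"}          # catch address clashes

    def check(kind, name, ip_text, secret):
        if not secret or not secret.strip():
            problems.append(f"{kind} {name}: shared secret missing")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{kind} {name}: invalid IP address {ip_text!r}")
            return None
        if ip in seen:
            problems.append(f"{kind} {name}: {ip} already used by {seen[ip]}")
        seen.setdefault(ip, name)
        return ip

    for name, ip_text, secret in access_points:
        ip = check("access point", name, ip_text, secret)
        if ip is None:
            continue
        if ip not in subnet:
            # A different subnet means traffic to the Smoothwall is routed.
            problems.append(f"access point {name}: {ip} is outside {subnet}")
        elif ip in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"access point {name}: {ip} is not a host address")
    # External RADIUS servers are only checked for a valid address and a secret.
    for name, ip_text, secret in radius_servers:
        check("RADIUS server", name, ip_text, secret)
    return problems

# Constructed sample inventory (documentation address ranges, placeholder secrets).
SMOOTHWALL = "192.0.2.1/24"
APS = [("ap-lobby", "192.0.2.10", "constructed-secret-1"),
       ("ap-annexe", "198.51.100.20", "constructed-secret-2"),
       ("ap-lab", "192.0.2.11", "")]
RADIUS = [("radius-ext", "203.0.113.5", "constructed-secret-3")]

if __name__ == "__main__":
    for problem in preflight(SMOOTHWALL, APS, RADIUS):
        print(problem)
```

An address inside the subnet is necessary but does not by itself prove that no router sits in the path, so confirm the physical topology as well.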
Network Access Servers
Refer to the documentation for your network access server for a detailed description of how to configure the access points.
The following should be considered:
- The wireless network added to or modified in the network access server must use WPA2 with 802.1X.
- The wireless network type might be referred to as WPA2-Enterprise, WPA2-RADIUS, or WPA2 with a separate option for RADIUS accounting. WPA2 is the most secure. To support older hardware, WPA1 is also supported. Some network access servers might support WPA1 and WPA2 simultaneously.
- Some network access servers need you to enter the Smoothwall’s details twice, if the Smoothwall is the RADIUS server for both authentication and accounting.