RADIUS-Based Enforcement

RADIUS-Based Enforcement (RBE) – Eliminates VLAN Steering

In addition to Impulse’s existing Layer3 Policy Based Routing (PBR) network enforcement, SafeConnect provides an alternate enforcement option called RADIUS-Based Enforcement (RBE). RBE delivers dramatic scalability enhancements and more granular network and application access role assignments for 802.1X/WPA2 Enterprise and Open wireless network environments.

As mobile devices exponentially increase network density, a more flexible, scalable and dynamic mechanism is needed to manage device enforcement. Recognizing this, Impulse developed RBE to support the massive increase of mobile devices on the network. Capitalizing on existing customer investments in wireless technologies, RBE utilizes network-based communication standards to manage user/device role and access control.

The Impulse RBE module includes a RADIUS proxy server that (in conjunction with a customer’s existing RADIUS authentication environment) leverages the “Vendor Specific Attributes” (VSAs) of wireless network controller platforms to control network access privileges. Unlike other industry approaches, RBE does not require customers to change/abandon their existing investment in RADIUS infrastructure. Customers are free to choose which RADIUS “authentication” platform is best for their organization and RBE handles the device’s RADIUS “authorization” access on the network.

It is important to note that the customer’s RADIUS infrastructure continues to provide primary authentication services. For example: If a customer’s RADIUS environment is configured appropriately, Impulse Point’s RBE will fail-open whereby the wireless network will revert to its original state of RADIUS authentication-only.

RBE Eliminate VLAN Steering

Another key benefit of Impulse’s RBE is its non-reliance on VLAN Steering. Within a wireless network environment, VLAN manipulation is a resource burden to design, deploy, and support; in addition to contributing to a poor end user experience every time a device is forced to change VLANs. Impulse Point’s RBE utilizes “DynamicACL” technology to assign network access privileges to a specific device versus moving a device to a common VLAN. RBE’s non-VLAN approach for wireless networks offers the following benefits over other vendor alternatives:

  • Easier to design, deploy, and support – Fewer technical resources required
  • Real-time post-admission network access assignment – No need to remove or re-authenticate a device to change network access status
  • A better end user experience – No IP address/VLAN changes
  • Higher level of device quarantine/segmentation – Devices are restricted/isolated directly, not placed into a shared/quarantine VLAN

An example of an RBE device access transaction is detailed below that fully supports both Secure 802.1X/WPA2 Enterprise and Non-encrypted Open SSID wireless network environments.