Access Points
Elektron needs to be able to communicate with the wireless access points on your network in order to authenticate users on behalf of the access points. The Access Points pane allows you to configure the options available for determining how Elektron talks to your access points.
Note that Elektron must be installed on a computer that is connected to your access points via your wired Ethernet network. Elektron cannot communicate with access points using your wireless network.
The Access Points pane contains a list of all currently configured access points. Each access point that will use your Elektron server for user authentication must have a configured entry in the list. Access points that are unrecognized by Elektron are ignored when attempting authentication.
To configure a new access point, click the appropriate button below the access point list. To remove or edit an existing access point, select it in the list and click the appropriate button.
When you first install Elektron, the Elektron Setup Assistant creates a default access point with an IP address range of “0.0.0.0/0” that covers all access points on your network. While this is simple and effective, it is more secure to configure access points individually. This will result in each access point having its own shared secret, which in turn makes it more difficult for eavesdroppers to guess the shared secret.
When configuring an access point, the following options are available:
Friendly Name
You may give each access point a simple description to make it easier for administrators to map IP addresses to specific access points. Example friendly names are “Marketing Area” or “Boardroom 3”. This field is for convenience only, and is optional.
IP Address
Enter the IP address of the access point here. You may enter either a specific IP address, such as “192.168.2.4”, or a range of IP addresses with a subnet specification, such as “192.168.2.0/24”. Entering a range of IP addresses can simplify large deployments. This field is required.
Shared Secret
This is the password or passphrase used by the access point and Elektron to authenticate communications between the two. The password entered here must match exactly the password configured on the access point. The password is case-sensitive.
Consult the manufacturer’s documentation for information on how to configure the shared secret on the access point.
Enable MAC Address Authentication
Selecting this option will enable MAC address authentication, and by extension, disable basic RADIUS protocols like PAP and CHAP (while leaving wireless authentication protocols like PEAP and TTLS enabled). For more information, see the chapter on MAC address authentication.
Access Point is Disabled
To temporarily disable an access point without deleting its entry in the access points table, select this option.
Group Membership
To implement authorization policies that limit or deny access based on the access point to which the user is connecting, you must create group memberships for your access points. Before you can join an access point to a group, you must first create your access point groups.
Importing Access Points
You can import a list of access points using a text file in either tab-delimited or comma-separated value (CSV) format. Each line in the text file represents a single access point, with each line formatted as:
IP Address<tab or comma>Friendly Name<tab or comma>Shared Secret
For instance, to add the access point “192.168.1.10” with a friendly name of “Conference Room” and a shared secret of “foobar”, the entry in the text file (in CSV format) would look like:
192.168.1.10,Conference Room,foobar
The IP address and shared secret are required, while the friendly name is optional (but a delimiter is still required, for instance “192.168.1.10,,foobar”).
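The following Python script is an added example, not part of Elektron or its documentation. It parses an import file in the format described above and flags entries that work against the per-access-point shared secret advice: catch-all ranges, reused secrets and short secrets. The function names, the 16-character minimum and the sample entries are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

MIN_SECRET_LEN = 16  # assumed local policy, not an Elektron requirement

def parse_line(line):
    """Split one import line (tab- or comma-delimited) into (network, name, secret)."""
    delimiter = "\t" if "\t" in line else ","
    fields = next(csv.reader(io.StringIO(line), delimiter=delimiter))
    if len(fields) != 3:
        raise ValueError("expected 3 fields: IP Address, Friendly Name, Shared Secret")
    # The secret is not stripped: it must match the access point's value exactly.
    ip, name, secret = fields[0].strip(), fields[1].strip(), fields[2]
    if not ip or not secret:
        raise ValueError("IP address and shared secret are required")
    # Accepts a single address or a range such as 192.168.2.0/24.
    return ipaddress.ip_network(ip, strict=False), name, secret

def audit_import(text):
    """Return (entries, findings) for the text of an import file."""
    entries, findings, by_secret = [], [], defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            net, name, secret = parse_line(line)
        except ValueError as exc:
            findings.append((lineno, f"invalid: {exc}"))
            continue
        entries.append((net, name, secret))
        by_secret[secret].append(lineno)
        if net.prefixlen == 0:
            findings.append((lineno, "catch-all range covers every address"))
        if len(secret) < MIN_SECRET_LEN:
            findings.append((lineno, f"shared secret shorter than {MIN_SECRET_LEN} characters"))
    for lines in by_secret.values():
        if len(lines) > 1:
            findings.append((lines[0], f"shared secret reused on lines {lines}"))
    return entries, findings

# Constructed sample input; the secrets are placeholders, not real credentials.
SAMPLE = (
    "192.168.1.10,Conference Room,foobar\n"
    "192.168.1.11,,foobar\n"
    "192.168.2.0/24\tLab\tconstructed-long-secret-01\n"
    "0.0.0.0/0,Default,constructed-long-secret-02\n"
    "192.168.1.12,Lobby\n"
)
```

Run `audit_import` over the file before importing it; each finding is a `(line number, message)` pair.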
Access Point Groups
Access point groups allow you to manage access points to create authorization policies. These policies allow you to limit or deny user access based on the access point to which they are connecting.
Configuration of access point groups is simple — the only value configurable is the name of the group. To add or remove a group, use the buttons below the access point group list.
To manage access point group membership, use the Access Points pane to configure individual access points.
RADIUS Dictionaries
RADIUS dictionaries allow Elektron to understand incoming requests and properly format responses. The chapter “RADIUS Dictionaries” has more information.
Policies
Authorization policies allow you to limit network access based on account groups to which a user belongs, the access point to which they are connecting, and the day and time. You may choose to reject a connection altogether based on these criteria, or to limit the network access granted by adding specific RADIUS attributes to Elektron’s response to the user authentication request. The chapter “Policies” covers authorization policy deployment.
