Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Trapeze Welcomes Guests with SmartPass

According to a June 2007 Kubernan Guiding Innovation 2007 Wireless LAN State
of the Market report, 64% of enterprises are deploying guest access, placing
it as the third most important application for wireless networks, followed
only by e-mail and internet/intranet access. Ironically, guest access has
been one of the more clumsily deployed services, torn between concerns
regarding security; being a good host for clients, suppliers, and
contractors; as well as technical limitations in network infrastructure and
design.

There have been several approaches to guest access for wireless LANs, some
with or without wireless encryption, with or without restricted access via
access control lists. One approach has been to deploy an public-access
network with a separate SSID that terminates all traffic outside the
enterprise firewall. Most of these don't use any wireless security such as
WPA-Personal or WPA-Enterprise as the goal has been to make access as
barrier free as possible.

Another technique forces users to go through a gateway or portal (e.g.
Bluesocket controller, Cisco BBSM, etc) and register themselves. Sometimes
this method facilitates access to an SSL VPN or instructions or a tool to
configure the end user's wireless supplicant. If no security is offered,
the user also has the option to use their corporate VPN client, unless
they're a student or employee without access to such kind of services. One
limitation with self-registration is that there is no external validation,
unless the portal requires some kind of credit card payment or hooks into an
external authentication system such as Shibboleth or OpenID.

Other institutions have tried the "sponsored guest" approach, where an
authorized employee uses a web-based portal to generate temporary
credentials for their guest. These credentials could be inserted into the
organization's AAA infrastructure such that the guest can use secure access
via WPA Enterprise or it could give them access to a web portal. And for
each of these approaches there a dozen variations which reflect the
organization's unique business requirements and capabilities.

One of the additional challenges of guest access are the growing numbers of
ASD (application specific devices) such as Wi-Fi enabled smartphones (e.g.
Apple iPhone) and MP3 players (e.g. Microsoft Zune) that don't easily
facilitate web-portal authentication. While MAC-based authentication
appears to be an easy solution, unless there is some additional device
profiling and monitoring it's too weak from a security perspective. What
that means is that these devices are either considered completely untrusted
and placed outside the firewall or lowest common denominator security such
as a WPA-Personal using unique pre-sharked keys are provisioned.

Trapeze Networks original guess access solution called "GuestPass" depended
on a Java-based application innovatively called "Guest Provisioning
Application" to allow people such as receptionists and security guards to
create non-AAA accounts with the necessary restrictions via IT-supplied
templates. While Aruba and Cisco have their own guest-access solutions,
Trapeze Network's originally led as one of the most polished.

Trapeze is attempting to keep a leg up with the introduction of "SmartPass",
adding a significant stream of features.
A few more new knobs have been
added to access control. Rather than allow access for so consecutive hours
or days, it's now possible to limit access to time of day (e.g. only 8 am to
5 pm), day of week (e.g. only Monday thru Friday), and date range (e.g. only
September 10-12). Pre-defined templates have been added to address the most
common scenarios, building on the pre-existing capability to create custom
ones. There is now an ability to create guest accounts in bulk for
situations such annual customer events or conferences. For those who want
to tie guest access provisioning into an existing system, Trapeze has also
introduced a web API, already put into use by the Bank of Montreal.
SmartPass also automatically purges expired guest accounts.

Unlike some products that require configuration on a per-controller basis,
Trapeze has developed the GuestPass solution as a separate piece of software
than their management component, RingMaster. It communicates with all the
controllers, and even in a N+1 configuration with failover, the guest access
continues seamlessly.

One aspect where SmartPass falls short is out of the box support for
location-based restrictions. While that's possible with the additional
purchase of Trapeze's location application, the LA 200, some kind of a
coarse location-based restrictions should have been included. There are
times where an organization may want to restrict guest access to just the
lobby and conference rooms in the main building, but no access in other
buildings around campus.

Trapeze will charge just under $2,000 for an enterprise license that
supports 10,000 guest accounts.

RELATED LINKS
bulletExtricom Forms Uni-Fi Alliance
Trapeze Announces 802.11n Access Point--With a Difference
Vendor delivers early standards-based AP, but also touts key architectural differences from market-share leaders Cisco and Aruba.