Trapeze Welcomes Guests with SmartPass

According to a June 2007 Kubernan Guiding Innovation 2007 Wireless LAN State of the Market report, 64% of enterprises are deploying guest access, placing it as the third most important application for wireless networks, behind only e-mail and internet/intranet access. Ironically, guest access has been one of the more clumsily deployed services, torn between security concerns; the desire to be a good host for clients, suppliers, and contractors; and technical limitations in network infrastructure and design.



There have been several approaches to guest access for wireless LANs, with or without wireless encryption, and with or without restricted access via access control lists. One approach has been to deploy a public-access network with a separate SSID that terminates all traffic outside the enterprise firewall. Most of these don't use any wireless security such as WPA-Personal or WPA-Enterprise, as the goal has been to make access as barrier-free as possible.

Another technique forces users to go through a gateway or portal (e.g. Bluesocket controller, Cisco BBSM, etc.) and register themselves. Sometimes this method facilitates access to an SSL VPN, or provides instructions or a tool to configure the end user's wireless supplicant. If no security is offered, the user also has the option to use their corporate VPN client, unless they're a student or employee without access to such services. One limitation of self-registration is that there is no external validation, unless the portal requires some kind of credit card payment or hooks into an external authentication system such as Shibboleth or OpenID.

Other institutions have tried the "sponsored guest" approach, where an authorized employee uses a web-based portal to generate temporary credentials for their guest. These credentials could be inserted into the organization's AAA infrastructure so that the guest can use secure access via WPA-Enterprise, or they could give the guest access to a web portal. And for each of these approaches there are a dozen variations that reflect the organization's unique business requirements and capabilities.

One of the additional challenges of guest access is the growing number of ASDs (application-specific devices), such as Wi-Fi enabled smartphones (e.g. Apple iPhone) and MP3 players (e.g. Microsoft Zune), that don't easily facilitate web-portal authentication. While MAC-based authentication appears to be an easy solution, it is too weak from a security perspective unless there is some additional device profiling and monitoring. What that means is that these devices are either considered completely untrusted and placed outside the firewall, or are provisioned with lowest-common-denominator security such as WPA-Personal using unique pre-shared keys.

Trapeze Networks' original guest access solution, called "GuestPass", depended on a Java-based application innovatively called "Guest Provisioning Application" to allow people such as receptionists and security guards to create non-AAA accounts with the necessary restrictions via IT-supplied templates. While Aruba and Cisco have their own guest-access solutions, Trapeze Networks' offering originally led as one of the most polished.

Trapeze is attempting to keep a leg up with the introduction of "SmartPass", adding a significant stream of features. A few new knobs have been added to access control. Rather than only allowing access for so many consecutive hours or days, it's now possible to limit access by time of day (e.g. only 8 am to 5 pm), day of week (e.g. only Monday through Friday), and date range (e.g. only September 10-12). Pre-defined templates have been added to address the most common scenarios, building on the pre-existing capability to create custom ones. There is now an ability to create guest accounts in bulk for situations such as annual customer events or conferences. For those who want to tie guest access provisioning into an existing system, Trapeze has also introduced a web API, already put into use by the Bank of Montreal. SmartPass also automatically purges expired guest accounts.
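As an added illustration (not from the article, and not Trapeze's code or its web API), the sketch below shows how the three access windows described above combine into one decision, alongside bulk account creation and purging of expired accounts. The names `GuestPolicy`, `bulk_create` and `purge_expired` are hypothetical, and the year 2007 is assumed for the article's September 10-12 example.

```python
import secrets
from dataclasses import dataclass
from datetime import date, datetime, time

@dataclass(frozen=True)
class GuestPolicy:
    """Hypothetical guest template: every window must match for access."""
    start_date: date      # first valid day (inclusive)
    end_date: date        # last valid day (inclusive)
    weekdays: frozenset   # allowed days, Monday=0 .. Sunday=6
    day_start: time       # daily window opens (inclusive)
    day_end: time         # daily window closes (exclusive)

    def allows(self, now: datetime) -> bool:
        # Deny unless date range, day of week and time of day all agree.
        return (self.start_date <= now.date() <= self.end_date
                and now.weekday() in self.weekdays
                and self.day_start <= now.time() < self.day_end)

    def expired(self, now: datetime) -> bool:
        # Expired only once the last valid day is over, whatever the hour.
        return now.date() > self.end_date

def bulk_create(names, policy):
    """Create one account per guest, each with its own random password."""
    return {n: {"password": secrets.token_urlsafe(12), "policy": policy}
            for n in names}

def purge_expired(accounts, now):
    """Delete accounts whose date range has ended; return removed names."""
    gone = sorted(n for n, a in accounts.items() if a["policy"].expired(now))
    for n in gone:
        del accounts[n]
    return gone

# Constructed sample using the article's example values:
# 8 am to 5 pm, Monday through Friday, September 10-12 (year assumed).
CONFERENCE = GuestPolicy(date(2007, 9, 10), date(2007, 9, 12),
                         frozenset(range(5)), time(8), time(17))
```

Outside the daily window an account is denied but not purged; it is removed only after its date range has ended, so a guest who returns the next morning still has working credentials.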



Unlike some products that require configuration on a per-controller basis, Trapeze has developed the GuestPass solution as a piece of software separate from its management component, RingMaster. It communicates with all the controllers, and even in an N+1 configuration with failover, guest access continues seamlessly.

One aspect where SmartPass falls short is out-of-the-box support for location-based restrictions. While that's possible with the additional purchase of Trapeze's location application, the LA 200, some kind of coarse location-based restriction should have been included. There are times when an organization may want to restrict guest access to just the lobby and conference rooms in the main building, with no access in other buildings around campus.

Trapeze will charge just under $2,000 for an enterprise license that supports 10,000 guest accounts.
