
users signing into wifi using an AD server

itdept_head_me
Contributor

Hi,

OK, we have a captive page for the general users:

1. Enter wifi password (for encryption) to gain access to non-open AP

2. Get thrown over to web page to enter user name & pw with MS AD as the database

Ok.

A. So if I need to "block or delete" a user, it seems it is not possible once they are authenticated to the database?

Why?

B. For testing, how can I force a reset of the user authentication, if there is an option to "re connect without re-authentication"?

C. What is a normal value for "re connect without re-authentication"? Maybe 90 minutes so they can get lunch / a week?

And yes, I know... it depends on the scenario... but what is generally found to work?

2 REPLIES

eizens_putnins
Valued Contributor II

Hello,

Web authentication with AD is not a very good way to manage users. If users are in AD, you can just use normal RADIUS authentication; why do you want to use web authentication at all? Web authentication is in fact using MAC authentication after the password is checked, which is not very secure.

If you use normal WPA2/Enterprise with RADIUS/AD, you have encryption without the need for separately adding a password, and it is unique for each user and each session. The only complication is that you need to configure the NPS role on one of your Windows servers, but it is simple and doesn't cost anything.

About delete user -- this option works, but Windows normally reconnects very fast, so it looks as if it is not working.

About block user - it should work, disabling access for the user permanently (it blocks the user's MAC).

Grace period is set for the WLAN, and it can be set for 90 min, as you mention, but I would avoid using web authentication at all.

With WPA2/Enterprise and RADIUS you don't care about grace period that much (for the grace period, authentication is cached and no RADIUS requests are sent), as after the first connection Windows handles authentication automatically, without the user entering anything (you just need to install the RADIUS server certificate, or accept that you are not checking it). There is a good manual on Ruckus support on how to configure that.

Hope this helps.

itdept_head_me
Contributor

The network is in no state to use RADIUS...

Too much legacy kit... some of which is consumer...

You work with what you have, not what your ideal world is.