The authentication of devices that aren't joined to domains has always been a bit of a problem. Whether it's through prompting the user for authentication each time they turn on their device, or pre-authenticating these devices by their IP or MAC address, each of these solutions has been less than ideal.


HOW IT WORKS

So what is RADIUS authentication? The new improvements to Sonar's pass-through Authentication monitor make the authentication of mobile devices simple and hassle-free. By taking advantage of your current network infrastructure, in much the same way that the monitor does for computers joined to your domain, users are no longer constantly prompted for a username and password.


When users connect their mobile devices to your RADIUS authenticated wireless access points for the first time, they'll need to provide their domain credentials to authenticate. If these credentials check out, the mobile device will store and re-transmit them every time it comes within range of an access point. When this happens, Active Directory will notify the monitor that a user has logged in, authenticating them to Sonar. Before the user has opened an app or browsed the web, Sonar will have already identified the user and applied their appropriate policy.


FOR EXISTING INSTALLATIONS

If you've already installed the Domain Authentication Monitor on your NPS server, you'll unfortunately need to uninstall the agent, then re-download and install it again.


CONFIGURATION 

Most of the configuration options are already set during the installation of the monitor, but there are a couple of extra configuration settings you might need to be aware of. These can all be changed by navigating to:

 

C:\Program Files\Blue Reef\Blue Reef Pass-through Monitor\BlueReefPassthroughMonitor.xml


Multiple SSIDs/Subnets 

While the monitor does its best to figure out where a user's IP address is when they log in, if you have more than one VLAN used for wireless devices, it's necessary to provide a couple of hints about where to look. This can be done by modifying the <dhcp> tag to look something like the following:


<dhcp>
    <server>
        <server_ip>192.168.32.151</server_ip>
        <sub_scope name="brqa-cisco">all</sub_scope>
    </server>
    <server>
        <server_ip>192.168.2.100</server_ip>
        <sub_scope name="sonar_default">192.168.28.0</sub_scope>
        <sub_scope name="brqa-cisco1">192.168.28.64</sub_scope>
        <sub_scope name="brqa-cisco1">192.168.28.0</sub_scope>
    </server>
</dhcp>


Where brqa-cisco is the name of your DHCP scope, and 192.168.32.151 and 192.168.2.100 are the IPs of your DHCP servers. The <sub_scope> tags are the names and the IPs of the scopes on those particular DHCP servers (if you have more than one).


Multiple Sonar Appliances

If you have multiple Sonar appliances running in either H/A or Load Balancing configuration, it's important to configure the monitor to send authentication requests to both Sonar appliances. To add an extra Sonar appliance to the configuration file, add a <sonar_ip> tag so that it reads something like the following:


<sonars>
   <sonar>
     <sonar_ip>192.168.2.18</sonar_ip>
     <sonar_port>80</sonar_port>
   </sonar>
   <sonar>
     <sonar_ip>192.168.2.19</sonar_ip>
     <sonar_port>80</sonar_port>
   </sonar>
</sonars>


Where 192.168.2.18 is the IP address of the first Sonar appliance and 192.168.2.19 is the IP of the second Sonar appliance. Note that each server requires its own <sonar> tag within the <sonars> tag.


CONFIGURATION (Sonar 3.2)

The configuration file on Sonar 3.2 differs slightly from Sonar 3.5, being a .cfg file instead of a .xml file. This file is located at:

C:\Program Files\Blue Reef\Blue Reef Pass-through Monitor\BlueReefPassthroughMonitor.cfg


Multiple SSIDs/Subnets (Sonar 3.2)

While the monitor does its best to figure out where a user's IP address is when they log in, if you have more than one VLAN used for wireless devices, it's necessary to provide a couple of hints about where to look. This can be done by modifying the dhcp configuration to look something like the following:


# sonar configuration
sonar_ip=192.168.2.18,192.168.2.147
sonar_port=80
# dhcp configuration
dhcp_server_ip=192.168.2.100
dhcp_subnet_ip=192.168.28.0
ssid_subnets=SSID1+10.7.16.0?SSID1-1+10.7.9.0?SSID2+10.7.14.0


Where SSID1 is the name of your SSID, and 10.7.16.0 is the subnet used by that SSID. While the syntax may look a bit strange, it is important that you place a + between the SSID and the IP subnet, and if you have more than one SSID, you'll need to separate them with a question mark (?).

Important Note: RADIUS authentication requires the presence of a wireless system configured to use Network Policy Server to authenticate users via PEAP or MSCHAPv2. The installation and configuration of these systems is outside the scope of this article, so we recommend you get in contact with your Systems Integrator to help you get this set up.
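A pre-deployment check for the Sonar 3.2 ssid_subnets line described above, added here as an example and not part of the Blue Reef monitor. The function names are hypothetical, and it assumes an SSID never contains + or ?, so each entry must hold exactly one +.

```python
import ipaddress

def parse_ssid_subnets(value):
    """Return ([(ssid, subnet), ...], [error, ...]) for an ssid_subnets value."""
    pairs, errors = [], []
    for position, entry in enumerate(value.strip().split("?"), start=1):
        # Assumption (not from the vendor): exactly one '+' per entry. A wrong
        # separator such as ',' leaves two '+' in one entry and is caught here.
        if entry.count("+") != 1:
            errors.append(f"entry {position} ({entry!r}): expected exactly one "
                          "'+' between SSID and subnet; separate entries with '?'")
            continue
        ssid, subnet = (part.strip() for part in entry.split("+"))
        if not ssid:
            errors.append(f"entry {position} ({entry!r}): empty SSID")
            continue
        try:
            ipaddress.IPv4Address(subnet)
        except ValueError:
            errors.append(f"entry {position} ({entry!r}): {subnet!r} is not "
                          "a valid IPv4 address")
            continue
        pairs.append((ssid, subnet))
    return pairs, errors

def check_cfg(text):
    """Locate ssid_subnets in the text of a .cfg file and validate it."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        key, equals, value = line.partition("=")
        if equals and key.strip() == "ssid_subnets":
            return parse_ssid_subnets(value)
    return [], ["no ssid_subnets setting found"]

# Constructed sample built from the values shown in this article.
SAMPLE_CFG = """# dhcp configuration
dhcp_server_ip=192.168.2.100
dhcp_subnet_ip=192.168.28.0
ssid_subnets=SSID1+10.7.16.0?SSID1-1+10.7.9.0?SSID2+10.7.14.0
"""

if __name__ == "__main__":
    pairs, errors = check_cfg(SAMPLE_CFG)
    for ssid, subnet in pairs:
        print(f"{ssid} -> {subnet}")
    for error in errors:
        print("ERROR:", error)
```

Run it against a copy of the .cfg file before restarting the monitor; any reported error points at the entry that needs its + or ? corrected.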