Advanced Onboarding Service

Introduction

Limited browsers and CNAs (Captive Network Assistants) are restricted browsers that launch on devices when they detect limited network access, often on SSIDs intended for public use (coffee shops, airports) or used for configuring devices for a different, secure SSID (corporations, universities). They are helpful on public Wi-Fi, but problematic when an organization requires secure network access. Organizations responsible for handling personal or sensitive information often rely on software to configure devices for secure network access, so that attackers cannot steal information over Wi-Fi. They distribute that software over open SSIDs, but limited browsers hamper this by preventing devices from downloading software, which they do for security reasons. Fortunately, SecureW2 has solved this issue by designing an Advanced Onboarding Service that lets devices use limited browsers and still reach the onboarding / network configuration software.

The Limited Browser / CNA

The limited browser is a network connectivity feature that exists on macOS, iOS and Android devices. Its name is self-explanatory: the limited browser is used when the device detects that it is connected to a network with limited network access. The device detects this by trying to reach specific URLs:

  • macOS and iOS: captive.apple.com
  • Android: connectivitycheck.gstatic.com or clients3.google.com

If these URLs are allowed access through the walled garden or firewall, then the limited browser will not deploy. For security reasons, limited browsers (referred to as Captive Network Assistants by Apple) prevent the device from downloading any files from the pages they are browsing. This is an important security feature. Joining an unknown network is already a risk, let alone downloading something from it. However, this is an issue when it comes to using onboarding software (such as SecureW2) to set up devices for WPA2-Enterprise secure network access.
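To make the walled-garden rule above concrete, here is an added example (not SecureW2's code) that models how the probe reply decides whether the CNA appears: hosts on the allow-list get the genuine reply, everything else is intercepted and redirected to the landing page. The expected reply for each probe and the allow-list matching are assumptions, and the landing page URL is a placeholder.

```python
from urllib.parse import urlparse

# Probe URLs named on the page, with the reply each OS treats as "real internet"
# (status, body). The expected replies are assumptions based on the public probe endpoints.
PROBES = {
    "macos":   ("http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    "ios":     ("http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
}

def host_allowed(allowlist, url):
    """True if the URL's host matches an allow-list entry (exact host, or '*.domain')."""
    host = (urlparse(url).hostname or "").lower()
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False

def simulate_probe(allowlist, platform, landing_page):
    """Model the onboarding SSID: allowed hosts get the genuine reply, everything
    else is intercepted by the captive portal and redirected to the landing page."""
    url, status, body = PROBES[platform]
    if host_allowed(allowlist, url):
        return status, body
    return 302, "Location: " + landing_page

def cna_launches(allowlist, platform, landing_page="https://LANDING-PAGE-PLACEHOLDER"):
    """The limited browser / CNA appears only when the probe reply differs from the expected one."""
    _, want_status, want_body = PROBES[platform]
    got_status, got_body = simulate_probe(allowlist, platform, landing_page)
    return not (got_status == want_status and got_body == want_body)

if __name__ == "__main__":
    # Constructed walled garden that allows the Android probe host but not Apple's:
    # the CNA shows for iOS and macOS, but not for Android.
    garden = ["connectivitycheck.gstatic.com"]
    for platform in ("ios", "macos", "android"):
        print(platform, "CNA launches" if cna_launches(garden, platform) else "no CNA")
```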

Onboarding software is typically distributed to end users through an “Onboarding SSID”. An onboarding SSID is an open SSID that redirects to a landing page, where end users can download the onboarding software and get their devices configured for network access.

The dilemma that many organizations face is that having limited browsers / CNAs on the onboarding SSID is a critical piece of the onboarding user experience. We’ve had customers experiment with disabling it, but it left many users confused and unable to configure their devices. Using the limited browser is equally confusing, as users are not able to download the configuration files/software necessary for secure network access. When we saw customers faced with this dilemma, our engineers set to work and came up with a brilliant solution we call the Advanced Onboarding Service.

The Advanced Onboarding Service

The Advanced Onboarding Service is quite simple. The end user joins the onboarding SSID and the limited browser / CNA pops up. The SecureW2 landing page prompts the user to click on the page to continue the onboarding process, which opens a full browser window where they can configure their device for secure network access.

To end users, there’s only one additional step added in the onboarding process. But the Advanced Onboarding Service works hard in the background to make sure users can seamlessly self-service themselves for secure network access. It leverages a RADIUS server, giving users limited network access, but only for a brief amount of time to prevent them from abusing the SSID. After this, the user can continue the onboarding process as normal in a full browser.

In theory, you could accomplish the above solution on your own. In practice, it’s impossible due to the constant changes and updates that occur on operating systems, and the differing ways they interact with network infrastructure. We are only able to provide such a service because of our experience rigorously QAing our software to support nearly every type of device and infrastructure. The data, machine learning and engineering know-how we’ve accumulated over the years as a result is the reason our Advanced Onboarding Service works so seamlessly.

How Onboarding is Traditionally Set up

Onboarding is traditionally set up with an open SSID that directs users to onboarding software so they can self-service their devices for secure WPA2-Enterprise network connectivity. Conceptually, it’s not a difficult thing to set up. However, in our experience with customers, configuring and troubleshooting the Walled Garden can be particularly time consuming. It needs to allow all the resources required for onboarding (SecureW2, Android Play Store, Identity Provider, etc.). The general setup goes as follows:

  • Set up an open SSID on your wireless AP/controller
  • Configure redirect to the SecureW2 landing page
  • Set up a Walled Garden
    • Android resources
    • macOS resources
    • iOS resources
    • Windows resources
    • SecureW2 resources
    • Updating over time

Setting up and troubleshooting the Walled Garden resources is difficult because many of them are location based. Google, Apple and other vendors can also change these resource locations over time, requiring ongoing maintenance. This is the biggest difference in setting up the onboarding SSIDs, as our Advanced Onboarding Service requires a much less complex Walled Garden / firewall setup.

How Advanced Onboarding Works / Set up

Our Advanced Onboarding Service is incredibly easy to set up, as most of the heavy lifting is done by our engineers. The key differences are that the onboarding SSID needs to authenticate against a RADIUS server, and the Walled Garden setup is much less complex. Below are the general steps for setting it up.

  • Set up an open SSID on your wireless AP/controller
  • Configure redirect to the SecureW2 Advanced Onboarding Service landing page
  • Configure RADIUS authentication
  • Set up a Walled Garden
    • SecureW2 resources

Organizations must specify a redirect URL for their captive portal and point the onboarding SSID’s authentication to a RADIUS server. Setting up and configuring a RADIUS server is the area where the Advanced Onboarding configuration can be more complex. However, SecureW2 products come with a RADIUS server already set up, simplifying the process.

While users authenticate against the RADIUS server, the process is completely hidden from them and they continue with their usual authentication flow. Once authenticated, the limited browser is automatically closed and the user is redirected to the SecureW2 landing page in a normal browser, where the mobileconfig (iOS), Cloudconfig (Android), or DMG (macOS) can be downloaded.

The authentication process is simple. First, SecureW2 allows the end user to perform layer 3 authentication within the limited browser, but only for a limited amount of time. Based on trials and gathered data, we’ve found that 300 seconds is sufficient for the authentication process to complete while limiting the end user’s ability to abuse the SSID.
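As an added example (not SecureW2's code), here is how a RADIUS server can express the 300-second window as a Session-Timeout attribute in an Access-Accept, together with the NAS-side check of the Response Authenticator per RFC 2865. It assumes the timeout is conveyed with the standard Session-Timeout attribute (the page does not say how SecureW2 enforces the limit), and the shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2           # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27        # attribute type: seconds of access granted, 4-octet integer
ONBOARDING_WINDOW = 300     # the 300-second window described on the page

def attribute(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_accept(identifier, request_authenticator, secret, timeout=ONBOARDING_WINDOW):
    """Build an Access-Accept that caps the session at `timeout` seconds.
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    attrs = attribute(SESSION_TIMEOUT, struct.pack("!I", timeout))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs

def verify_access_accept(packet, request_authenticator, secret):
    """NAS-side check: the reply was produced by a holder of the shared secret and not altered."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)

def session_timeout_of(packet):
    """Walk the attribute list and return Session-Timeout in seconds, or None if absent."""
    attrs = packet[20:]
    while len(attrs) >= 2:
        atype, alen = attrs[0], attrs[1]
        if alen < 2:
            return None     # malformed length; stop rather than loop forever
        if atype == SESSION_TIMEOUT and alen == 6:
            return struct.unpack("!I", attrs[2:6])[0]
        attrs = attrs[alen:]
    return None

# Constructed values so the block runs stand-alone (not real credentials)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET)
    print("timeout:", session_timeout_of(pkt), "valid:", verify_access_accept(pkt, REQUEST_AUTH, SECRET))
```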