There are a number of excellent wireless access point (WAP) manufacturers on the market today. One of the leading brands in this space is Ruckus; competitors in this market also include Meraki and Aruba. Brand names aside, many of JumpCloud®’s customers use Ruckus WAPs alongside their cloud RADIUS service. In this article, we will discuss VLAN steering with Ruckus and how it benefits you and your organization.
Many IT organizations are looking to step up their network security and have already done so by leveraging JumpCloud’s RADIUS-as-a-Service platform. Simply put, the cloud RADIUS service authenticates users individually to the WiFi network with their core identities (aka the ones they use to access their system), which could be the same as those in G Suite™ or Office 365™. This approach to network security is a significant improvement over a shared SSID and passphrase.
Network Segmentation and VLAN Steering
The next step in the network security strategy many are taking is to dynamically place users in separate virtual local area networks (VLANs). Wireless access point manufacturers such as Ruckus provide the ability to segment the network into different VLANs. This segmentation essentially creates independent networks, all within an individual LAN. Further, manufacturers enable those VLANs to be tagged, so users can be dynamically assigned to the proper tags (network segments) when they authenticate via the RADIUS protocol. The benefit of this approach is increased security and control, because it limits what users can see and access on the network. Ideally, users have access only to what they need and nothing more. Overall, it’s a reduction in the attack surface of a network, for if one segment were compromised, the entire network would not be at risk.
Integration Work and Considerations
This all sounds great in theory, but what about in practice? While Ruckus and other network gear manufacturers continue to make it easier and easier to create VLANs, the overhead of integrating FreeRADIUS and the identity provider (generally an OpenLDAP™ or Microsoft® Active Directory® implementation) can be a deterrent to (Read more...)