Single sign-on by 802.1X
NxFilter supports single sign-on by 802.1X Wi-Fi authentication with its built-in RADIUS accounting server.
You can have single sign-on for smartphones and other mobile devices in your network. Since you can
import users and groups from Active Directory, Google G Suite LDAP you can have your users to be appeared
on NxFilter with their AD or Google usernames.
How it works
We use RADIUS accounting protocol to pick up usernames from Wi-Fi authentication. NxFilter works as a RADIUS accounting
server and you need to set your Wi-Fi router to send RADIUS accounting requests to NxFilter.
One thing to note is that NxFilter doesn't do RADIUS authentication by itself. You do RADIUS authentication with your own
authentication server. If you are in an Active Directory environment, your authentication server would be your Windows
Network Policy Server.
GUI Options
After changing these option on GUI, you have to restart NxFilter.
- Accounting Port
The port to which you receive RADIUS accounting requests. We use UDP/1813 at default.
- Shared Secret
Shared secret string for your Wi-Fi router to communicate with NxFilter.
- Enable Logout
Destroy user login session when the status type of an accounting request is 'Stop'.
- Auto-register for New User
When there's an unknown username to NxFilter you can create a user automatically with the unknown username.
- Default Group for New User
You can set a default group for the newly created users.
- Local Domain
When you recive usernames in an email form (uname@mydomain.loal) you can specify domains to remove. At default,
NxFilter removes the domain part from an email form username always.
- Use RADIUS
Run RADIUS account server.
Active Directory integration
Firstly, import users and groups from your Active Directory on 'User > Active Directory'.
After that, you need to set up NxFilter's integrated RADIUS accounting server on 'User > RADIUS'.
Mostly you don't need to change anything on there except Shared Secret.
Lastly, you implement 802.1X authentication with your Wi-Fi router and Windows NPS (Network Policy Server).
This is the capture image of our NPS setup.
And the below is the capture image of our Unifi router setup.
Delay for the first contact
There will be several seconds of delay for getting the first RADIUS accounting request after a user logged in by Wi-Fi authentication.
One problem is that your users might get blocked by NxFilter as unauthenticated users. The solution is to create a default user associating
an IP range covering all the IP addresses in your network. Your Wi-Fi authenticated users will be appeared as the default user
for several seconds before NxFilter receiving the first RADIUS accounting request and then they will be appeared with their own usernames.
Auto-register for new users
You may have some guest users temporarily using your network through 802.1X Wi-Fi authentication by a third party authentication service like Eduroam.
They are not in your user database, but they are authenticated users. You want to allow them to use your network but monitor them with their usernames and
apply a policy to them as a group. If you have only small number of visitors, you can do this by issuing temporary usernames to these guest users. But
if there are hundreds of them coming and going, you don't want to do it manually.
For this kind of situation, we have 'Auto-register for New User' option. With this option enabled, when NxFilter
finds a new username in an RADIUS accounting request, it will create a user with the username. You also can set a default group
for these new users with 'Default Group for New User' option.
However, before you enable 'Auto-register for New User', there's one thing to think about.
These visitor users most likely use email form usernames like 'uname@visitor.com' to differentiate themselves from other organization users. However,
NxFilter strips out the domain part of an email form username at default. To keep the domains in these visitor usernames, you can specify Local Domain.
If you specify Local Domain, NxFilter removes only the specified domains.