NetServer Architecture

The Authentication Cycle

Access requests sent over the iPass network travel a complete cycle from the remote endpoint to the corporate site. The complete cycle, illustrated here, works as follows:

  1. A remote user connects to an iPass-enabled network provider with the Open Mobile client.
  2. The request is sent using the RADIUS protocol to a Network Access Server (NAS) at the provider site, where it is authenticated against the local AAA server and determined to belong to an iPass customer.
  3. Depending on the configuration, either the NAS or the AAA server forwards this information through RADIUS (UDP) to the NetServer, which sorts the requests and identifies valid iPass users. These packets are translated into the iPass protocol using Secure Sockets Layer (SSL) encryption before the NetServer transmits them to one of the iPass Transaction Centers.
  4. The iPass Transaction Center verifies whether the NetServer from which it received the request is configured as a valid source IP address in its database. If not, it rejects the request.
  5. The Transaction Center records the user's authentication request and examines the realm to determine whether it is registered to an iPass customer account. If the realm is valid, the user's credentials are forwarded to an iPass RoamServer at the associated provider or corporation for authentication.
  6. At the corporate or provider site, the RoamServer receives each user authentication or accounting request, decrypts and translates the packet to the native authentication protocol (RADIUS, TACACS+, LDAP, etc.), and forwards it to the local AAA server for authentication and authorization.
  7. After the AAA server has authenticated the user, the response packet is sent back to the RoamServer to be re-encrypted, before it is returned through SSL to the iPass Transaction Center and back to the NAS at the iPass provider site where the request was initiated.
  8. If the session is authorized, the provider's NAS establishes a PPP session, assigning the user an IP address, default gateway, and a DNS server address, granting access to the Internet.
  9. To access resources behind the company's firewall, the remote user initiates a virtual private network (VPN) client and enters a second password to obtain authorization for access to the corporate network. Once authorized, the VPN creates a tunnel between the user and the corporate network to allow encrypted data to travel securely over the Internet.
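The two decisions the Transaction Center makes in steps 4 and 5 (is the request from a trusted NetServer source address, and does the realm belong to a registered customer) and the RoamServer hand-off to the local AAA server in steps 6 and 7 are modelled below. This is an added illustrative example, not iPass code; the trusted NetServer addresses, realm-to-RoamServer mapping and AAA user tables are constructed sample data, and the string return values are this example's own convention.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed sample data (not from iPass): NetServers whose source IP the
# Transaction Center accepts (step 4), and realms registered to customers
# together with the RoamServer that fronts each customer's AAA (step 5).
TRUSTED_NETSERVERS = {"203.0.113.10", "203.0.113.11"}
REALM_ROAMSERVERS = {"corp.example": "roamserver.corp.example",
                     "isp.example": "roamserver.isp.example"}
# Constructed local AAA credential stores behind each RoamServer (steps 6-7).
AAA_DB = {"roamserver.corp.example": {"alice": "s3cret"},
          "roamserver.isp.example": {"bob": "hunter2"}}


@dataclass
class AuthRequest:
    netserver_ip: str  # source address the Transaction Center sees
    username: str      # decorated as user@realm
    password: str


def split_realm(username: str) -> Optional[Tuple[str, str]]:
    """Return (user, realm) for 'user@realm'; None if no single realm."""
    if username.count("@") != 1:
        return None
    user, realm = username.split("@")
    return (user, realm.lower()) if user and realm else None


def roamserver_authenticate(roamserver: str, user: str, password: str) -> bool:
    """Steps 6-7: the RoamServer asks its local AAA server to verify."""
    return AAA_DB.get(roamserver, {}).get(user) == password


def transaction_center(req: AuthRequest) -> str:
    """Steps 4-5: check the NetServer source, then route on the realm."""
    try:
        src = ip_address(req.netserver_ip)
    except ValueError:
        return "reject: malformed source address"
    if str(src) not in TRUSTED_NETSERVERS:
        return "reject: unknown NetServer source address"   # step 4
    parts = split_realm(req.username)
    if parts is None:
        return "reject: username lacks a realm"
    user, realm = parts
    roamserver = REALM_ROAMSERVERS.get(realm)
    if roamserver is None:
        return "reject: realm not registered to a customer"  # step 5
    if roamserver_authenticate(roamserver, user, req.password):
        return f"accept via {roamserver}"
    return "reject: AAA denied credentials"
```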



©2015 iPass Inc. All rights reserved.