Advanced Wireless LAN Security

Advanced, location-aware access control with dynamic authorization for all wireless users and devices.

SmartPass is a security management application that gives network managers full control over client access to the wireless LAN. Network managers can fine tune network access and authorization to an extent never before possible, both for primary users and guests.

SmartPass is a huge time-saver for organizations that have a constantly changing user base, e.g. schools, universities, hospitals and hospitality.

In addition, for enterprises with lots of visitors who would like wireless access, SmartPass provides non-IT staff with the means to safely provision many hundreds of guests, on demand, and without distracting or tying up scarce IT resources.

SmartPass is an entire software platform and ecosystem, which works seamlessly with other Trapeze components such as the LA-200E Location Appliance and the award-winning RingMaster management suite.

Beyond Identity-based Networking

Trapeze Networks pioneered Identity-Based Networking on wireless LANs and has several fundamental patents related to managing session keys across distributed databases spanning multiple WLAN controllers. These innovations resulted in reliable, seamless campus-wide layer-3 roaming across APs, even when the APs are managed by different controllers. In short, the identity follows the client anywhere it roams - indoors, outdoors, wherever.

With time, however, it has become clear that the unique elements of mobility, combined with the shared-media nature of Wi-Fi, call for even more intelligent management of the privileges extended to different users. Privileges should not be set once and then forgotten. Instead they should be adjusted dynamically, based not only on who the users are, but also on where they are, what they are doing, what time/day it is, and ultimately upon what others around them are doing too.

Once again, Trapeze is first to recognize and address this need, and does so in a standards-based way, which takes advantage of existing RADIUS infrastructure.

Dynamic Authorization

With SmartPass, you not only permit or deny access based on user identity, but can also change authorization attributes – what resources the user has access to – on the fly, based on changing conditions.

SmartPass works with your other networking infrastructure equipment, such as RADIUS, to enable you to change access to network resources for users based on dynamically changing conditions or events. Such conditions include the user’s physical location or change in location, the user’s SSID (wireless network name), roaming to a new access point, or meeting certain conditions from RADIUS accounting, such as session life or amount of traffic passed. A user’s access privileges can be adjusted during the middle of a networking session if desired.

Access Control Policies

SmartPass uses sophisticated Access Control Rules (ACRs) or “policies” to enact dynamic authorization. With ACRs the IT manager has extensive flexibility over how they control and change access for a user. Using a standards-based approach (RFC 3576), SmartPass augments the existing RADIUS server to change the client’s access to various network resources based on location, time of day, user identity, SSID, VLAN, accounting data, and more.

SmartPass can change authorization attributes even during active networking sessions, and invoke ACRs on demand, via the WEB API from another application, or by time or date via the built-in scheduler.

Location Integration

An essential ingredient for enabling location-aware policies is instantaneous access to accurate up-to-the-minute positioning data for any client. SmartPass is the only wireless Access Control software that is seamlessly integrated with location. It uses positioning information obtained from the Trapeze LA-200E Location Appliance to allow access control and dynamic authorization based on a user’s physical location.

The LA-200E provides real time location positioning for any Wi-Fi device accurate to within three meters. SmartPass adds location information to the user’s RADIUS accounting data enabling the network manager to invoke policies such as accept/deny, change bandwidth, or change allowed resources based on the physical location or “locale” of the client.

Safe, Flexible Guest Provisioning

SmartPass provides industry leading guest access functionality with precise control by time-of-day, day-of-week, date range, and duration. It includes pre-defined profile templates for different guest types, including guest passes for 1 hour, 12 hour, 24 hour, 5 days, 5 days - Business hrs only, and offers the ability to create custom templates. SmartPass also provides the ability to create guest accounts in bulk, with intuitive or random usernames. A pre-existing list of usernames can be imported.

Easy to Use for Non-technical Staff

Guest access is one of the most prevalent applications of wireless networking. Yet most wireless guest access solutions are so cumbersome and impractical that enterprises are torn between squandering IT resources to provision restricted guest access, and an even worse alternative, simply offering unsecured “open” network access 24/7, potentially making their network a perfect host from which someone could mount a malicious attack on someone else or merely choke your internet connection.

In contrast, SmartPass is so easy to use, any organization can plug this security hole, without burdening IT staff. In fact, it allows you to offload provisioning to non-IT staff, and avoid it becoming a disruptive network administrator chore. A highly intuitive, easy-to-use interface completely shields front-desk personnel from the underlying complexities of network access control.

Non-technical staff — such as receptionists and clerks — can easily and quickly provision guest access accounts on demand, without requiring any networking knowledge. This is because unlike most other wireless guest management systems, the guest records are stored in a central database, not in the WLAN. For added convenience, different provisioners can be assigned to manage only certain guest types, and cannot alter the guest accounts created by their peers.

Saves Time for Employees Too

One of the biggest challenges with enabling guest access has nothing to do with how network security is actually enforced, and everything to do with the workflow required to provision guests in a timely manner.

Provisioning Guest access is a daily task. Visitors come and go by the hour, and the demand for wireless access will only increase. Hence, huge productivity savings can be made if the task is made as simple as booking a meeting room.

In most businesses, visitors or guests do not randomly appear at the front door. No, typically they are invited by an employee. So, if employees can book meeting rooms themselves, why not let them grant limited access to their guests, as well. SmartPass makes use of RADIUS credentials for internal users, to safely give them self-service Guest provisioning. No other Guest access solution offers this flexibility or operational efficiency.

And it's perfectly safe, because it is still IT who ultimately defines the security profiles for different guest types and chooses whether or not to empower regular employees with limited rights to grant Guest access.

SmartPass allows employees to grant access themselves and be done with it, in less time than it takes them to inform the Front Desk, or worse to burden IT with such a trivial task.

Guest Credential Notification

In addition to printing labels and company-branded login instructions showing the guest credentials, SmartPass also allows for Email and Text (SMS) notifications to the guest at the time the guest account is set up. This eliminates manual transcription, removes the risk of errors, and improves productivity both before and during the guest’s visit. Consider how often meeting time is wasted while participants wait for one person - the guest - to get online.

Scalable Centralized Architecture

Different from other solutions, which write each guest account to every WLAN controller’s local database, SmartPass uses a centralized guest account database. While other solutions actually change controller configurations— by adding, modifying, or deleting guest credentials on individual WLAN controllers throughout the network—SmartPass never stores guest data to any WLAN controller. This centralized approach is not only cleaner and more efficient, it is also more reliable. That’s because it prevents potentially harmful configuration changes from being made to critical network hardware by individuals with no domain expertise, and ensures that all access security operates independently of which controllers are in service.

No longer tied to the WLAN Controller platform, SmartPass also scales exceptionally well. With up to 10,000 users per SmartPass server, SmartPass is ideal for conventions, universities, hospitality, healthcare and large enterprise.

Centralized Captive Portal

Another advantage of the centralized architecture is the way “Captive portals” are managed. Captive portals are a popular way to manage network access en masse, when IT does not have authority or control over client devices.

With other vendors’ access control systems the web page and other components of the captive portal are tied to the controller hardware - in the same way as guest records are local. Each WLAN controller has its own local copy of the captive portal. Consequently, once you have more than a few controllers, this becomes a maintenance headache, with the smallest change requiring replication on every controller. In contrast, the SmartPass server keeps only one instance of the Captive Portal, which is served up to any user at any location, regardless of which controller is managing the users’ authentication.

The centralized architecture also has a direct impact on the cost of SSL Certificates. Instead of needing one per controller, only a single certificate is needed on the SmartPass server.

Session Persistence for Handhelds

With the increased adoption of handheld mobile devices, session continuity is becoming a growing problem. In an effort to preserve battery life, many devices implement a “sleep” mode that results in the client losing its session and dropping off the network. So when the user wakes up the device, they often have to log in to the captive portal all over again to access all their applications. For security-sensitive applications such as Electronic Medical Records which time out quickly, this is particularly annoying to users, as the applications themselves often time out the moment the client session is inactive. Trapeze has solved this problem by maintaining a form of device cookie which is used to maintain wireless session persistence.

Open APIs for System Integration

SmartPass is designed to work with external applications such as credit card billing, guest registration, facility management, and custom reporting systems. This allows ad-hoc granting of secure wireless access to be safely automated within other business processes. SmartPass ships with published, open, standards-based, Web-based Application Programming Interfaces (APIs) to make it easy to integrate its functionality with other systems. Likely 3rd party applications for such integration include credit card billing systems, facility management systems, hospitality registration systems, IPS/IDS systems and custom reporting systems.

RADIUS Accounting and Reporting

SmartPass uses standards-based RADIUS accounting to calculate and utilize per user statistics including lifetime session counts and total traffic passed for session. Reports can be generated based on these statistics in SmartPass or RingMaster or from a 3rd party application.

Unified Services Management

As wireless LANs become more pervasive, there is a growing need to bring services together under common management, so they can leverage their collective network intelligence.

SmartPass is now tightly integrated with RingMaster. This enables user, location information and activity history to be correlated, which allows all manner of custom reporting and visualization capabilities not previously possible with either tool on its own. Simple examples include: Show me the current location of all guests; Report all users with call detail records between 10am and 11:00am yesterday.

In future, wired policy managers will be able to use RFC 3576 and emerging standards such as IF-MAP to combine policies across both wired and wireless networks and tap into unified mobility services.

Key Applications

The applications for such granular and dynamic access control are unlimited but are illustrated in the following examples.

Prevent Students from Cheating

A professor giving a test from 2pm - 3pm in Classroom 230 has the ability to change wireless access for students instantly to deny access to the Internet during that time from that specific location. At the professor’s option, the students could still have access to relevant classroom materials on the LAN.

Restrict Corporate Guest Access

A large company wants to provide a hired consultant access to the Internet and certain LAN resources but only while working in an assigned building or areas of the building. If the consultant tries to access the network from another location, he will be denied access even with valid log-in credentials.

Lock-Down Bandwidth Abuser

A user on the network is consuming an excessive amount of bandwidth. After a utilization threshold is crossed within a time window, SmartPass throttles down bandwidth and priority for that user. For example, a rule can be set that for any given user, after 10 MB of download in any given hour, the user is restricted to only 100 Kbps maximum.

Provide “Free” Access in Lobby

In Hotels, Wi-Fi access is fast becoming an expected service. SmartPass makes it possible for Hotel management to offer tiered services based on where someone is, or perhaps based on the accommodation or conference package they purchased. For example, one could offer FREE rate-limited access in public areas, while offering higher-bandwidth services for a daily rate in rooms, while simultaneously offering a metered service for conference attendees.

Extra Security for Sensitive Networks

All users can be prevented from accessing the network from unauthorized locations even with legitimate credentials. This adds an extra layer of security against offsite attackers who may have stolen legitimate credentials, e.g., “the parking lot hacker”.