Authentication, Authorization and Mobility in Openflow-enabled Enterprise Wireless Networks

Large-scale 802.11 wireless networks may benefit from Openflow deployment on its Access Points and other forwarding devices combined with centralized management of data flows on an Openflow controller. The reason is that services such as authentication or routing can be provided in an easier way and more efficiently when operating on a full view of the network rather than dealing with distributed state on the individual devices. The interaction of Openflow with mechanisms in wireless networks such as authentication, authorization and mobility of clients may yield new possibilities such as enabling roaming between APs or networks, enhancing handover or providing alternate means of authentication. For instance, computing a set of neighboring APs that the client frequently roams to may enable faster handover due to preauthenticating the station with the neighbors before roaming. The present student project report aims to explore ways to incorporate Openflow into an enterprise wireless network. It presents three examples of an Openflow-enabled architecture in terms of authentication, authorization and mobility. Furthermore, it describes the deployment of a prototype of one of these architectures in the Berlin Open Wireless Lab (BOWL) testbed, substituting the Linux bridge with the implementation of an Openflow-enabled virtual switch. Correct behavior in terms of authentication, authorization and handover were validated and an unexpected issue of flooding 802.1x frames was observed and corrected. This work is a proof-of-concept of how Openflow can be deployed in an enterprise Wireless network and proposes alternative architectures that require more implementation work, but enable features such as authentication to an arbitrary server and load balancing.