Using a combination of Mobile Accounts with Local Home Folders and RADIUS Server with WPA2 Enterprise Security, an office of any size with a Mac OS X Server can provide employees with a single username and password for authentication to a variety of networks and devices:
- Local Workstations
- Company Servers
- Company Wireless Network
- Company VPN
We're continually investigating ways to enhance the end-user experience for our clients as well as the security of the networks we manage. Two features that help in this area are built in to Mac OS X Server.
1. Mobile Accounts with Local Home Folders
A Mobile Account is a type of local user account that’s tied to a server (Open Directory or Active Directory) so that the username and password for logging in to the workstation and authenticating to the server are the same. The immediate benefit is that instead of managing two accounts, there is only one account per user to manage. We like the Local Home Folders option because syncing with a Mobile Account on the server is not always reliable or user friendly. Another advantage is that the password-change policy can be automated so that the password...
- Is required to be changed at a specified interval.
- Must contain a certain number of characters.
- Must differ from account name.
- Must contain at least one number.
- Must contain a character that isn't a letter or number.
- Must differ from last x number of passwords.
- Or any combination of the above.
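An added example (not from the original page, and not how Mac OS X Server implements it) of evaluating the rules listed above when a user chooses a new password, with a history check that stores only salted PBKDF2 digests. The `Policy` fields, rule codes and sample passwords are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:  # hypothetical field names and values, chosen for this example
    min_chars: int = 8
    history_depth: int = 3                   # the "last x passwords"
    max_age: timedelta = timedelta(days=90)  # the "specified interval"

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Return (salt, digest) for the user's password history; no plaintext kept."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def violations(policy, account, candidate, history):
    """Return the code of every rule the candidate breaks; [] means accepted."""
    found = []
    if len(candidate) < policy.min_chars:
        found.append("too_short")
    if candidate.lower() == account.lower():
        found.append("same_as_account")
    if not any(c.isdigit() for c in candidate):
        found.append("no_number")
    if all(c.isalnum() for c in candidate):
        found.append("no_symbol")
    # history[-0:] would return the whole list, so depth 0 is handled explicitly
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if any(hmac.compare_digest(_digest(candidate, s), d) for s, d in recent):
        found.append("reused")
    return found

def change_due(policy, last_changed, now):
    """True once the password is older than the policy's maximum age."""
    return now - last_changed >= policy.max_age

if __name__ == "__main__":
    # Constructed sample data: account "jsmith" with four earlier passwords.
    past = [remember(p) for p in ("Spring#2023", "Summer#2023", "Autumn#2023", "Winter#2023")]
    for attempt in ("jsmith", "Winter#2023", "Spring#2023", "c0rrect-Horse"):
        print(attempt, violations(Policy(), "jsmith", attempt, past) or "accepted")
    print("change due:", change_due(Policy(), datetime(2024, 1, 1), datetime(2024, 4, 1)))
```

With a history depth of 3, the oldest of the four stored passwords is accepted again, which is the trade-off the "last x" setting controls.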
2. RADIUS Server with WPA2 Enterprise Security
In most offices, if an employee leaves the company, there is often a need to change the wireless network password because everyone uses the same password to connect to the wireless network. A change like this affects every person and every device in the office.
If authentication to the wireless network is tied to the server's list of usernames and passwords (via RADIUS), then everyone authenticates to the wireless network using the same credentials they use to log in to their computers and connect to the servers. Each employee has a unique username and password so if they leave the company their account — and access to company resources — can be terminated quickly and easily without affecting anyone else.
A Cisco VPN security device can also be tied to a RADIUS Server so that the same username and password used to gain access to workstations, servers, and the wireless network is also used for secure remote access to the office when traveling or working from home.
Additionally, with an Apple Airport Extreme Base Station, a Guest Network can be configured that allows office visitors full Internet access but disallows access to the company network and confidential information that lives on the server.
Please contact us if you have any questions or feedback.