
Network Access Overview

Atrium's network access feature provides automated guest WiFi provisioning with full session lifecycle management. When a visitor checks in, they receive time-bound WiFi credentials. When they check out or their visit expires, their active WiFi sessions are terminated on the firewall.

This feature requires the Atrium Agent — an on-premises container that handles RADIUS authentication and firewall communication. Without an Agent, Atrium still generates WiFi credentials at check-in, but they won't authenticate against any network.

Three separate concerns

Network access in Atrium involves three distinct concerns with different reliability characteristics. Understanding this separation helps with troubleshooting and architecture decisions.

1. Authentication (RADIUS)

When a visitor's device connects to the guest WiFi network, the WiFi controller (access point, WLC) sends a RADIUS Access-Request to the Atrium Agent. The Agent checks the username and password against its voucher store and responds with Access-Accept or Access-Reject.

Reliability: High. The Agent keeps all active vouchers in memory. RADIUS authentication is fast (sub-millisecond) and doesn't depend on the Atrium Server being reachable at the moment of authentication.

2. Session tracking (IP mapping)

After authentication, the WiFi controller sends RADIUS Accounting messages to the Agent. These messages report the IP address assigned to the visitor's device. The Agent forwards this information to the Atrium Server, which maps IP addresses to visitors.

Reliability: Medium. Depends on the WiFi controller sending Accounting messages correctly. Some controllers don't send them, send them late, or use non-standard formats. IP mapping is useful for session termination and monitoring but isn't critical for basic WiFi access.

3. Session termination (CoA / Disconnect-Message / vendor API)

When a visit ends, the Atrium Agent sends a disconnect command to the firewall to terminate the visitor's active WiFi sessions. This uses either RFC 5176 Change of Authorization (CoA) / Disconnect-Message (DM) or vendor-specific REST APIs, depending on the firewall.

Reliability: Best-effort. Firewall implementations of CoA/DM vary significantly between vendors. Messages can be dropped, ignored, or partially processed. Atrium tracks termination results and surfaces failures, but cannot guarantee instant session termination. The firewall's own session timeout provides a fallback.
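The RFC 5176 Disconnect-Message exchange described above, as an added example that is not Atrium Agent code: it builds a Disconnect-Request and classifies the firewall's answer, including the dropped and refused cases. The username, IP address, shared secret and result labels are constructed for illustration, and build_reply exists only to produce sample firewall replies.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
USER_NAME, FRAMED_IP_ADDRESS, ERROR_CAUSE = 1, 8, 101            # attribute types

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident, secret, username, ip):
    """Disconnect-Request naming the session by User-Name and Framed-IP-Address."""
    attrs = attr(USER_NAME, username.encode()) + attr(FRAMED_IP_ADDRESS, bytes(map(int, ip.split("."))))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator: MD5(header + 16 zero octets + attributes + shared secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_reply(code, request, secret, attrs=b""):
    """Constructed firewall reply, used here only as sample input."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def error_cause(attrs):
    """Return the Error-Cause value from a NAK's attributes, or None if absent."""
    i = 0
    while i + 2 <= len(attrs) and attrs[i + 1] >= 2:
        if attrs[i] == ERROR_CAUSE and attrs[i + 1] == 6 and i + 6 <= len(attrs):
            return struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += attrs[i + 1]
    return None

def classify_reply(reply, request, secret):
    """Turn a reply (None = no answer before timeout) into a termination result."""
    if reply is None:
        return "timeout"
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed"
    # Response Authenticator is keyed to this request's authenticator and the secret.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return "unauthenticated"
    if reply[0] == DISCONNECT_ACK:
        return "terminated"
    if reply[0] == DISCONNECT_NAK:
        return f"refused (Error-Cause {error_cause(reply[20:])})"
    return "unexpected"
```

RFC 5176 assigns UDP port 3799 to these messages. Only the "terminated" result confirms that the firewall acted on the request; every other result leaves the session to the firewall's own timeout.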

Component diagram

┌─────────────────────────┐
│     Visitor Device      │
│ connects to guest WiFi  │
└────────────┬────────────┘
             │ WiFi association
             ▼
┌─────────────────────────┐
│  WiFi Controller / AP   │
│(customer infrastructure)│
└────┬──────────────┬─────┘
     │ RADIUS       │ RADIUS
     │ Access-Req   │ Accounting
     ▼              ▼
┌─────────────────────────┐      ┌───────────────────┐
│ Atrium Agent            │◄────►│ Atrium Server     │
│ • RADIUS server         │ WSS  │ • Voucher mgmt    │
│ • Session tracker       │      │ • Visit lifecycle │
│ • Firewall adapters     │      └───────────────────┘
└────────────┬────────────┘
             │ CoA/DM or
             │ vendor API
             ▼
┌─────────────────────────┐
│    Customer Firewall    │
│ (Palo Alto / Fortinet / │
│  Cisco / Sophos)        │
└─────────────────────────┘

Voucher lifecycle

WiFi credentials (vouchers) follow a simple lifecycle:

  1. Created — When a visitor checks in, the server generates a voucher (username + password + TTL) and pushes it to the Agent.
  2. Active — The voucher is in the Agent's RADIUS store. The visitor can authenticate.
  3. Revoked — When the visit ends (check-out or expiry), the server sends a revocation command to the Agent. The voucher is removed from the RADIUS store. New authentication attempts are rejected.
  4. Expired — If a voucher's TTL expires (matching the visit's expected departure), it's cleaned up automatically.

For details, see Voucher Lifecycle.

What you need

To use Atrium's network access feature, you need:

  1. An Atrium Agent deployed on your local network (see Agent Deployment).
  2. Your WiFi controller configured to use the Agent as its RADIUS server.
  3. A firewall adapter configured for your firewall model (see Firewall Adapters).
  4. The wlan_guest_access entitlement enabled in your license tier.

Without the Agent, Atrium still displays WiFi credentials on the kiosk and dashboard, but they won't work on any network.