- Introduction
- Ⅰ. Pain Points of Traditional Authentication
- Ⅱ. Unified Control with the Built-in Authentication Server
- Ⅲ. Multiple Authentication Methods in ASE
- Wireless 802.1X Authentication under the ASE Engine
- MAC-priority Portal Authentication
- Seamless Identity Integration via OAuth
- Ⅳ. User Experience and Advanced Features of ASE
- Seamless User Roaming
- Comprehensive RESTful API
- Zero-Code Customizable Portal Pages
- Ⅴ. Case Study: Seamless Network Access in Large Building
- Ⅵ. Building a Manageable and Always-On Network
Introduction
In the process of enterprise digital transformation, network boundaries are becoming increasingly blurred. Traditional perimeter-based security can no longer address challenges such as mobile work, the rapid growth of IoT devices, and hybrid cloud architectures.
Asterfusion uses the built-in authentication server in the Asteria OpenWiFi Controller to implement unified security management for wireless, wired, and PON networks.
Ⅰ. Pain Points of Traditional Authentication
Traditional AAA (Authentication, Authorization, and Accounting) solutions often create significant operational overhead:
Fragmented configuration: The authentication server (RADIUS), switches, and wireless controllers (AC) are usually managed separately. Adding a VLAN or modifying a policy requires logging in to many devices and entering commands manually. This process is error-prone.
Inconsistent policies: Wired access uses 802.1X. Wireless networks use WPA2-Enterprise. Guest access relies on a Portal. Accounts are not shared across these methods. Permission assignment also follows different logic. This often results in inconsistent access rights for the same user.
Poor user experience: When employees move from their desks to meeting rooms, SSID changes or authentication timeouts may force them to log in again. Guest onboarding is often complex. In some cases, the IT team must distribute passwords manually.
Black-box operations: When users report connectivity issues, administrators must review logs from multiple devices. The problem may relate to the physical link, a RADIUS timeout, or an expired certificate. There is no unified diagnostic view. Administrators typically access several jump hosts over SSH to collect logs. Without global visibility, fault isolation can take hours.
Ⅱ. Unified Control with the Built-in Authentication Server
The built-in authentication server is the Asteria OpenWiFi Controller Security Authentication Engine (ASE).
It is not an isolated authentication server. It is deeply integrated into the Asteria OpenWiFi Controller platform. Authentication, access control, and policy management are unified in a single interface.
This controller + security engine architecture changes the traditional model. Operators no longer move between multiple independent systems during daily operations.
- Centralized Management and Modular Configuration
Unified configuration entry: Administrators no longer need to access devices through the console or SSH. Switch port settings, AP radio parameters, and ASE authentication policies are configured in the unified web interface of the Asteria OpenWiFi Controller.
Real-time configuration synchronization: After authentication parameters are defined in the controller, the system distributes them to access devices through standard management protocols. This ensures consistent policy deployment across the network and avoids configuration drift caused by manual operations.
- Full Lifecycle Visibility for Endpoints
This is the feature that most excites operators in the Asteria OpenWiFi Controller + ASE solution. Unlike traditional AAA systems, which only indicate “connected or not,” the controller provides full-session lifecycle insights.
Through the unified controller view, administrators can monitor all endpoints under each account:
Offline cause tracing (key highlight): When users report connectivity issues, the system does not just show a generic “offline” status. It accurately identifies the reason, such as authentication timeout, manual account logout, or disconnection due to low signal strength.
Real-time online monitoring: Administrators can see how many endpoints are associated with each account and which device, port, or SSID each endpoint is connected to.
Accurate timeline: The system records each endpoint’s connection and disconnection times, providing reliable data for security auditing and network asset planning.
Ⅲ. Multiple Authentication Methods in ASE
The built-in authentication server offers multiple authentication methods to balance user convenience and operational simplicity.
Wireless 802.1X Authentication under the ASE Engine
Similar to Portal authentication, 802.1X supports MAC Priority Authentication. Returning users can reconnect automatically without re-entering usernames or passwords.
Our APs support several enterprise-grade authentication methods, fully integrated with the built-in authentication server to complete the 802.1X workflow:
- WPA Enterprise
- WPA2 Enterprise (EAP-TLS)
- WPA3 Enterprise (EAP-TLS)
- WPA3-192 Enterprise (EAP-TLS)
The following describes only the 802.1X authentication workflow:
1. Link trigger and association
When an endpoint connects to an SSID configured in WPA Enterprise mode, the AP acts as a NAS (Network Access Server), intercepts unauthenticated traffic, and initiates an EAP session.
2. Identity encapsulation (RADIUS tunnel)
- Packet forwarding: The AP encapsulates the EAP packets from the endpoint into RADIUS Access-Request messages.
- Transmission to ASE: The AP sends the encapsulated packets over the network to the built-in authentication server (the ASE engine).
3. ASE decision engine: policy matching
Upon receiving the request, ASE performs dual verification:
- NAS parameter check: The built-in authentication server verifies whether the source AP’s IP and shared secret are in the whitelist.
- User identity verification: ASE checks the username/password (PEAP/MSCHAPv2) or client certificate (EAP-TLS) according to policies defined for the user group.
4. Dynamic authorization (key highlight)
After successful authentication, ASE returns an Access-Accept message with specific authorization attributes:
- Dynamic VLAN/Filter-ID: ASE assigns VLAN IDs or ACL rules (Filter-ID) in real time based on user identity.
- Enforcement: The AP applies the instructions, mapping the wireless connection to the correct business VLAN, achieving different access rights for different identities.
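To make steps 3 and 4 concrete, here is an added Python model of the ASE decision path (example code written for this article, not Asterfusion's implementation): the NAS whitelist check, the credential check for PEAP/MSCHAPv2 and EAP-TLS, and the Access-Accept attributes that carry the dynamic VLAN and Filter-ID. The whitelist, user groups and accounts are constructed, and the MSCHAPv2 check is simplified to a hash comparison.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed policy tables standing in for the ASE database; the vendor's real
# schema is not on the page, so these are assumptions.
NAS_WHITELIST = {"10.0.0.11": "ap-shared-secret-A"}      # NAS IP -> RADIUS shared secret
USER_GROUPS = {"engineering": {"vlan": 110, "filter_id": "eng-acl"},
               "guest": {"vlan": 900, "filter_id": "guest-acl"}}
USERS = {  # PEAP users carry a salted password hash; EAP-TLS users a client-cert fingerprint
    "alice": {"group": "engineering", "salt": "s1",
              "pw_hash": hashlib.sha256(b"s1:Secret1").hexdigest()},
    "bob-laptop": {"group": "engineering", "cert_sha256": "ab" * 32},
}

@dataclass
class AccessRequest:          # the fields of the RADIUS Access-Request that ASE decides on
    nas_ip: str
    shared_secret: str        # secret the AP signed the request with
    eap_method: str           # "PEAP-MSCHAPv2" or "EAP-TLS"
    identity: str
    password: str = ""        # simplification: real MSCHAPv2 is challenge/response inside TLS
    cert_sha256: str = ""     # SHA-256 fingerprint of the presented client certificate

def verify_credential(req, record):
    """Step 3, second check: verify the credential this user's record allows."""
    if req.eap_method == "PEAP-MSCHAPv2" and "pw_hash" in record:
        digest = hashlib.sha256(f"{record['salt']}:{req.password}".encode()).hexdigest()
        return hmac.compare_digest(digest, record["pw_hash"])
    if req.eap_method == "EAP-TLS" and "cert_sha256" in record:
        return hmac.compare_digest(req.cert_sha256.lower(), record["cert_sha256"])
    return False              # method not permitted for this user

def ase_decide(req):
    """Steps 3-4: NAS check, identity check, then dynamic authorization attributes."""
    expected = NAS_WHITELIST.get(req.nas_ip)
    if expected is None or not hmac.compare_digest(expected, req.shared_secret):
        return {"code": "Access-Reject", "reason": "NAS not whitelisted or bad shared secret"}
    record = USERS.get(req.identity)
    if record is None or not verify_credential(req, record):
        return {"code": "Access-Reject", "reason": "identity verification failed"}
    policy = USER_GROUPS[record["group"]]
    # RFC 2868 tunnel attributes carry the VLAN; Filter-Id (RFC 2865) names the ACL
    return {"code": "Access-Accept", "attributes": {
        "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(policy["vlan"]), "Filter-Id": policy["filter_id"]}}
```

A request from an AP that is not whitelisted is rejected before any credential is examined, which is the ordering the dual verification above implies.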
MAC-priority Portal Authentication
The core logic of MAC-priority Portal authentication is to attempt silent MAC authentication first, and fall back to Portal authentication if it fails. Once successful, the system automatically caches the MAC-to-user binding for seamless future access.
1. First-time access: from “silent failure” to manual completion
- Trigger and detection: When the endpoint associates with the AP, the AP sends a MAC-based authentication request to ASE.
- Status check: The built-in authentication server searches the RADIUS database for the MAC. As this is the first connection, the MAC is not found, and authentication fails.
- Address assignment: The endpoint receives an IP in the Guest VLAN, which only allows access to the authentication server. Pre-auth DHCP leases are typically short (e.g., 60 seconds) for login purposes.
- Forced redirection: When the endpoint initiates an HTTP request, ASE intercepts and redirects it to the Portal login page.
- Binding and disconnect: After the user completes Portal login, ASE records the MAC-to-user mapping and forces the endpoint to disconnect and reconnect, refreshing network authorization.
2. Subsequent access: from “recognition” to automatic authorization
- MAC match success: When the endpoint reconnects, ASE recognizes the MAC and authentication passes automatically. ASE assigns the endpoint to the appropriate VLAN.
- IP assignment: The endpoint obtains a DHCP lease in the authorized VLAN/subnet, usually with a longer duration (e.g., 1800 seconds).
Seamless Identity Integration via OAuth
Employees do not want to enter a separate password when connecting to Wi‑Fi after logging into tools like Feishu or DingTalk.
Through deep integration between the ASE and Logto (OAuth service), the system enables a “scan-and-connect” workflow. This simplifies access while maintaining consistent enterprise identity and permissions across the network.
- Traffic Redirection and Portal Trigger
After a user connects to Wi‑Fi, the AP intercepts unauthenticated traffic. The built-in authentication server displays a customized Portal page. The user clicks the “Feishu Login” button.
- OAuth Authorization Redirect
  - Redirect to Logto: ASE guides the user to the Logto-hosted login page.
  - Identity confirmation: The user approves authorization in the Feishu app. After verification, Feishu returns an Authorization Code to Logto.
- Token Exchange and Identity Synchronization
  - Processing by Logto: Logto requests an Access Token from Feishu and retrieves the user’s unique identifier (OpenID) and organizational information.
  - Callback to ASE: After validation, Logto securely notifies ASE via a callback. ASE now has the user’s verified corporate identity.
- Policy Activation and Network Access
  - Dynamic RADIUS delivery: ASE maps the user to the correct enterprise (based on the OAuth email domain in ASE user group management) and sends an Access-Accept message to the AP via RADIUS.
  - Permission binding: ASE assigns dynamic VLANs or Filter-IDs, ensuring employees from different enterprises join their respective corporate networks. Networks remain isolated across organizations.
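The exchange above, as an added Python simulation (example code for this article, not Logto's, Feishu's or Asterfusion's code): stub Feishu and Logto parties issue and redeem a one-time Authorization Code, and a stub ASE ties each login to a per-session state, then maps the verified e-mail domain to a user group and VLAN. The tenant table, the MACs and the rejection of unmapped domains are assumptions.

```python
import secrets

# Constructed tenant table (e-mail domain -> ASE user group -> VLAN); contents are assumptions.
TENANTS = {"acme.example": {"group": "acme", "vlan": 201},
           "beta.example": {"group": "beta", "vlan": 202}}

class FeishuStub:            # stand-in identity provider: issues and redeems one-time codes
    def __init__(self):
        self.codes = {}
    def approve(self, email, openid):     # user approves in the Feishu app -> Authorization Code
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"email": email, "openid": openid}
        return code
    def exchange(self, code):             # token exchange; a code can be redeemed only once
        return self.codes.pop(code, None)

class LogtoStub:             # stand-in OAuth service: redeems the code, then calls back into ASE
    def __init__(self, idp):
        self.idp = idp
    def handle_redirect(self, ase, state, code):
        return ase.oauth_callback(state, self.idp.exchange(code))

class ASE:                   # Portal side: per-login state, consumed once, then domain -> VLAN
    def __init__(self):
        self.pending = {}                 # state -> endpoint MAC awaiting authorization
    def portal_click_login(self, mac):    # step 1: user clicks "Feishu Login"
        state = secrets.token_urlsafe(16)
        self.pending[state] = mac
        return state
    def oauth_callback(self, state, claims):   # steps 3-4: verified identity -> RADIUS decision
        mac = self.pending.pop(state, None)    # unknown or replayed state: nothing to authorize
        if mac is None or claims is None:
            return {"code": "Access-Reject", "reason": "invalid state or code"}
        domain = claims["email"].rsplit("@", 1)[-1].lower()
        tenant = TENANTS.get(domain)
        if tenant is None:                     # assumption: unmapped domains are rejected
            return {"code": "Access-Reject", "reason": f"no user group for {domain}"}
        return {"code": "Access-Accept", "mac": mac, "group": tenant["group"],
                "Tunnel-Private-Group-ID": str(tenant["vlan"])}

def walkthrough():
    """Two employees of different tenants land in different VLANs; a replayed login is refused."""
    feishu, ase = FeishuStub(), ASE()
    logto = LogtoStub(feishu)
    s1 = ase.portal_click_login("aa:bb:cc:00:00:01")            # constructed endpoint MACs
    r1 = logto.handle_redirect(ase, s1, feishu.approve("alice@acme.example", "ou_alice"))
    s2 = ase.portal_click_login("aa:bb:cc:00:00:02")
    r2 = logto.handle_redirect(ase, s2, feishu.approve("bob@Beta.example", "ou_bob"))
    replay = logto.handle_redirect(ase, s1, "already-used-code")  # state and code both consumed
    return r1, r2, replay
```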
Ⅳ. User Experience and Advanced Features of ASE
Seamless User Roaming
Logic principle: After an endpoint successfully authenticates for the first time, ASE records its MAC address, authentication status, and authorization attributes in the database.
Operational value: Within the configured session duration, if the endpoint temporarily disconnects and reconnects (e.g., roaming across APs in the campus), the AP queries ASE via MAB (MAC Authentication Bypass). The built-in authentication server matches the existing session and directly applies the stored authorization, so the user does not need to re-authenticate via 802.1X or Portal.
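Both the MAC-priority Portal workflow above and the roaming behaviour just described rest on the same cached MAC-to-user binding, so here is one added Python model covering both (example code for this article, not ASE's implementation): MAB first, Portal fallback, automatic acceptance on reconnect within the session, and a return to the Portal once the session duration has elapsed. The account, the 8-hour session duration and the MAC are constructed.

```python
import hmac
import time

GUEST_VLAN, GUEST_LEASE = 900, 60     # pre-auth: reach only the Portal, short DHCP lease
AUTH_LEASE = 1800                      # post-auth DHCP lease (values quoted on the page)
SESSION_SECONDS = 8 * 3600             # assumed session duration; ASE's real default is not on the page
USERS = {"alice": {"password": "Secret1", "vlan": 110}}   # constructed account data

class MacPriorityEngine:
    """Models ASE: silent MAB first, Portal fallback, then a cached MAC-to-user binding."""
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so session expiry can be exercised
        self.bindings = {}             # mac -> {"user", "vlan", "expires"}
        self.events = []               # audit timeline: (mac, event, detail)

    def mab_request(self, mac):
        """The AP asks ASE to authenticate by MAC when the endpoint associates or roams."""
        b = self.bindings.get(mac)
        if b and b["expires"] > self.now():
            self.events.append((mac, "mab-accept", b["user"]))
            return {"result": "Access-Accept", "vlan": b["vlan"], "lease": AUTH_LEASE}
        if b:                          # stale binding: evict it and record the offline cause
            del self.bindings[mac]
            self.events.append((mac, "offline", "session timeout"))
        self.events.append((mac, "mab-reject", "unknown MAC, redirect to Portal"))
        return {"result": "Access-Reject", "vlan": GUEST_VLAN, "lease": GUEST_LEASE}

    def portal_login(self, mac, user, password):
        """Portal fallback: on success bind MAC to user and force a reconnect."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            self.events.append((mac, "portal-reject", user))
            return {"result": "login-failed"}
        self.bindings[mac] = {"user": user, "vlan": rec["vlan"],
                              "expires": self.now() + SESSION_SECONDS}
        self.events.append((mac, "portal-accept", user))
        return {"result": "login-ok", "action": "disconnect-and-reconnect"}

def walkthrough():
    """First visit -> guest VLAN and Portal; reconnect -> silent accept; expiry -> Portal again."""
    clock = [1_000_000.0]
    eng = MacPriorityEngine(now=lambda: clock[0])
    mac = "aa:bb:cc:dd:ee:01"                          # constructed endpoint MAC
    first = eng.mab_request(mac)
    login = eng.portal_login(mac, "alice", "Secret1")
    second = eng.mab_request(mac)                      # roaming/reconnect within the session
    clock[0] += SESSION_SECONDS + 1
    third = eng.mab_request(mac)                       # session duration elapsed
    return first, login, second, third, eng.events
```

The events list is the kind of per-endpoint timeline the controller exposes as offline-cause tracing: the expired binding is recorded as a session timeout rather than a generic offline state.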
Comprehensive RESTful API
ASE’s power comes not only from its core functionality but also from a well-designed, open RESTful API. This allows network access control to integrate seamlessly with existing enterprise IT workflows, such as DingTalk, Feishu, or HR systems.
The API is divided into four modules: user management, user group (role) management, network event notifications, and endpoint control. Developers are also provided with multi-language SDKs and code templates, reducing integration complexity and enabling rapid, efficient development and deployment.
Zero-Code Customizable Portal Pages
In Portal authentication scenarios, the login page is often the first impression for employees and visitors accessing the network.
The ASE provides an intuitive and flexible page customization feature on the controller, making branded network access easily achievable:
- Visual and branding customization: Administrators can upload the corporate logo, change background images, and modify welcome messages and instructions directly through the controller’s UI.
- Zero-code configuration: No HTML or CSS coding is required. Pages can be updated using simple forms and image uploads. This “what you see is what you get” approach significantly shortens the time needed to implement administrative or marketing requirements at the network layer.
Ⅴ. Case Study: Seamless Network Access in Large Building
Project Background: Ultra-High-Density Scenario
As a national-level technology incubator, the tech center comprises three buildings (A, B, and C) with a total of 43 floors, hosting over 2,000 tenant companies. The network supports daily operations for 10,000+ employees and tens of thousands of mobile endpoints.
Challenges: Multi-Tenant Network Management
- Complex logical isolation: Over 2,000 startups share a single physical network, requiring strict Layer 2 isolation to prevent inter-company data leakage.
- High-frequency roaming: Employees move frequently across floors, meeting rooms, and public event spaces, demanding millisecond-level seamless handoff.
- Fragmented guest management: Large daily visitor volumes make traditional password distribution unscalable. Efficient, secure, self-service access is required for temporary users.
Asterfusion Solution: Global Orchestration with Built-in Authentication Server
1. Multi-Tenant User Group Management: “One Enterprise, One Policy”
The ASE engine maps over 2,000 tenant companies into independent policy entities through user groups:
- Enterprise-level user groups: Each company is assigned a unique user group ID, enabling fine-grained identity-based policy definitions.
- Dynamic VLAN assignment: Leveraging ASE’s decision engine, employees are automatically assigned the correct enterprise-specific VLAN via RADIUS, whether connecting through wired ports or wireless SSIDs. This ensures network access follows the user and permissions align automatically.
2. Hybrid Authentication: Balancing Security and Efficiency
- Employee access (802.1X + seamless login): Strong 802.1X authentication combined with ASE’s MAC-priority/session persistence means employees log in manually only once. Subsequent roaming across APs (elevators, meeting rooms) automatically matches the cached MAC status, providing a seamless roaming experience.
- Guest access (Portal self-service): Custom Portal pages support SMS verification for self-service login. Guests are restricted to isolated external VLANs, protecting the core production network.
3. API-Driven IoT and Ecosystem Integration
Property management systems use ASE’s comprehensive RESTful API for deep business integration:
- Unified management: When new companies move in or employees leave, the property system automatically updates ASE account status via API, eliminating manual intervention.
- Data visualization: Traffic monitoring, online status tracking, and offline cause tracing provide actionable insights for intelligent building operations.
Ⅵ. Building a Manageable and Always-On Network
As the built-in authentication server within the OpenWiFi Controller, ASE is not “redefining security concepts.” Instead, it turns complex authentication, security, and policy challenges into visible, controllable, and sustainable operational capabilities.
When the network no longer interrupts users, burdens operators, or slows business, it becomes a trustworthy, durable, and long-term infrastructure foundation for enterprise digital transformation.