OAuth for Enterprise Endpoint Access Architecture
Unified Authentication and Access Control with Asteria
- 1. Challenges of Traditional Network Access Authentication
- 2. OAuth 2.0: A Unified Identity Entry Point for the Zero Trust Era
- 2.1 Architecture Overview
- 2.2 Technical Benefits
- 3. Unified Authentication and Control Platform: Open APIs and Automated Integration
- 4. Minimal Configuration Practice: Enabling OAuth-Based Access in Five Minutes
- 4.1 Authentication Server Configuration
- 4.2 Configure Authentication Access Point
- 4.3 Optional Configuration
- 5. OpenWiFi Controller Free Trial
1. Challenges of Traditional Network Access Authentication
The Network Perimeter Is Disappearing
Traditional network architectures were built around fixed office locations and trusted internal networks. Users, endpoints, networks, and access permissions were relatively static.
Modern enterprise networks are fundamentally different. Mobile work has become the norm. Multiple endpoint types coexist across the network. User identities are more diverse than ever. Traditional NAC solutions struggle to adapt to these evolving requirements.
Growing Operational Complexity
Traditional authentication systems typically require administrators to configure VLANs, ACLs, RADIUS, Portal services, authentication policies, and user permissions on individual devices.
In medium and large-scale networks, more than 80% of operational effort is spent on repetitive configuration tasks and policy synchronization. Network deployment cycles are often measured in days rather than hours.
Common challenges include:
- Repetitive configuration tasks
- Heavy reliance on manual operations
- Difficulty maintaining policy consistency
- Complex troubleshooting processes
- High deployment costs across multiple sites
An Increasingly Ineffective Security Model
Traditional networks assume that any user or device inside the network is trusted by default. As a result, many organizations still rely on static credentials, fixed VLAN assignments, IP address bindings, and MAC-based admission control.
This approach introduces several security risks:
- User accounts may remain active after employee departure.
- Static passwords often remain valid for extended periods.
- Access permissions cannot be adjusted dynamically.
- The risk of lateral movement is significantly increased.
- Continuous identity verification is absent.
The traditional perimeter-based security model no longer meets the requirements of a Zero Trust architecture.
Fragmented User Experience
In traditional authentication environments:
- Users must remember complex passwords.
- Network credentials are separate from enterprise application accounts.
- Multiple devices require repeated authentication.
- Forgotten passwords can prevent network access.
Meanwhile, modern workplace platforms such as Microsoft Teams, Notion and Feishu have become the primary identity entry point for enterprise users.
However, network authentication systems often remain disconnected from these identity ecosystems. This gap creates a fragmented user experience and increasingly impacts enterprise digital collaboration efficiency.
2. OAuth 2.0: A Unified Identity Entry Point for the Zero Trust Era
OAuth 2.0 is more than a login protocol. It serves as a core identity control framework in modern Zero Trust architectures. By using tokens instead of traditional usernames and passwords, OAuth 2.0 enables identity-based authorization and dynamic access control.
In enterprise networks, OAuth 2.0 allows identity platforms such as Microsoft Teams, Notion or Feishu to serve as a unified Identity Provider (IdP) and Single Source of Truth. This shifts network authentication from device-centric management to identity-centric access control.
2.1 Architecture Overview
2.1.1 Authentication Workflow
① Initiate Authorization Request
After connecting to the network, the user endpoint is redirected to the Portal page hosted by the authentication server. The authentication server then redirects the user to the authorization page of an identity platform such as Feishu.
② Obtain Authorization Code
After the user completes identity verification, the Identity Provider (IdP) returns a one-time, short-lived Authorization Code to the authentication server.
③ Exchange for Access Token
The authentication server securely submits the Authorization Code and client credentials to the IdP and requests an Access Token.
④ Receive Access Token
After successful validation, the IdP returns:
- Access Token for API access and authorization
- OpenID as the unique user identity identifier
⑤ Dynamic Access Authorization
Based on the authenticated user identity and role-based policies, the authentication server dynamically assigns VLANs, ACLs, and network access permissions, enabling identity-based network access control.
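The five steps above, modelled from the authentication server's side as an added example (this is not Asteria's code; the IdP endpoint, client credentials, redirect URI, email-domain-to-VLAN table and the in-memory `FakeIdP` are all constructed stand-ins). The server binds each Portal redirect to a random `state`, accepts the callback only once, exchanges the one-time code together with its client credentials, and maps the returned email domain to an OAuth user group and its dynamic VLAN, the same fields the group configuration in section 4.1.3 exposes.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed example values: in a real deployment these come from the identity
# platform's developer console and the site's own authentication server.
IDP_AUTHORIZE_URL = "https://idp.example/oauth/authorize"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"
REDIRECT_URI = "https://auth-server.example/site-uuid-placeholder/callback"

# Email domain -> OAuth user group -> dynamic VLAN (constructed policy table).
USER_GROUPS = {
    "@asterfusion.com": {"name": "employees", "vlan": 100},
    "@contractor.example": {"name": "contractors", "vlan": 200},
}


class FakeIdP:
    """Stand-in for Feishu/Teams/Notion: issues one-time, short-lived codes (step 2)
    and redeems them for an access token plus OpenID (steps 3 and 4)."""

    def __init__(self, code_ttl=60):
        self.code_ttl = code_ttl
        self._codes = {}  # code -> (email, openid, issued_at)

    def authorize(self, email, openid, now):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (email, openid, now)
        return code

    def token(self, code, client_id, client_secret, redirect_uri, now):
        if client_id != CLIENT_ID or client_secret != CLIENT_SECRET:
            return None
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed once
        if entry is None:
            return None
        email, openid, issued_at = entry
        if now - issued_at > self.code_ttl:
            return None  # code expired
        return {"access_token": secrets.token_urlsafe(24), "open_id": openid, "email": email}


def assign_policy(email):
    """Step 5: look up the OAuth group by the email's domain suffix (case-insensitive)."""
    domain = "@" + email.lower().rsplit("@", 1)[-1]
    return USER_GROUPS.get(domain)


class AuthServer:
    def __init__(self, idp):
        self.idp = idp
        self._pending = {}  # state -> endpoint MAC whose Portal session is awaiting login

    def start_login(self, client_mac):
        """Step 1: build the IdP redirect, binding this browser session to a random state."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = client_mac
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": "openid email", "state": state}
        return f"{IDP_AUTHORIZE_URL}?{urlencode(params)}", state

    def finish_login(self, callback_url, now):
        """Steps 2-5: check state, exchange the code, derive the access policy."""
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        code = qs.get("code", [None])[0]
        client_mac = self._pending.pop(state, None)  # a state is consumed on first use
        if client_mac is None or code is None:
            return {"status": "rejected", "reason": "unknown or reused state"}
        tok = self.idp.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, now)
        if tok is None:
            return {"status": "rejected", "reason": "code exchange failed"}
        policy = assign_policy(tok["email"])
        if policy is None:
            return {"status": "rejected", "reason": "email domain not in any OAuth group"}
        return {"status": "accepted", "mac": client_mac, "open_id": tok["open_id"],
                "group": policy["name"], "vlan": policy["vlan"]}
```

To walk the flow, call `start_login(mac)` to get the redirect and state, have the (simulated) user obtain a code from `FakeIdP.authorize`, then pass `REDIRECT_URI?code=...&state=...` to `finish_login`. A second delivery of the same callback, an expired code, or an email domain outside the configured groups all end in a `rejected` result rather than a VLAN assignment.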
2.1.2 Seamless Roaming Mechanism
To address common mobility scenarios such as endpoint reconnection and inter-AP roaming, the Asteria solution adopts a MAC-based authentication and authorization mechanism. This ensures a seamless user experience throughout the roaming process.
① Initial Network Access
When an endpoint connects to the network for the first time, it completes the standard Portal authentication process through OAuth 2.0. After successful authentication, the system automatically records the endpoint MAC address, user identity, and associated organizational policies. A persistent mapping between MAC address, user identity, and access policy is then established.
② Roaming and Reconnection
When the endpoint moves within the campus network and associates with a new AP, or reconnects after a temporary disconnection, the new AP immediately sends a RADIUS authentication request to the authentication server.
Upon receiving the request, the authentication server performs a real-time lookup of the endpoint’s existing authentication records. If a valid identity and authentication state are found, the server directly returns a successful authentication response to the new AP, along with the corresponding dynamic VLAN authorization attributes.
③ Service Continuity
After receiving the authorization information, the new AP automatically applies the assigned VLAN and access policies. The endpoint continues to use its existing network privileges without Portal redirection or credential re-entry.
The entire handoff process is completed within milliseconds, enabling uninterrupted service continuity during physical roaming across the network.
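The roaming path described above, as an added example (not Asteria's code): a MAC-to-identity cache written at Portal login, a lookup when a new AP sends a RADIUS MAC-authentication request, and a reply that either carries the dynamic VLAN attributes or rejects so the AP falls back to the Portal. It also applies the NAS rule stated in section 4.1.2 (answer only authorized segments with the right shared secret). The authorized segments, secret, session lifetime and VLAN numbers are constructed; in this model the secret is compared directly, whereas a real RADIUS server validates it through the packet's Request/Message-Authenticator.

```python
import ipaddress
import re

# Constructed example values: authorized NAS segments with their shared secrets,
# and how long a cached identity stays valid before the user must log in again.
AUTHORIZED_NAS = {
    ipaddress.ip_network("10.10.1.0/24"): "ap-shared-secret-placeholder",
}
SESSION_TTL = 8 * 3600  # seconds


def vlan_attributes(vlan_id):
    """RADIUS attributes that carry a dynamic VLAN assignment (RFC 3580):
    Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6), Tunnel-Private-Group-ID."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": str(vlan_id)}


def normalize_mac(mac):
    """APs report aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; store one form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class SessionStore:
    """MAC -> identity/policy mapping written after a successful OAuth Portal login."""

    def __init__(self):
        self._sessions = {}

    def record_login(self, mac, user, vlan_id, now):
        self._sessions[normalize_mac(mac)] = {
            "user": user, "vlan": vlan_id, "expires_at": now + SESSION_TTL}

    def revoke_user(self, user):
        """Offboarding: drop every cached session of the user, so the next roam
        or reconnection lands on the Portal instead of silently succeeding."""
        doomed = [m for m, s in self._sessions.items() if s["user"] == user]
        for m in doomed:
            del self._sessions[m]
        return len(doomed)

    def lookup(self, mac, now):
        s = self._sessions.get(normalize_mac(mac))
        if s is None or now > s["expires_at"]:
            return None
        return s


def handle_mac_auth(store, nas_ip, nas_secret, calling_station_id, now):
    """Decide the RADIUS request sent by the AP an endpoint has just roamed to."""
    nas = ipaddress.ip_address(nas_ip)
    expected = next((s for net, s in AUTHORIZED_NAS.items() if nas in net), None)
    if expected is None or expected != nas_secret:
        # Unknown NAS or wrong secret: a RADIUS server silently discards the packet.
        return ("Discard", {})
    session = store.lookup(calling_station_id, now)
    if session is None:
        # No valid cached identity: reject so the AP redirects the client to the Portal.
        return ("Access-Reject", {})
    return ("Access-Accept", vlan_attributes(session["vlan"]))
```

`record_login` is what the Portal flow would call once the OAuth exchange succeeds; from then on every AP in an authorized segment gets an `Access-Accept` with the same VLAN for that MAC until the entry expires or `revoke_user` clears it, which is what keeps the cache from outliving the identity it was derived from.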
2.2 Technical Benefits
- Credential-Free Authentication
User passwords are neither stored nor processed by network infrastructure devices. Authentication relies on short-lived and revocable tokens, eliminating credential exposure risks commonly found in traditional authentication workflows.
- Granular Policy Enforcement
Access control is no longer tied to static asset databases. Authorization decisions are dynamically driven by attributes from the Identity Provider (IdP), such as user roles, departments, and email domains. This enables continuous verification and policy enforcement aligned with Zero Trust principles.
- Single Sign-On (SSO) Experience
Network access authentication is integrated with enterprise identity systems. Users can access network resources using the same identity employed across business applications. Multiple devices can share a consistent identity context, reducing the operational overhead of managing separate network credentials.
3. Unified Authentication and Control Platform: Open APIs and Automated Integration
Asteria no longer treats authentication as an isolated network function. Instead, it integrates the controller and authentication services to build a unified enterprise network capability platform.
It exposes standard REST APIs to abstract network control capabilities into programmable interfaces. These interfaces can integrate with enterprise business systems and security components for automated orchestration.
Integration with HR and Enterprise Management Systems (End-to-End Network Lifecycle Automation)
Asteria integrates with HR systems and campus management platforms through APIs to synchronize employee lifecycle events and enforce identity-based network policies in real time.
- Onboarding / Promotion: When a user is onboarded or promoted, the HR system triggers an API call. The authentication server automatically activates the account and assigns the user to the corresponding OAuth group based on role and access level.
- Role Transfer / Department Change: Organizational changes such as department transfers are synchronized in real time. Updates to email domains or organizational attributes dynamically adjust VLAN and ACL policies, preventing privilege retention.
- Offboarding / Access Revocation: When an employee leaves the organization or access is downgraded, a webhook triggers immediate revocation. Active tokens cached in the authentication system are invalidated within seconds, enforcing instant network and application access termination across the entire infrastructure.
Integration with Security and Threat Intelligence Systems (Active Defense Loop)
When enterprise security platforms such as SIEM, EDR, or sandbox systems detect abnormal traffic, lateral movement, or malicious behavior from a mobile endpoint, no manual intervention is required.
The security system can issue a remediation API request to the Asteria controller.
Upon receiving the instruction, the controller executes enforcement actions within seconds, including session termination and MAC address quarantine.
This reduces security response latency from hours to seconds, enabling a real-time, automated defense loop across the network.
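An added example of the receiving end of the remediation and offboarding webhooks described in this section (not Asteria's API, which the page does not document): the controller authenticates each request with an HMAC-SHA256 signature over a timestamp and the body, rejects stale and replayed deliveries, and only then terminates a user's sessions or quarantines a MAC address. The shared secret, the `X-Timestamp`/`X-Signature` header names, the JSON event shape and the action names are assumptions for this example.

```python
import hashlib
import hmac
import json

# Constructed secret shared between the calling system (SIEM, EDR, HR) and the
# controller; every request must be signed with it.
WEBHOOK_SECRET = b"webhook-secret-placeholder"
MAX_CLOCK_SKEW = 300  # seconds; a request older than this is treated as stale


def sign(timestamp, body):
    """Signature = HMAC-SHA256(secret, "<timestamp>.<body>"), hex encoded.
    Binding the timestamp into the MAC stops an old body being re-dated."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(WEBHOOK_SECRET, msg, hashlib.sha256).hexdigest()


def make_request(event, timestamp):
    """Client side: what the security platform or HR system sends (headers, body)."""
    body = json.dumps(event, separators=(",", ":")).encode()
    return {"X-Timestamp": str(timestamp), "X-Signature": sign(str(timestamp), body)}, body


class EnforcementController:
    def __init__(self):
        self.quarantined_macs = set()
        self.terminated_sessions = []  # (user, reason) record of enforcement actions
        self._seen = set()             # (timestamp, signature) pairs already processed

    def handle(self, headers, body, now):
        ts = headers.get("X-Timestamp")
        sig = headers.get("X-Signature", "")
        if ts is None or not ts.isdigit():
            return {"status": 400, "error": "missing timestamp"}
        if abs(now - int(ts)) > MAX_CLOCK_SKEW:
            return {"status": 401, "error": "stale request"}
        # compare_digest: constant-time comparison of the expected and supplied MAC.
        if not hmac.compare_digest(sign(ts, body), sig):
            return {"status": 401, "error": "bad signature"}
        if (ts, sig) in self._seen:
            return {"status": 409, "error": "replayed request"}
        self._seen.add((ts, sig))
        try:
            event = json.loads(body)
        except ValueError:
            return {"status": 400, "error": "invalid JSON"}
        return self._apply(event)

    def _apply(self, event):
        action = event.get("action")
        if action == "quarantine_mac":
            mac = event["mac"].lower()
            self.quarantined_macs.add(mac)  # subsequent MAC auth for it is denied
            return {"status": 200, "action": action, "mac": mac}
        if action == "terminate_user":
            self.terminated_sessions.append((event["user"], event.get("reason", "")))
            return {"status": 200, "action": action, "user": event["user"]}
        return {"status": 400, "error": f"unknown action {action!r}"}
```

`make_request` builds a correctly signed delivery so the two sides can be exercised together; a tampered body, a request outside the skew window, or a second delivery of an already-processed request is refused before any enforcement action runs.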
4. Minimal Configuration Practice: Enabling OAuth-Based Access in Five Minutes
By leveraging a highly automated graphical interface, complex network engineering tasks are simplified into intuitive and streamlined operations, significantly improving IT team productivity.
The following configuration uses Feishu authentication for wireless endpoints as an example.
4.1 Authentication Server Configuration
The authentication server configuration is automatically synchronized after saving, with no manual deployment required.
Navigate to the organization settings and select Auth Server.
Verify that the authentication server is online and operational.
4.1.1 Venue-Based Authentication Service Binding
Double-click the target site to switch to the location where the configuration needs to be applied.
Bind the authentication server to a site under the organization.
By default, the default site is not associated with any authentication server. Select the target authentication server, then click Save to apply the binding.
Navigation path: Configuration → Auth & Accounts → Bind NAC
4.1.2 Add Authorized NAS
Navigation path: Configuration → Auth & Accounts → NAS (Network Access Service)
The authentication server only responds to NAS authentication requests that originate from authorized network segments and match the configured shared secret.
NAS: Authentication access point. In typical deployments, the NAS for wired endpoints is the switch, while the NAS for wireless endpoints is the AP.
IP Addr: The actual IP address of the AP in the production network.
Secret: The shared key used for authentication between the NAS and the authentication server. It must match the configuration on the AP under the same site.
4.1.3 Add OAuth User Group
Navigate to Account → User Group and click + to create a new user group.
Set the authentication method to OAuth.
Recommended Field Descriptions:
| Field | Description |
|---|---|
| Name | Group name |
| Max Online | Maximum number of concurrent devices allowed per user account in this group |
| OAuth E-mail Domain | Email domain bound to this group during OAuth login, e.g. @asterfusion.com |
| Account Expiration Timestamp | Validity period of the user account in this group |
| Group Permission - VLAN ID | Dynamic VLAN assigned after authentication |
| Description | Group description |
Administrators can directly access the user page to view users who have successfully completed authentication.
4.2 Configure Authentication Access Point
Navigate to Configuration → Wi-Fi Configuration to configure AP-related settings.
4.2.1 Service Enablement
OAuth authentication is implemented based on captive portal authentication. When configuring the AP, the authentication mode must be set to Captive.
4.2.2 Security Services
In Security & Services, configure the Captive parameters according to the on-screen instructions.
Key Parameter Description:
- Auth Mode: When using a controller-integrated authentication server, select External-UAM.
- Walled Garden FQDN: Domain whitelist that can be accessed before authentication. For Feishu-based authentication, allow access to *feishu* and *logto*.
- UAM Server: Redirect URL in the format https://${Auth_Server_IP}/${Site_UUID}/login. The Site UUID can be copied by clicking the button on the right side of the Auth Configuration → Bind NAC page.
- Walled Garden IP Addr: IP whitelist accessible before authentication. This must include the authentication server IP and DHCP server IP.
- Auth Server / Acct Server: Both authentication and accounting servers use the controller-integrated service. Enter the server IP address from the Bind NAC page.
- Auth Secret / Acct Secret: Must match the Secret configured in the NAS settings.
- Other parameters: Keep default values unless specific customization is required.
4.3 Optional Configuration
4.3.1 Access Blocking
Navigate to Configuration → Auth Configuration → Block Access to configure access blocking rules.
The system supports blocking based on MAC address and username. Administrators can configure these rules as needed.
4.3.2 Portal Customization
In the controller’s Portal customization module, administrators can update branding elements, login components, and prompt text by uploading images or configuring links.
No HTML development skills are required. Non-technical users can complete professional portal page design through a simplified configuration interface.
5. OpenWiFi Controller Free Trial
The OpenWiFi Controller integrates OAuth-based authentication to unify identity-driven network access and simplify enterprise onboarding. With built-in support for external IdPs and automated policy orchestration, the controller enables rapid deployment of secure, identity-centric access control without complex configuration overhead. Users can experience end-to-end OAuth authentication, dynamic authorization, and seamless roaming in a fully integrated environment.
Try the OpenWiFi Controller trial and explore OAuth-based network access in practice: OpenWiFi Controller
Contact us by submitting a support request to obtain a temporary username and password for trial access.