P. 1
UCDavisWirelessInfrastructureProposal

UCDavisWirelessInfrastructureProposal

|Views: 4|Likes:
Published by raulkmaina

More info:

Published by: raulkmaina on Aug 18, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

06/28/2014

pdf

text

original

CAMPUS WIRELESS INFRASTRUCTURE PROPOSAL

IET – Communications Resources 10/22/04

BACKGROUND UC Davis introduced its wireless network in December, 2001 with a pilot program in King Hall, Memorial Union and Shields Library. Since that time, occupants of these facilities have assumed responsibility for the local access points while IET continued to provide central authentication via Kerberos and Distauth services. Many more access points were added in these locations and other departments have elected to install their own wireless networks – some using centralized authentication and others using their own methods for security. IET currently provides central authentication services for 63 department owned access points and another 8 that IET owns and manages. At present, the existing campus user authentication system is being stressed and does not offer a number of necessary network security features. Additionally, the existing architecture is not scalable and will inhibit performance and future growth. There is also no corresponding network management system for the wireless network as there is with the wired network. There is therefore no easy way to monitor the wireless access points (WAPs) or to obtain any statistics on usage or traffic patterns which assist in engineering and upgrading the network. The 802.11g WAPs and NIC cards are now widely available and in many cases included as part of laptop computers. Wireless 802.11b phones are also available and phones are being developed with dual chip sets that allow for 802.11 networking as well as cellular technology. This technology is making its way into Personal Digital Assistants, security systems, equipment location devices, and Facilities control systems. Widespread development and dependence upon wireless end user devices continues to increase. These developments coupled with increasing rates of departmental wireless deployments is stressing existing IET systems and creating a number of security issues. IET has developed a three-step action plan to address the issues surfacing with wireless network deployments and access: Action #1: IET will immediately upgrade the wireless firewall infrastructure so that it is scalable, secure, and capable of handling the growing demand being placed upon it by increasing numbers of departmental wireless access points. Action #2: Upon completion of Action #1, IET will be ready to segment the wireless network and revise the authentication system to include encryption via 802.1x for additional security. In preparation for this subsequent work, IET is soliciting the TIF’s review of the proposed architecture and options included within this document. Upon solidification of architecture, IET will proceed with implementation. Action #3: IET proposes a sustainable future direction for wireless network deployments. Details on each of these actions are provided in the balance of this document.

2

provide real-time client information for the entire network or per access point. 3 . track a particular user on the network by Mac address or username. must support multiple VLANs and Gigabit Ethernet speeds in order to integrate seamlessly into the campus wired network and must provide the capability to apply network security filters to protect the campus from malicious activity originating from wireless networks. provide rogue access point detection/reports. wireless equipment vendors. IET reviewed the set of issues associated with the current infrastructure limitations and through consultation with campus administrators. The management system must be able to use SNMP traps to set alarms on access points. developed a set of requirements that could be used to guide equipment procurements. Specific requirements the system must support include: • • • • • • • • • Web-based authentication (via a captive portal) to campus Distauth and Kerberos systems DHCP relay services 802.1q VLAN trunking Gigabit Ethernet fiber optic interfaces Operates with any Wireless Access Point Supports 802. push centralized configurations to multiple access points on the network. and provide sufficient evidence of the development of further access point support from more vendors in the future. and provide the tools to disconnect them from network if necessary. It does not need to be integrated with the gateway or firewall. provide traffic and usage reports per access point. The management system must have hooks that tie it to the overall network management system. Firewall/Authentication System General Requirements: The firewall and authentication system must be a scalable solution capable of integrating with campus central authentication services (Distauth/Kerberos) to allow only authorized user access to the wireless networks. HP Openview.1x authentication Supports VPN tunnels Restricts traffic based upon protocol Provides protection from Denial of Service attacks Management System General Requirements: The wireless management system must be able to support more than one manufacturer’s access points. and a standalone system is preferred. and technical staff.WIRELESS INFRASTRUCTURE ACTION PLAN ACTION #1: Replacement of the existing wireless authentication and firewall system with a more scalable and robust solution.

Some offered proprietary access points to promote their features.000 $ 6. vendors were classified into two groups: switched or centralized gateway. Inc.000 $ 40. is provided below: Bluesocket wireless gateway & spare Airware wireless management Wireless management server Radius Servers Spare WAPs Cost of programming time for 802. Funds expended for this phase by IET are currently at $44.692 $ 32.000 $132. The total cost for the purchase.A comprehensive vendor review was conducted to select platforms that met the above requirements. Aruba Wireless Networks Vernier Networks Gateway Vendors Aruba Wireless Networks Reef Edge. Inc. Within this review. The review also considered some independent AP management vendors that do not sell gateway/firewall products.000 $ 10.000 $ 10. Reviews were conducted for the following vendors: Switched/Edge Vendors Trapeze Networks Reef Edge.749 $ 5. Bluesocket Vernier Networks Perfigo Cisco Systems Management Vendors Airwave WaveLink AirMagnet Upon completion of the review.594. The purchases have been made and installation is expected to be complete before the start of Winter quarter. but only sell wireless lan management software. programming and installation of the security and wireless LAN management system. and all of them offered a number of authentication/authorization and WLAN management services.00 for equipment and software.1x Cost for configuration (gateway/management) Promotion/Signage/Advertising TOTAL $ 23.441 4 . Airwave was selected as the management vendor and Bluesocket was selected to replace the existing Cisco PIX firewall.000 $ 5. Some vendors offered both options. while others supported a number of different manufacturers’ access points.

The wireless architecture will provide a centrally managed component offering authentication.1x authentication. • • • A wireless architecture that meets these requirements must address concerns such as the capability of the “wired” network to support widespread wireless services. Centrally managed AAA services will support a variety of client systems through webbased and 802. This category of access is intended to provide a relatively simple method of acquiring wireless access that is not dependent upon client hardware and software. All design and development efforts begin with a definition of the requirements to be met. will not incorporate encryption technology and will require authentication via a web-based interface. It must provide the means for university departments to extend wireless connectivity into departmental VLANs. For this case. The requirements that the UC Davis wireless architecture must meet are defined as follows: • The wireless architecture must support ubiquitous (or near ubiquitous) coverage of the campus for general use wireless access. the flexibility and availability of authentication systems and the features of the wireless network components themselves. 5 . The architecture will support the goal of generalpurpose wireless LANs being made available for use to any university-affiliated user throughout the core campus and in selected areas outside the core campus.000. it will be necessary to augment the infrastructure by an additional localized gateway at an approximate expense of $12. wireless coverage will be limited to departmental spaces. ACTION #2: Segmentation of the Network and Implementation of 802. The proposed wireless architecture incorporates the following characteristics. General use wireless LANs will be accessible to any university-affiliated user. network security/encryption services as well as traffic and equipment management. components and services: Categories of Wireless Access Access to wireless networks will vary depending upon the users being served and upon the capabilities of the wireless client being used. authorization and accounting (AAA) services.Note: As the density of wireless users grows beyond approximately 500 in any given campus area. The architectural model will provide for the co-existence of the centrally managed component with departmentally managed wireless LANs. The architecture currently proposed leverages existing infrastructure and experience while proposing enhancements that provide a range of flexible services to support the objectives and requirements listed above. Nearly any wireless capable device can establish an authenticated network connection to general use wireless LANs.1x Authentication The development and approval of an architectural model that provides the foundation for expanding wireless services throughout the campus is the primary objective of this phase.

1x authentication and multiple VLANs. 6 . Where a department opts to manage their own wireless access points. 802. Additional VLANs configured on these access points will require encryption (keys delivered through the authentication process) and will not be advertised via beacon broadcasts. when users activate their wireless network interface. It should be noted that in order to provide a costeffective centrally managed service it is likely that wireless access points from a single vendor will be required.1x authentication and rotating WEP encryption keys. Connections to other available networks (such as department VLANs) will have to be explicitly requested by the user in order to gain access. Authorization in this case would require the incorporation of a user specific permit allowing the user to join the department VLAN through the wireless connection. centrally managed authentications services can be provided if the access points deployed meet IET specifications. One unencrypted VLAN will be deployed as a general use wireless LAN within a geographically defined area or zone. Guests and visitors would be considered as a third category of users that would access the general use wireless LANs but could have specific restrictions placed upon their network access. These access points can be incorporated into the general use wireless LANs or can be configured as a wireless component of the department’s VLANs. Leveraging the current capabilities of the wired network while providing the required wireless services is best accomplished through the use of wireless access points that provide encryption. Centrally Managed Wireless Networks In order to provide the required security and flexible authentication services. Managed wireless access points will meet IET specifications and will be capable of supporting multiple VLANs.Departmental users who wish to directly connect to their department VLANs via a wireless connection would constitute a second category of users. and will be advertised via beacon broadcasts. Access to department VLANs would be accomplished through an encrypted connection after authentication and authorization via 802.1x. the general use VLAN will be automatically listed as an available connection. 802. Other categories of access can be defined and accommodated including classroom access and emergency operations. Where the department opts to incorporate their access points into a general use VLAN. centrally managed authentication services can be provided. The use of “smart” wireless access points for managed wireless services provides the range of flexibility needed to support general access and department specific access needs. network components must be capable of supporting encryption. In this model. The current “wired” data network has the bandwidth capacity to support the widespread deployment of wireless access points throughout the campus and has the features required to the deliver multiple VLANs to wireless network components but does not have the capability to provide encryption services. Department Managed Wireless Networks Departments will have the option of deploying and managing their own wireless access points.

Distribution of Departmental Wireless Access Centrally managed wireless access points can be programmed to provide direct access to department VLANs. This will be accomplished through a web-page re-direct performed by the wireless gateway device. the core campus will be divided into geographic zones with each zone serviced by a distinct general use wireless LAN. As indicated previously. Authentication via 802. Radius groups containing lists of authorized users will be established for participating departments. Wireless Gateways The network infrastructure will support the deployment of centrally managed wireless gateways to control and monitor access to general use wireless LANs. Due to the size of the coverage areas and the anticipated number of users. Roaming within the zone will be possible. User lists will be maintained by the departments either through web-based forms and eventually via personnel management systems available through an enterprise directory and roles database. such access would require encryption and authorization.1x to campus Radius servers (yet to be deployed). All traffic destined to or originating from the general use wireless networks will pass through the wireless gateway. General use wireless LANs will be hauled through the “wired” network on a designated VLAN and terminated at the wireless gateway. Users will be presented with a web-page with a username and password prompt and authentication will take place using existing campus Distauth and Kerberos services. The wireless gateways will provide web-based authentication services and security filtering for general-purpose users including guests and visitors.1x has the advantage of working within the existing traffic engineering models in that access to default gateways remains at the BDF routers rather than being hauled to a choke point such as a wireless gateway.Distribution of General Use Wireless Access The architecture will support the establishment of general use wireless LANs throughout the core campus. Authentication/Authorization/Accounting Systems AAA systems will be deployed to restrict wireless access to authorized users. Users connecting to departmental VLANs via a wireless connection will authenticate via 802. Centrally managed access points located within a department’s offices/spaces or departmentally managed access points would be eligible for this service. Wireless gateways are designed to be connected to the “wired” network and can be deployed either centrally at the NOC or distributed throughout the data network within appropriate ADF’s or BDF’s. Any campusaffiliated user with a valid Kerboros username and password will be permitted to access general use wireless LANs. but roaming between the zones will not. Providing wireless access to department VLANs from any location on campus is beyond the capabilities of any wireless access point product and would severely impact the capability of the Network Operations Center to manage the overall data network. This 7 . It is anticipated that each geographic zone of wireless coverage will deploy one or more wireless gateways depending on the density of the wireless user population. Additional coverage zones will also be supported outside the core campus for selected areas.

1x. 802.1x will remove the need for the use of registered MAC addresses for access to an IP address via DHCP. By choosing to use 802. The interface will be similar to the Kerberos password 8 .11i overall encryption standard. augmented by web-based authentication to meet the needs of various clients and user groups. The NOC currently deploys and manages a number of wireless access points.leverages the performance and bandwidth capacity of the existing “wired” network as the speed of wireless networks continues to increase.1x implementation: 802. Deploy and test wireless gateway system. In principle. The only place encryption takes place is during the passing of the Kerberos password.1x services. leaving the Winter quarter for implementation. the proposed architecture recommends this new authentication technology.1x with Dynamic WEP session keys will assure privacy and security for the campus wireless network and its users. There are several outstanding issues that must be addressed in order to prepare the network to support wireless objectives through the proposed architecture: • • • • Campus Radius Servers: New Radius servers must be configured and deployed in order to support 802. and it is built into the 802. This system has been procured and is in the process of being deployed and tested. The Client Interface: Using the 802. this is how wireless access will work following the 802. To mitigate this issue.1x The use of the 802. flexible and secure service offering to the campus. they will be implemented via the 802. As better wireless encryption methods are introduced. but efforts are underway to standardize on the Cisco 1200 model.1x requires the client to authenticate prior to the allocation of an IP and therefore makes MAC address registration moot. Develop processes and tools to permit department network administrators to populate the Radius servers with lists of users authorized to access departmental VLANs via wireless connections. Finalize the specifications for centrally managed wireless access points. Additional Information on Authentication via 802. the campus can be confident of a solid migration path as better encryption methods are developed in the future. Because 802. older and less popular operating systems do not yet have built-in software clients. Today’s existing system does not encrypt the RF portion of a client wireless session.1x client will trigger a client interface to pop up on the client’s screen upon the activation of an 802. All new UCDNet2 Foundry switches support this protocol. Next Steps It is anticipated that campus review for this phase can be completed within two months.1x framework. The proposed architecture and services will meet the requirements for expanded wireless access and UC Davis and will provide a manageable.11 wireless NIC within range of a campus wireless access point.1x is a new protocol.

doubling as a security control measure. the system will generate a Kerberos username and password and email it to the departmental representative with additional wording explaining the department’s 9 . o Web form will offer a limited selection of guest permits to the wireless network spanning 7 to 90 days. the demand for guest access will only increase. creating a new Web based guest/visitor gateway for those authorized to access it. (See Exhibits 1C and 1D). provides a distributed gateway architecture that does not require a single management gateway “box”. conference visitor or group.1x is still new and not commonly used by everyone. affiliation. MAC address. This system will provide the following: o A single web site accessible only to authorized department representatives (similar to the TIF IP page) o Information and policy guidelines for guest access along with appropriate IET contacts for more information. The proposed system will update the existing wireless Web based access. and length of stay. operating on a distinct SSID without MAC address filtering. and will be created via an encrypted RF link to the access point for authentication to take place. the proposed authentication will provide a campus wide solution that may serve as a model for future distributed authentication systems on campus. (up to a quarter) o Once completed by the Network Representative.1x authentication scheme and “smart” access points. Wireless access has created a higher demand for guest network services that requires a streamlining of current guest access procedures. Network administrators have expressed a need for a better process. Using the campus RADIUS (software will be upgraded to support new encryption algorithms).1x does not create an easy path for the single guest. phone number. utilizing the 802. managed by IET is cumbersome and undocumented by design. With the significant roll out of wireless services recommended in this paper. Access: The proposed wireless solution. The current guest access process. Kerberos. utilizing 802.“username/password” GUI. o A web based form that will require the authorized departmental representative to submit a request for guest access for any individual as long as they provide the guest’s name. See Exhibit 1B for a detailed description of the gateway authentication process. and an MS password-store server system. email address. (See Exhibit 1B) Guest Access: The recommended wireless network configuration utilizing 802.1x authorization /authentication provides a distributed firewall architecture and does not require a centralized firewall solution. This project will include the development and deployment of a web-based wireless guest access authorization system that will maintain department accountability and at the same time provide a streamlined approach to guest authorization.1x. Firewall: The proposed wireless solution. that will double as a backup access system for campus users who may have problems during the transition to 802. as 802.

and give an organizational name. It will become obsolete once this proposal has been implemented. 10 . For comparison purposes. Exhibit 1D—New Wireless Authentication 802.1x for non-Microsoft clients.accountability for the use of this guest account and basic information on how to access the guest wireless network. as third party clients for other operating systems such as Mac and LINUX are readily available. o The site will require the conference sponsor to complete information regarding who they are. The following Exhibits outline the four authentication methods: • • • • Exhibit 1A—Existing Wireless Authentication. o This information will be emailed to IET for review and approval. Exhibit 1C—New Wireless Authentication 802. and local contact. our current authentication system is shown as a baseline. phone number. CEVS will screen the conference clients for their need for wireless access. A group Kerberos username and password will be issued to the CEVS representative to share with the conference participants. address. General network information and security documentation will accompany the username and password information.1x is already built into Windows XP and Windows 2000.1x for Microsoft clients. Exhibit 1B—Wireless Gateway Authentication. The new website will route large conference groups (50 or more) to the appropriate section to register a large group for wireless access. as 802. Large group wireless access will be managed on the wireless system in the following way: o The request will be coordinated with the Campus Events and Visitor Services (CEVS). Large group access will not be automatically approved. o The CEVS representative will access the web based system and request a group authorization with CEVS as the sponsor or the co-sponsoring campus department. length of stay. For campus and guest clients using Kerberos Password and Web Page Redirection.

the PIX firewall opens network access for the IP assigned in step 4. The Secureweb Server over an encrypted connection prompts the user for a Kerberos username and password. the KDC authenticates the user and passes this through the Secureweb server back to the user with a special webpage redirect that tells the user they have successfully authenticated. The user types in his username and password which is passed to the SECUREWEB server and forwarded to the Kerberos server (KDC) for authentication.ucdavis. Upon successful authentication. 8.edu) c. 5. 11 . 12. 6. Secureweb (DistAuth) b. When the user clicks on LOG ON HERE. The AP detects the RF and immediately bridges the connection over an unencrypted link to the Cisco PIX firewall in the NOC. 7. If the username and password are correct. The process is as follows: 1.ucdavis. DHCP 4. 11. 2. The user clicks on CONNECT TO WIRELESS NETWORK.edu. WLS (wireless.ucdavis. All clients must register the MAC address of their wireless NIC before they can authenticate on the network.EXHIBIT 1A Existing Wireless Authentication For all clients The current wireless authentication system uses the campus distributed authorization system (DistAuth) on the Secureweb server and Kerberos passwords on the KDC server.web server. he is redirected through an encrypted secure socket layer link (SSL) to the https://secure. 3. Though the user has an IP address he cannot go anywhere except http://wireless. 10.edu. 9. The PIX firewall allows the DCHP server to assign an IP address to all client machines with registered MAC addresses. The user opens his browser and types in http://wireless. The PIX firewall has been configured to allow network access for the following servers: a. User inserts their wireless network interface card (NIC) into their computer and activates it in an area served by a campus access point (AP).

EXHIBIT 1A Existing Wireless Authentication DHCP Server UCDNET SecureWeb Server PIX Fire wall Populate Kerberos Password Kerberos Server WLS Web Server Mothra Server CI C SO I ONE T 2 0 0 AR 1 I WI E L S S C C E S R E A ONT PI Wireless Access Point 12 .

The AP sees the RF and immediately bridges the connection over an unencrypted link to a wireless gateway or firewall in the NOC.edu. The unauthenticated user opens his browser and the wireless gateway directs the browser to http://wireless.ucdavis. as long as the machine has a registered MAC address. User inserts a wireless network interface card (NIC) into his computer and activates it in an area served by a campus access point (AP). 7. If the username and password are correct. The user clicks on CONNECT TO WIRELESS NETWORK. 13 . he is redirected through an encrypted secure socket layer link (SSL) to the https://secure. DHCP 4.EXHIBIT 1B Wireless Gateway Authentication Using Kerberos Password and Web Page Redirection for all clients & guests 1. The firewall allows the DCHP server to assign an IP address to the client machine from the Wireless VLAN. 9.edu) c.web server. 10. 11. 8. The user types in his username and password which is passed to the SECUREWEB server and forwarded to the Kerberos server (KDC) for authentication. the KDC authenticates the user and passes this through the Secureweb server back to the user with a special webpage redirect that tells the user they have successfully authenticated. The Secureweb Server over an encrypted connection prompts the user for a Kerberos username and password. 3. Secureweb (DistAuth) b. Upon successful authentication. 6. the PIX firewall opens network access for the IP assigned in step 4. WLS (wireless. 2.ucdavis. The firewall has been configured to allow network access for the following servers: a. When the user clicks on LOG ON HERE. 5.

EXHIBIT 1B Wireless Gateway Authentication DHCP Se rve r UCDNET Se cure We b Se rve r Gatewayw/ Web Page Redirection Ke rbe ros Se rve r WLS We b Se rve r Pop ulate Kerberos Password M othra Se rve r I S CCOA RONE 1 2 0 I T I WR E L E S A C C S S P I T I S E ON Wire le s s Acce s s Point 14 .

Microsoft Clients In this scenario the AP is an active part of the authentication process and not simply a bridge to other authenticating systems. the client sets up a Dynamic WEP Key encrypted session between the client and the AP based on standard key exchange settings set by NOC. Upon being fully authenticated on UCDNet. 3.) 1. 2. 9.1x client for Extensible Authentication Protocol/ Transport Layer Security (EAP/TLS) and Password Authentication Protocol (PAP). a DHCP request assigns a wireless LAN IP address to the user’s machine. The user configures his/her wireless 802. …. 7. 10. Radius forwards an authentication approval to the client through the AP. 5. 6. 15 . The AP passes the username/password from the client over an encrypted connection to the Radius Server. The software client prompts the user to type in his/her username and password and forwards it to the AP.Macintosh.EXHIBIT 1C New Wireless Authentication 802. Linux. Once the port is open for traffic.1x and immediately uses TLS encryption to set up a secure connection. The AP bridges network traffic to the client and opens a network port for user network access. When the user activates his/her wireless network interface card (NIC) in an area served by a campus wireless AP. 8. it detects the AP with 802. The AP acts as a Radius client in actively authenticating the user on the network and the user’s password is never sent over the network. 4. EAP-TLS (Non-MS Client .1x Non. The Radius server decrypts the username/password from the client and uses it as a proxy for Kerberos Authentication (KDC). The user is now on a fully encrypted private and secure connection.

1x EAP-TTLS (PAP) 16 .1x Authentication .EXHIBIT 1C Wireless 802.Non-MS Clients IWLS Permit Authorization Table Populate Kerberos Password Mothra Server Kerberos Authentication Radius Server Kerberos KDC UCDNET C I C OI ON E 1 2 0 S AR T 0 I WI E E S A C E S P O N T RL I Radius Client Radius Tunnel Wireless Access Point 802 .

5. 2. The user is now on a fully encrypted private and secure connection. a DHCP request assigns a wireless LAN IP address to the client machine. 4. 10. 8. PEAP security protocol for Microsoft Operating Systems 1. Upon being fully authenticated on UCDNet.1x using Protected Extensible Authentication Protocol (PEAP). The client prompts the user for a username/password but only passes the username to the AP which then forwards it to the Radius Server. 11. If the response from the client is valid. The user configures his client for 802. The password is held at the client which creates a hash of the password (or an algorithmic representation of the password). The AP seeing an authenticated response from Radius opens the port for the user to gain access to UCDNet. Upon activation of a wireless NIC within his computer in an area of the campus served by a campus wireless AP. 7.1x Microsoft Clients In this scenario the AP is an active part of the authentication process and not simply a bridge to other authenticating systems. The AP acts as a Radius client in actively authenticating the user on the network and the user’s password is never sent over the network. sends a password challenge to the client. The Radius server upon recognizing the username. 6. 17 . Radius authenticates the user through the AP. PEAP uses Challenge Handshake Authentication Protocol (CHAPv2) developed by Microsoft. the client sets up a Dynamic WEP Key encrypted session between the client and the AP based on standard key exchange settings set by NOC. The client uses the password hash to decrypt the challenge from Radius and sends a response using CHAPv2. 9. Once the port is open for traffic. the computer’s 802.EXHIBIT 1D New Wireless Authentication 802.1x client sets up an encrypted communication link to the AP using Transport Layer Security (TLS). 3.

EXHIBIT 1D Wireless 802.1 80 x Wire le ss Access Point PEAP (MS-CHAP) 18 .1x Authentication .MS Clients IWLS Permit MS-Password Hash Populate M S-Password Hash MS Password Store Authorization Table Mothra Serve r Radius Serve r UCDNET C I C OI O N T 1 2 0 S AR E 0 I WI E E S A C E S P O N T RL I Radius Clie nt Radius Tunnel 2 .

The access point must be a “smart” access point. developing installation estimates. and what network speeds and characteristics they will need. and 802. will continue to provide consulting support in specifying access points.11b/g and 802. such as a special management switch. it is important to preserve flexibility in any plans for future wireless or wired network developments. If wireless LANS are fast enough then this may not be an issue for the majority of users. where they can receive more information on how to authenticate and connect to the campus wireless system.1x authentication scheme with dynamic WEP session keys for privacy and increased security. In order to build out the wireless infrastructure in necessary areas quickly as possible. the campus sign committee designed “Wireless Here” signs so campus constituents can quickly and easily identify wireless “hot spots. All of this information will be . This will help IET in managing potential frequency interference problems and also assist with quantifying the campus-wide wireless assets. Given the current ambiguity. IET will continue with its information and education campaign regarding wireless services.ucdavis. This growth must be managed and adhere to specific standards. It must have the capability of handling special external antennas to boost the signal if required by the design.3af [REQUIRES DISCUSSION WITH JOHN BRUNO ON IMPLICATIONS OF DEPARTMENT OWNED ACCESS POINTS PLACING POWER DEMANDS IN TELECOMM CLOSETS – THIS WAS NOT AS MUCH AN ISSUE WHEN IET WAS OWNING THE ACCESS POINTS].” The signs direct users to the wireless.Attachment 3 ACTION #3: Adopting a sustainable future direction for wireless deployment It is premature to assume that wireless LANs will remove the need for wired LAN connections and it is unlikely that any such replacement would occur within the next five years. which is able to manage itself without the need of another edge device.edu Web site. Much will depend on future applications. Most recently. Wireless LANs currently use shared bandwidth and so have lesser throughput than wired connections. Lastly. Another factor in wireless adoption rates is whether or not individuals are willing to sacrifice network speed in exchange for the advantages of mobility. tagging transmissions to different VLANs by SSID. IET. and installing access points as requested. to detect rogue access points not registered on the network. it must be supported and upgradeable by the manufacturer for the next 3 years. it is important that responsibility for growth remain with departments. There are also flyers available in various wireless locations on campus (currently the MU and the libraries) that give users clear instructions on using the system. through Communications Resources. the power-over-Ethernet standard 802. IET will also advertise the availability of a new on-line wireless registration process so that departments may register their access points.11a. It must have the capability to handle multiple SSIDs. IET strongly encourages departments to adopt the following standard with respect to access points: Access Points must support 802. It must be able to be put in promiscuous mode via a management program.

the campus wireless deployment plan outlined in this paper provides a cost effective. IET will revise its telecommunications standards for new buildings to include the wiring infrastructure to support the installation of departmental access points in convenient locations and in sufficient quantities to provide complete in-building coverage. secure deployment using the latest standards-based wireless authentication protocols and prepares the campus for the future. Having the expenses associated with authentication and security imbedded within the existing services removes the barrier for departments to utilize centralized services and encourages greater campus network security. The telecommunications master planning effort should inform discussions on the feasibility and potential timeframe for such a transition. .1x. Planning the future is always difficult. as this is a new technology. However. It is entirely possible that the wireless network will need to evolve over time into a completely centrally provisioned service. cohesive campus area network. IET will address wireless development within the context of the campus telecommunications master planning effort.Attachment 3 updated with instructions on using 802. Demands for closer functional integration with the wired network and the convergence of wireless voice and data services are likely drivers for a central wireless network. Planning a wireless network with changing standards and venture capital funded untested vendors is risky business. IET will include the expenses associated with the operation and maintenance of the wireless infrastructure in its 2005-06 rate proposal. just as Network 21 integrated hundreds of disparate local area networks into a single. [DISCUSS WITH JOHN IF HE WANTS TO PROPOSE CAPITAL PROJECT FUNDING FOR THE ACCESS POINTS] This will reduce the costs that departments must bear to install access points. and it requires some knowledge to use it correctly. should it occur.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->