
CAMPUS WIRELESS INFRASTRUCTURE PROPOSAL

IET – Communications Resources

10/22/04

BACKGROUND

UC Davis introduced its wireless network in December, 2001 with a pilot program in King Hall,
Memorial Union and Shields Library. Since that time, occupants of these facilities have assumed
responsibility for the local access points while IET continued to provide central authentication via
Kerberos and Distauth services. Many more access points were added in these locations and other
departments have elected to install their own wireless networks – some using centralized
authentication and others using their own methods for security. IET currently provides central
authentication services for 63 department owned access points and another 8 that IET owns and
manages.

At present, the existing campus user authentication system is being stressed and does not offer a
number of necessary network security features. Additionally, the existing architecture is not
scalable and will inhibit performance and future growth. There is also no corresponding network
management system for the wireless network as there is with the wired network. There is
therefore no easy way to monitor the wireless access points (WAPs) or to obtain any statistics on
usage or traffic patterns which assist in engineering and upgrading the network.

The 802.11g WAPs and NIC cards are now widely available and in many cases included as part of
laptop computers. Wireless 802.11b phones are also available and phones are being developed
with dual chip sets that allow for 802.11 networking as well as cellular technology. This
technology is making its way into Personal Digital Assistants, security systems, equipment
location devices, and Facilities control systems. Widespread development and dependence upon
wireless end user devices continues to increase. These developments, coupled with increasing
rates of departmental wireless deployments, are stressing existing IET systems and creating a
number of security issues.

IET has developed a three-step action plan to address the issues surfacing with wireless network
deployments and access:

Action #1: IET will immediately upgrade the wireless firewall infrastructure so that it is scalable,
secure, and capable of handling the growing demand being placed upon it by increasing numbers
of departmental wireless access points.

Action #2: Upon completion of Action #1, IET will be ready to segment the wireless network and
revise the authentication system to include encryption via 802.1x for additional security. In
preparation for this subsequent work, IET is soliciting the TIF’s review of the proposed
architecture and options included within this document. Upon solidification of architecture, IET
will proceed with implementation.

Action #3: IET proposes a sustainable future direction for wireless network deployments.

Details on each of these actions are provided in the balance of this document.

WIRELESS INFRASTRUCTURE ACTION PLAN

ACTION #1: Replacement of the existing wireless authentication and firewall system with a
more scalable and robust solution.

IET reviewed the set of issues associated with the current infrastructure limitations and through
consultation with campus administrators, wireless equipment vendors, and technical staff, developed
a set of requirements that could be used to guide equipment procurements.

• Firewall/Authentication System General Requirements: The firewall and authentication
system must be a scalable solution capable of integrating with campus central
authentication services (Distauth/Kerberos) to allow only authorized user access to the
wireless networks, must support multiple VLANs and Gigabit Ethernet speeds in order to
integrate seamlessly into the campus wired network and must provide the capability to
apply network security filters to protect the campus from malicious activity originating
from wireless networks. Specific requirements the system must support include:

o Web-based authentication (via a captive portal) to campus Distauth and Kerberos systems
o DHCP relay services
o 802.1q VLAN trunking
o Gigabit Ethernet fiber optic interfaces
o Operates with any Wireless Access Point
o Supports 802.1x authentication
o Supports VPN tunnels
o Restricts traffic based upon protocol
o Provides protection from Denial of Service attacks

• Management System General Requirements: The wireless management system must be
able to support more than one manufacturer’s access points, and provide sufficient
evidence of the development of further access point support from more vendors in the
future. The management system must have hooks that tie it to the overall network
management system, HP OpenView. It does not need to be integrated with the gateway
or firewall, and a standalone system is preferred. The management system must be able
to use SNMP traps to set alarms on access points, push centralized configurations to
multiple access points on the network, provide traffic and usage reports per access point,
provide rogue access point detection/reports, provide real-time client information for the
entire network or per access point, track a particular user on the network by MAC address
or username, and provide the tools to disconnect them from the network if necessary.

A comprehensive vendor review was conducted to select platforms that met the above
requirements. Within this review, vendors were classified into two groups: switched or
centralized gateway. Some vendors offered both options, and all of them offered a number of
authentication/authorization and WLAN management services. Some offered proprietary access
points to promote their features, while others supported a number of different manufacturers’
access points. The review also considered some independent AP management vendors that do not
sell gateway/firewall products, but only sell wireless LAN management software.

Reviews were conducted for the following vendors:

Switched/Edge Vendors
• Trapeze Networks
• Reef Edge, Inc.
• Aruba Wireless Networks
• Vernier Networks

Gateway Vendors
• Aruba Wireless Networks
• Reef Edge, Inc.
• Bluesocket
• Vernier Networks
• Perfigo
• Cisco Systems

Management Vendors
• Airwave
• WaveLink
• AirMagnet

Upon completion of the review, Airwave was selected as the management vendor and Bluesocket
was selected to replace the existing Cisco PIX firewall. The purchases have been made and
installation is expected to be complete before the start of Winter quarter. Funds expended for this
phase by IET are currently at $44,594.00 for equipment and software.

The total cost for the purchase, programming and installation of the security and wireless LAN
management system is provided below:

Bluesocket wireless gateway & spare            $ 23,692
Airwave wireless management                    $ 32,749
Wireless management server                     $  5,000
Radius servers                                 $ 10,000
Spare WAPs                                     $  6,000
Cost of programming time for 802.1x            $ 40,000
Cost for configuration (gateway/management)    $ 10,000
Promotion/Signage/Advertising                  $  5,000
TOTAL                                          $132,441

Note: As the density of wireless users grows beyond approximately 500 in any given campus
area, it will be necessary to augment the infrastructure by an additional localized gateway at an
approximate expense of $12,000.

ACTION #2: Segmentation of the Network and Implementation of 802.1x Authentication

The development and approval of an architectural model that provides the foundation for
expanding wireless services throughout the campus is the primary objective of this phase. All
design and development efforts begin with a definition of the requirements to be met. The
requirements that the UC Davis wireless architecture must meet are defined as follows:

• The wireless architecture must support ubiquitous (or near ubiquitous) coverage of the
campus for general use wireless access. The architecture will support the goal of general-
purpose wireless LANs being made available for use to any university-affiliated user
throughout the core campus and in selected areas outside the core campus.
• It must provide the means for university departments to extend wireless connectivity into
departmental VLANs. For this case, wireless coverage will be limited to departmental
spaces.
• The wireless architecture will provide a centrally managed component offering
authentication, authorization and accounting (AAA) services, network security/encryption
services as well as traffic and equipment management. The architectural model will
provide for the co-existence of the centrally managed component with departmentally
managed wireless LANs.
• Centrally managed AAA services will support a variety of client systems through web-
based and 802.1x authentication.

A wireless architecture that meets these requirements must address concerns such as the capability
of the “wired” network to support widespread wireless services, the flexibility and availability of
authentication systems and the features of the wireless network components themselves. The
architecture currently proposed leverages existing infrastructure and experience while proposing
enhancements that provide a range of flexible services to support the objectives and requirements
listed above.

The proposed wireless architecture incorporates the following characteristics, components and
services:

Categories of Wireless Access

Access to wireless networks will vary depending upon the users being served and upon the
capabilities of the wireless client being used. General use wireless LANs will be accessible to any
university-affiliated user, will not incorporate encryption technology and will require
authentication via a web-based interface. This category of access is intended to provide a
relatively simple method of acquiring wireless access that is not dependent upon client hardware
and software. Nearly any wireless capable device can establish an authenticated network
connection to general use wireless LANs.

Departmental users who wish to directly connect to their department VLANs via a wireless
connection would constitute a second category of users. Access to department VLANs would be
accomplished through an encrypted connection after authentication and authorization via 802.1x.
Authorization in this case would require the incorporation of a user specific permit allowing the
user to join the department VLAN through the wireless connection.

Guests and visitors would be considered as a third category of users that would access the general
use wireless LANs but could have specific restrictions placed upon their network access. Other
categories of access can be defined and accommodated including classroom access and emergency
operations.

Centrally Managed Wireless Networks

In order to provide the required security and flexible authentication services, network components
must be capable of supporting encryption, 802.1x authentication and multiple VLANs. The
current “wired” data network has the bandwidth capacity to support the widespread deployment of
wireless access points throughout the campus and has the features required to deliver multiple
VLANs to wireless network components, but does not have the capability to provide encryption
services. Leveraging the current capabilities of the wired network while providing the required
wireless services is best accomplished through the use of wireless access points that provide
encryption.

The use of “smart” wireless access points for managed wireless services provides the range of
flexibility needed to support general access and department specific access needs. Managed
wireless access points will meet IET specifications and will be capable of supporting multiple
VLANs, 802.1x authentication and rotating WEP encryption keys.

One unencrypted VLAN will be deployed as a general use wireless LAN within a geographically
defined area or zone, and will be advertised via beacon broadcasts. Additional VLANs configured
on these access points will require encryption (keys delivered through the authentication process)
and will not be advertised via beacon broadcasts. In this model, when users activate their wireless
network interface, the general use VLAN will be automatically listed as an available connection.
Connections to other available networks (such as department VLANs) will have to be explicitly
requested by the user in order to gain access. It should be noted that in order to provide a cost-
effective centrally managed service it is likely that wireless access points from a single vendor will
be required.

Department Managed Wireless Networks

Departments will have the option of deploying and managing their own wireless access points.
These access points can be incorporated into the general use wireless LANs or can be configured
as a wireless component of the department’s VLANs. Where the department opts to incorporate
their access points into a general use VLAN, centrally managed authentication services can be
provided. Where a department opts to manage their own wireless access points, centrally
managed authentication services can be provided if the access points deployed meet IET
specifications.

Distribution of General Use Wireless Access

The architecture will support the establishment of general use wireless LANs throughout the core
campus. Due to the size of the coverage areas and the anticipated number of users, the core
campus will be divided into geographic zones with each zone serviced by a distinct general use
wireless LAN. Roaming within the zone will be possible, but roaming between the zones will not.
Additional coverage zones will also be supported outside the core campus for selected areas.

Distribution of Departmental Wireless Access

Centrally managed wireless access points can be programmed to provide direct access to
department VLANs. As indicated previously, such access would require encryption and
authorization. Centrally managed access points located within a department’s offices/spaces or
departmentally managed access points would be eligible for this service. Providing wireless
access to department VLANs from any location on campus is beyond the capabilities of any
wireless access point product and would severely impact the capability of the Network Operations
Center to manage the overall data network.

Wireless Gateways

The network infrastructure will support the deployment of centrally managed wireless gateways to
control and monitor access to general use wireless LANs. The wireless gateways will provide
web-based authentication services and security filtering for general-purpose users including guests
and visitors. It is anticipated that each geographic zone of wireless coverage will deploy one or
more wireless gateways depending on the density of the wireless user population. Wireless
gateways are designed to be connected to the “wired” network and can be deployed either
centrally at the NOC or distributed throughout the data network within appropriate ADFs or
BDF’s. General use wireless LANs will be hauled through the “wired” network on a designated
VLAN and terminated at the wireless gateway. All traffic destined to or originating from the
general use wireless networks will pass through the wireless gateway.

Authentication/Authorization/Accounting Systems

AAA systems will be deployed to restrict wireless access to authorized users. Any campus-
affiliated user with a valid Kerberos username and password will be permitted to access general
use wireless LANs. This will be accomplished through a web-page re-direct performed by the
wireless gateway device. Users will be presented with a web-page with a username and password
prompt and authentication will take place using existing campus Distauth and Kerberos services.

Users connecting to departmental VLANs via a wireless connection will authenticate via 802.1x to
campus Radius servers (yet to be deployed). Radius groups containing lists of authorized users
will be established for participating departments. User lists will be maintained by the departments,
initially through web-based forms and eventually via personnel management systems available
through an enterprise directory and roles database. Authentication via 802.1x has the advantage of
working within the existing traffic engineering models in that access to default gateways remains
at the BDF routers rather than being hauled to a choke point such as a wireless gateway. This
leverages the performance and bandwidth capacity of the existing “wired” network as the speed of
wireless networks continues to increase.

Next Steps

It is anticipated that campus review for this phase can be completed within two months, leaving
the Winter quarter for implementation. There are several outstanding issues that must be
addressed in order to prepare the network to support wireless objectives through the proposed
architecture:

• Campus Radius Servers: New Radius servers must be configured and deployed in order to
support 802.1x services.
• Finalize the specifications for centrally managed wireless access points. The NOC
currently deploys and manages a number of wireless access points, but efforts are
underway to standardize on the Cisco 1200 model.
• Deploy and test wireless gateway system. This system has been procured and is in the
process of being deployed and tested.
• Develop processes and tools to permit department network administrators to populate the
Radius servers with lists of users authorized to access departmental VLANs via wireless
connections.

The proposed architecture and services will meet the requirements for expanded wireless access
at UC Davis and will provide a manageable, flexible and secure service offering to the campus.

Additional Information on Authentication via 802.1x

The use of 802.1x with Dynamic WEP session keys will assure privacy and security for the
campus wireless network and its users. Because 802.1x is a new protocol, older and less popular
operating systems do not yet have built-in software clients. To mitigate this issue, the proposed
architecture recommends this new authentication technology, augmented by web-based
authentication, to meet the needs of various clients and user groups.

In principle, this is how wireless access will work following the 802.1x implementation:

802.1x will remove the need for the use of registered MAC addresses for access to an IP address
via DHCP. 802.1x requires the client to authenticate prior to the allocation of an IP and therefore
makes MAC address registration moot. As better wireless encryption methods are introduced,
they will be implemented via the 802.1x framework. Today’s existing system does not encrypt the
RF portion of a client wireless session. The only place encryption takes place is during the passing
of the Kerberos password. By choosing to use 802.1x, the campus can be confident of a solid
migration path as better encryption methods are developed in the future. All new UCDNet2
Foundry switches support this protocol, and it is built into the 802.11i overall encryption standard.

• The Client Interface: Using the 802.1x client will trigger a client interface to pop up on
the client’s screen upon the activation of an 802.11 wireless NIC within range of a
campus wireless access point. The interface will be similar to the Kerberos password
“username/password” GUI, and will be created via an encrypted RF link to the access
point for authentication to take place.

• Access: The proposed wireless solution, utilizing the 802.1x authentication scheme and
“smart” access points, provides a distributed gateway architecture that does not require a
single management gateway “box”. Using the campus RADIUS (software will be
upgraded to support new encryption algorithms), Kerberos, and an MS password-store
server system, the proposed authentication will provide a campus-wide solution that may
serve as a model for future distributed authentication systems on campus. (See Exhibits 1C
and 1D.)

• Firewall: The proposed wireless solution, utilizing 802.1x authorization/authentication,
provides a distributed firewall architecture and does not require a centralized firewall
solution. (See Exhibit 1B.)

• Guest Access: The recommended wireless network configuration utilizing 802.1x does
not create an easy path for the single guest, conference visitor or group, as 802.1x is still
new and not commonly used by everyone. With the significant roll-out of wireless
services recommended in this paper, the demand for guest access will only increase. The
proposed system will update the existing wireless web-based access, creating a new
web-based guest/visitor gateway for those authorized to access it, operating on a distinct
SSID without MAC address filtering, that will double as a backup access system for campus
users who may have problems during the transition to 802.1x. See Exhibit 1B for a
detailed description of the gateway authentication process.

The current guest access process, managed by IET, is cumbersome and undocumented by
design, doubling as a security control measure. Network administrators have expressed a
need for a better process. Wireless access has created a higher demand for guest network
services that requires a streamlining of current guest access procedures. This project will
include the development and deployment of a web-based wireless guest access
authorization system that will maintain department accountability and at the same time
provide a streamlined approach to guest authorization. This system will provide the
following:

o A single web site accessible only to authorized department representatives
(similar to the TIF IP page)
o Information and policy guidelines for guest access along with appropriate IET
contacts for more information.
o A web-based form that will require the authorized departmental representative
to submit a request for guest access for any individual as long as they provide
the guest’s name, affiliation, phone number, email address, MAC address, and
length of stay.
o The web form will offer a limited selection of guest permits to the wireless network
spanning 7 to 90 days (up to a quarter).
o Once completed by the Network Representative, the system will generate a
Kerberos username and password and email it to the departmental
representative with additional wording explaining the department’s
accountability for the use of this guest account and basic information on how to
access the guest wireless network.

The new website will route large conference groups (50 or more) to the appropriate
section to register a large group for wireless access. Large group wireless access will be
managed on the wireless system in the following way:

o The request will be coordinated with the Campus Events and Visitor Services
(CEVS). CEVS will screen the conference clients for their need for wireless
access.
o The CEVS representative will access the web based system and request a group
authorization with CEVS as the sponsor or the co-sponsoring campus
department.
o The site will require the conference sponsor to complete information regarding
who they are, and give an organizational name, address, phone number, length
of stay, and local contact.
o This information will be emailed to IET for review and approval. Large group
access will not be automatically approved.

A group Kerberos username and password will be issued to the CEVS representative to
share with the conference participants. General network information and security
documentation will accompany the username and password information.

The following Exhibits outline the four authentication methods:

• Exhibit 1A—Existing Wireless Authentication. For comparison purposes, our current
authentication system is shown as a baseline. It will become obsolete once this proposal
has been implemented.
• Exhibit 1B—Wireless Gateway Authentication. For campus and guest clients using
Kerberos Password and Web Page Redirection.
• Exhibit 1C—New Wireless Authentication 802.1x for non-Microsoft clients, as third-party
clients for other operating systems such as Mac and Linux are readily available.
• Exhibit 1D—New Wireless Authentication 802.1x for Microsoft clients, as 802.1x is
already built into Windows XP and Windows 2000.

EXHIBIT 1A

Existing Wireless Authentication

For all clients

The current wireless authentication system uses the campus distributed authorization system
(DistAuth) on the Secureweb server and Kerberos passwords on the KDC server. All clients must
register the MAC address of their wireless NIC before they can authenticate on the network.

The process is as follows:

1. User inserts their wireless network interface card (NIC) into their computer and activates it
in an area served by a campus access point (AP).
2. The AP detects the RF and immediately bridges the connection over an unencrypted link to
the Cisco PIX firewall in the NOC.
3. The PIX firewall has been configured to allow network access for the following servers:
a. Secureweb (DistAuth)
b. WLS (wireless.ucdavis.edu)
c. DHCP
4. The PIX firewall allows the DHCP server to assign an IP address to all client machines
with registered MAC addresses.
5. Though the user has an IP address he cannot go anywhere except
http://wireless.ucdavis.edu.
6. The user opens his browser and types in http://wireless.ucdavis.edu.
7. The user clicks on CONNECT TO WIRELESS NETWORK.
8. When the user clicks on LOG ON HERE, he is redirected through an encrypted secure
socket layer link (SSL) to the https://secure.web server.
9. The Secureweb Server over an encrypted connection prompts the user for a Kerberos
username and password.
10. The user types in his username and password which is passed to the SECUREWEB server
and forwarded to the Kerberos server (KDC) for authentication.
11. If the username and password are correct, the KDC authenticates the user and passes this
through the Secureweb server back to the user with a special webpage redirect that tells the
user they have successfully authenticated.
12. Upon successful authentication, the PIX firewall opens network access for the IP assigned
in step 4.

EXHIBIT 1A

Existing Wireless Authentication

[Figure: network diagram. Components shown: DHCP Server, UCDNET, SecureWeb Server, PIX Firewall, Kerberos Server, WLS Web Server, Mothra Server (labelled "Populate Kerberos Password"), and a Cisco Aironet 1200 wireless access point.]
EXHIBIT 1B

Wireless Gateway Authentication

Using Kerberos Password and Web Page Redirection for all clients & guests

1. User inserts a wireless network interface card (NIC) into his computer and activates it in an
area served by a campus access point (AP).
2. The AP sees the RF and immediately bridges the connection over an unencrypted link to a
wireless gateway or firewall in the NOC.
3. The firewall has been configured to allow network access for the following servers:
a. Secureweb (DistAuth)
b. WLS (wireless.ucdavis.edu)
c. DHCP
4. The firewall allows the DHCP server to assign an IP address to the client machine from the
Wireless VLAN, as long as the machine has a registered MAC address.
5. The unauthenticated user opens his browser and the wireless gateway directs the browser
to http://wireless.ucdavis.edu.
6. The user clicks on CONNECT TO WIRELESS NETWORK.
7. When the user clicks on LOG ON HERE, he is redirected through an encrypted secure
socket layer link (SSL) to the https://secure.web server.
8. The Secureweb Server over an encrypted connection prompts the user for a Kerberos
username and password.
9. The user types in his username and password which is passed to the SECUREWEB server
and forwarded to the Kerberos server (KDC) for authentication.
10. If the username and password are correct, the KDC authenticates the user and passes this
through the Secureweb server back to the user with a special webpage redirect that tells the
user they have successfully authenticated.
11. Upon successful authentication, the PIX firewall opens network access for the IP assigned
in step 4.

EXHIBIT 1B

Wireless Gateway Authentication

[Figure: network diagram. Components shown: DHCP Server, UCDNET, SecureWeb Server, Gateway w/ Web Page Redirection, Kerberos Server, WLS Web Server, Mothra Server (labelled "Populate Kerberos Password"), and a Cisco Aironet 1200 wireless access point.]
EXHIBIT 1C

New Wireless Authentication 802.1x

Non-Microsoft Clients

In this scenario the AP is an active part of the authentication process and not simply a bridge
to other authenticating systems. The AP acts as a Radius client in actively authenticating the
user on the network and the user’s password is never sent over the network.

EAP-TLS (Non-MS Client - Macintosh, Linux, ….)

1. The user configures his/her wireless 802.1x client for Extensible Authentication
Protocol/Transport Layer Security (EAP/TLS) and Password Authentication Protocol
(PAP).
2. When the user activates his/her wireless network interface card (NIC) in an area served
by a campus wireless AP, it detects the AP with 802.1x and immediately uses TLS
encryption to set up a secure connection.
3. The software client prompts the user to type in his/her username and password and
forwards it to the AP.
4. The AP passes the username/password from the client over an encrypted connection to
the Radius Server.
5. The Radius server decrypts the username/password from the client and uses it as a
proxy for Kerberos Authentication (KDC).
6. Radius forwards an authentication approval to the client through the AP.
7. The AP bridges network traffic to the client and opens a network port for user network
access.
8. Once the port is open for traffic, a DHCP request assigns a wireless LAN IP address to
the user’s machine.
9. Upon being fully authenticated on UCDNet, the client sets up a Dynamic WEP Key
encrypted session between the client and the AP based on standard key exchange
settings set by NOC.
10. The user is now on a fully encrypted private and secure connection.

EXHIBIT 1C

Wireless 802.1x Authentication - Non-MS Clients

[Figure: network diagram. Components shown: Client, Cisco Aironet 1200 wireless access point (802.1x), Radius tunnel, Radius server, Kerberos KDC (Kerberos authentication), Mothra Server (labelled "Populate Kerberos Password"), IWLS Permit authorization table, UCDNET. Client method labelled EAP-TTLS (PAP).]
EXHIBIT 1D

New Wireless Authentication 802.1x

Microsoft Clients

In this scenario the AP is an active part of the authentication process and not simply a bridge
to other authenticating systems. The AP acts as a Radius client in actively authenticating the
user on the network and the user’s password is never sent over the network.

PEAP security protocol for Microsoft Operating Systems

1. The user configures his client for 802.1x using Protected Extensible Authentication
Protocol (PEAP).
2. PEAP uses the Microsoft-developed Challenge Handshake Authentication Protocol version 2
(MS-CHAPv2).
3. Upon activation of a wireless NIC within his computer in an area of the campus served by
a campus wireless AP, the computer’s 802.1x client sets up an encrypted communication
link to the AP using Transport Layer Security (TLS).
4. The client prompts the user for a username/password but only passes the username to the
AP which then forwards it to the Radius Server. The password is held at the client which
creates a hash of the password (or an algorithmic representation of the password).
5. The Radius server upon recognizing the username, sends a password challenge to the
client.
6. The client uses the password hash to decrypt the challenge from Radius and sends a
response using CHAPv2.
7. If the response from the client is valid, Radius authenticates the user through the AP.
8. The AP seeing an authenticated response from Radius opens the port for the user to gain
access to UCDNet.
9. Once the port is open for traffic, a DHCP request assigns a wireless LAN IP address to the
client machine.
10. Upon being fully authenticated on UCDNet, the client sets up a Dynamic WEP Key
encrypted session between the client and the AP based on standard key exchange settings
set by NOC.
11. The user is now on a fully encrypted private and secure connection.

Diagram, Wireless 802.1x Authentication - MS Clients (labels only): Client - 802.1x - Wireless Access Point (Cisco Aironet 1200) - Radius Tunnel - UCDNET Radius Server, with PEAP (MS-CHAP) carried between client and Radius server; Mothra Server - Populate MS-Password Hash - MS-Password Hash Store and MS Password Authorization Table at the Radius Server; IWLS Permit.
Attachment 3

ACTION #3: Adopting a sustainable future direction for wireless deployment

It is premature to assume that wireless LANs will remove the need for wired LAN
connections and it is unlikely that any such replacement would occur within the next five
years. Wireless LANs currently use shared bandwidth and so have lesser throughput than
wired connections. If wireless LANs are fast enough then this may not be an issue for
the majority of users. Much will depend on future applications, and what network speeds
and characteristics they will need. Another factor in wireless adoption rates is whether or
not individuals are willing to sacrifice network speed in exchange for the advantages of
mobility. Given the current ambiguity, it is important to preserve flexibility in any plans
for future wireless or wired network developments.

In order to build out the wireless infrastructure in the necessary areas as quickly as possible, it is
important that responsibility for growth remain with departments. This growth must be
managed and adhere to specific standards. IET strongly encourages departments to adopt
the following standard with respect to access points:

Access Points must support 802.11b/g and 802.11a, the power-over-Ethernet standard
802.3af [REQUIRES DISCUSSION WITH JOHN BRUNO ON IMPLICATIONS
OF DEPARTMENT OWNED ACCESS POINTS PLACING POWER DEMANDS
IN TELECOMM CLOSETS – THIS WAS NOT AS MUCH AN ISSUE WHEN IET
WAS OWNING THE ACCESS POINTS], and 802.1x authentication scheme with
dynamic WEP session keys for privacy and increased security. The access point must be
a “smart” access point, which is able to manage itself without the need of another edge
device, such as a special management switch. It must have the capability to handle
multiple SSIDs, tagging transmissions to different VLANs by SSID. It must have the
capability of handling special external antennas to boost the signal if required by the
design. It must be able to be put in promiscuous mode via a management program, to
detect rogue access points not registered on the network. Lastly, it must be supported and
upgradeable by the manufacturer for the next 3 years.

IET, through Communications Resources, will continue to provide consulting support in
specifying access points, developing installation estimates, and installing access points as
requested. IET will also advertise the availability of a new on-line wireless registration
process so that departments may register their access points. This will help IET in
managing potential frequency interference problems and also assist with quantifying the
campus-wide wireless assets.

IET will continue with its information and education campaign regarding wireless
services. Most recently, the campus sign committee designed “Wireless Here” signs so
campus constituents can quickly and easily identify wireless “hot spots.” The signs direct
users to the wireless.ucdavis.edu Web site, where they can receive more information on
how to authenticate and connect to the campus wireless system. There are also flyers
available in various wireless locations on campus (currently the MU and the libraries)
that give users clear instructions on using the system. All of this information will be
updated with instructions on using 802.1x, as this is a new technology, and it requires
some knowledge to use it correctly.

IET will revise its telecommunications standards for new buildings to include the wiring
infrastructure to support the installation of departmental access points in convenient
locations and in sufficient quantities to provide complete in-building coverage.
[DISCUSS WITH JOHN IF HE WANTS TO PROPOSE CAPITAL PROJECT
FUNDING FOR THE ACCESS POINTS] This will reduce the costs that departments
must bear to install access points.

IET will include the expenses associated with the operation and maintenance of the
wireless infrastructure in its 2005-06 rate proposal. Having the expenses associated with
authentication and security embedded within the existing services removes the barrier for
departments to utilize centralized services and encourages greater campus network
security.

IET will address wireless development within the context of the campus
telecommunications master planning effort. It is entirely possible that the wireless
network will need to evolve over time into a completely centrally provisioned service,
just as Network 21 integrated hundreds of disparate local area networks into a single,
cohesive campus area network. Demands for closer functional integration with the wired
network and the convergence of wireless voice and data services are likely drivers for a
central wireless network. The telecommunications master planning effort should inform
discussions on the feasibility and potential timeframe for such a transition, should it
occur.

Planning the future is always difficult. Planning a wireless network with changing
standards and venture capital funded untested vendors is risky business. However, the
campus wireless deployment plan outlined in this paper provides a cost effective, secure
deployment using the latest standards-based wireless authentication protocols and
prepares the campus for the future.
