
CAEN Wireless Network
College of Engineering
University of Michigan
October 16, 2003
Dan Maletta
CAEN Wireless Design Goals
• Make system interoperable
– Support for multiple platforms: Linux (Intel),
Windows, MacOS. PDAs?
– If you have any wireless network card, it will work!!
• Provide seamless wireless coverage
• Provide an authentication mechanism for the entire
University community that doesn’t require
registration of the NIC
• Provide a secure mechanism for transporting
data within wireless network
CAEN Wireless Design Goals
(cont.)
• Provide an easy-to-use procedure for the University
community
• Make system scalable
• Provide separate solutions for conference
rooms that allow for easy and fast
network access
• Treat wireless and security separately.
CAEN Wireless Network System
• Supports the above goals
• Coverage now in 11 Buildings (~100APs)
• Authentication and data security provided by a Virtual
Private Network (VPN)
• System currently supports up to 50Mb/s of sustained
throughput and 1500 simultaneous users.
• Users can get access to wireless for the first time 24 hours a day.
• Conference room setup being tested in LEC
• Supports TCP/IP only. No IPX or AppleTalk
Overview of Authentication and Security Setup
• VPN server provides authentication and data security
services
– Server acts as a gateway to “wired” network
– Users install an IPSec client (software) to access VPN
server
– Users then authenticate to VPN server with Kerberos ID
– Data from client machine to server is encrypted (3DES)
• IPSec VPN is different from the Windows and MacOS
built-in PPTP VPN client.
– Exploring options for how to allow those clients
Wireless system (Diagram)
[Diagram: Wireless Access Point, Wireless Network (10.213.120.x), VPN Server, Auth. Servers, Web Server, Border Router, UofM Network, Internet]
User Associates with Network
[Diagram: client associates with SSID "CAEN Wireless" ("You are now associated with network CAEN Wireless"); Wireless Access Point, Wireless Network (10.213.120.x), VPN Server, Auth. Servers, Web Server, Border Router, UofM Network, Internet]
User Gets an IP Address from Server
[Diagram: client receives IP address 10.213.120.52 from the Web/IP Server on the Wireless Network (10.213.120.x); VPN Server, Auth. Servers, Border Router, UofM Network, Internet]
User Tries to open a Web Page
• User is re-directed to Wireless Network
Web server
– CAEN web page tells user how to gain access to
wired network.
– CAEN web page contains software and instructions
for connecting and installing VPN client.
– After trying to use wireless, user installs software and
reboots computer.
– Wireless network is now available to user with VPN
software.
User Starts VPN Connection and Authenticates with Server
[Diagram: client with IP address 10.213.120.52 on the Wireless Network (10.213.120.x) connects to the VPN Server, which checks the login against the Auth. Servers; Web/IP Server, Border Router, UofM Network, Internet]
Tunnel is now Established and User can now communicate on Internet
[Diagram: client IP address 10.213.120.52, Tunnel Addr: 141.213.120.87; traffic from the Wireless Network (10.213.120.x) passes through the VPN Server and Border Router to the UofM Network and Internet; Auth. Servers, Web/IP Server]
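The access sequence on the preceding slides (associate, get a 10.213.120.x address, get redirected to the web server, authenticate to the VPN server, then communicate through the tunnel) amounts to a per-client policy at the gateway. The following added example, not part of the original presentation or of CAEN's own software, models that policy: before the IPSec tunnel is up a client can only reach the portal web server (HTTP redirect) and the VPN server; afterwards its traffic is forwarded under the tunnel address. The web-server and VPN-server addresses and the pre-authentication port list are assumptions.

```python
"""Model of the CAEN wireless gateway's per-client policy as described in
the slides. Server addresses below are assumed placeholders; the wireless
subnet and the sample client/tunnel addresses come from the slides."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple

WIRELESS_NET = IPv4Network("10.213.120.0/24")   # wireless network from the slides
PORTAL_WEB = IPv4Address("10.213.120.1")        # assumed: portal web server
VPN_SERVER = IPv4Address("10.213.120.2")        # assumed: IPSec VPN gateway
IKE_UDP_PORT = 500                              # IKE negotiation (RFC 2409)
HTTP_PORT = 80                                  # only HTTP gets the redirect


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp", "udp" or "esp" (ESP carries no port)
    dport: int = 0


@dataclass
class Gateway:
    # wireless IP -> tunnel address issued by the VPN server after Kerberos auth
    tunnels: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)

    def vpn_auth_ok(self, client: IPv4Address, tunnel_addr: IPv4Address) -> None:
        """Record a successfully authenticated IPSec tunnel for a client."""
        self.tunnels[client] = tunnel_addr

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, detail) for a packet arriving from the wireless side."""
        if pkt.src not in WIRELESS_NET:
            return ("drop", "source not on wireless network")
        if pkt.src in self.tunnels:
            # Authenticated: forwarded onto the UofM network as the tunnel address
            return ("forward", f"src rewritten to {self.tunnels[pkt.src]}")
        # Unauthenticated: least privilege, only what is needed to get connected
        if pkt.dst == VPN_SERVER and (
            pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == IKE_UDP_PORT)
        ):
            return ("allow", "IPSec to VPN server")
        if pkt.proto == "tcp" and pkt.dport == HTTP_PORT:
            return ("redirect", f"http://{PORTAL_WEB}/")
        return ("drop", "not authenticated")
```

Everything a client can do before the tunnel exists is visible in the two pre-authentication branches, which is what makes the "open SSID plus VPN" design auditable.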
Support
• The CAEN Hotline is answering questions as
users have them
• Web site has an FAQ where we list common
problems
• Hotline has laptops running all 3 OS flavors and
Wireless cards from 7 vendors!!!
• Access Points have identical configurations so low
overhead on configuration issues
• We have redundant servers to handle single
machine failures
What We’ve Seen So Far
• We’re averaging about 500 sessions per day
for the last two months. Our peak over that
time has been ~110 simultaneous
connections
• No complaints about lack of support for
MacOS 8 and 9.
• A real demand for PDA support
Wireless deployment costs
• Access Points $600.00
• Antennas: $100.00-200.00
• Cable to Access Points from Closets (2
cables): $250.00
• Conduit from cable tray to access point
location: $400.00-1500.00
Wireless build-out model for CoE
• CAEN/CoE is currently covering a number of
computing labs and public spaces
• CAEN/CoE is doing a limited departmental rollout
to cover some classrooms, conference rooms.
• Departments are responsible for purchasing
equipment to cover areas within their department.
• CAEN/CoE performs installation and supports
installed equipment.
What’s worked well
• Windows boxes with Cisco client work well
together
• VPN server is able to keep up and generate
good stats.
• Easy to add access points to the system
What hasn’t been great
• Handhelds
• Open BSD
• Wireless gateways
– Security vs. perceived ease of use
• Guest Access solutions
Guest Access
• Still working on a good guest access solution
• Come to Hotline (2320 Media Union)
– Must be accompanied by a person representing them. Must
provide contact information
– Expiration is set for one business week at start of every
week
– Instant access (5 minutes)
• If affiliated with the University, access will be
available at Reference desk on a weekly checkout
basis
Future Plans
• Continue deployment in buildings ~30-40 APs in
next 3 months
• Movian Client support for PDAs (Both Palm and
PocketPC)
– How are people licensing
• Conversion from 3DES encryption to AES
• Support for Native windows VPN protocols??
• 802.11g deployment
• WebVPN (SSL-based VPN)
• SSH pass-through to login machines
Discussion Items
• 802.1x
– Is anybody looking to use it?
– Microsoft’s announcement of proprietary replacement
• SSL-based VPNs
• 802.11a vs. 802.11g
• Wireless for home use
– Is anyone making recommendations to people?
– VPNs or secure access for broadband connections
Check out our wireless site
• http://www.engin.umich.edu/caen/network/wireless