Introduction
Trinity guest network project objective
College wireless network overview
Public wireless/hospitality internet access
Guest network access challenges
Guest access solution
IP3 NetAccess subscriber gateway
Outcomes and future developments
Trinity Guest Network Project
Objective: To facilitate the connection of short stay authorized Guests to the College data wireless (mandatory) and wired (desirable) network.
Examples of authorised Guests:
– Conference delegates
– Visiting academics and Library readers
– VIPs, sales representatives, contractors
– Summer accommodation visitors
College wireless network overview
Size and locations
– 750 users last academic year
– Approx 145 APs in 50 locations, main Campus, St James, Dartry, D’Olier Street, Foster Place/College Green complex
College wireless network overview (cont)
Enterprise class based on Cisco Structured Wireless Aware Network (SWAN).
Secure
– 802.1X/EAP authentication via Radius/AD
– Dynamic 128bit encryption
– MAC address registration
– VLAN’ed
Clients
– 802.1X compatible
– College AD domain, OS patches, AV, high support
Internet connectivity limited, LAN based services available
Public wireless hotspots/Hospitality Guest Internet access
Low security
Any wireless client adapter will connect
Little wireless client configuration to connect
Full or almost full internet access
Connection established using a prepaid access code or credit card via a web based login portal
Connectivity and session management is usually controlled by a wireless gateway device providing a reliable controlled connection
Guest network access challenge
To provide a reliable network service to guests with the following characteristics:
– Low client configuration
– Access code/portal authentication
– Compatibility for most hardware and software types
– Low user support requirements
– Feature rich in terms of internet availability
Benefit from existing extensive infrastructure
Protect College’s other data networks and reputation from intentional/unintentional misuse of guest network
Guest access solution
Provide public wireless hotspot/hospitality type connectivity features using the existing campus network infrastructure
This is achieved by “overlaying” a Guest enabled network on the existing campus network using VLAN technology and an internet gateway device
A number of internet gateway devices were evaluated
Devices evaluated:
– Bluesocket WG5000 wireless gateway (August 2004). www.bluesocket.com
– Cisco Building Broadband Services Manager (BBSM) ver 5.3 (May 2005). www.cisco.com
– IP3 NetAccess NA1500 internet gateway (July 2005). www.ip3networks.com
Primary evaluation criteria:
– VLAN based guest client discovery*.
– Ability to generate its own access codes to facilitate Guest authentication*.
– Session and bandwidth control, logging and accounting.
– Ease of integration with existing campus network infrastructure, must support min. 1000+ users.
– Customisable login portals, DHCP (NAT/PAT), SMTP, support for RADIUS authentication.
Evaluation Outcome:
Feature                                 Bluesocket WG5000   Cisco BBSM 5.3   IP3 NetAccess NA1500
VLAN based client discovery*            YES                 NO               YES
Ability to generate own access codes*   NO                  YES              YES
All other features                      YES                 YES              YES
Guest overlay architecture
[Diagram labels: Internet; Firewall; IP3; IDS appliance; Enterprise Network; Wired Guest (VLAN 14); Wireless Guest (VLAN 14), Authentication: OPEN; Wired Staff/Student etc; Wireless Staff/Student, Authentication: 802.1X/EAP]
IP3 NetAccess subscriber gateway
Access Control, Billing, and Subscriber Management Solution
Flash-based Network Appliance
802.1Q VLAN support.
Internal Access Code Generation & Authentication
Custom Login Portals.
Integrated DHCP, Firewall, & Web Servers
RADIUS AAA support
Supports VPN Pass-Through.
IP3 NetAccess manages Guest Internet Connections
1. Guest connects to wired/wireless network (SSID: TCDguest)
2. Guest client obtains DHCP assigned private IP address, opens Web browser, IP3 redirects to custom login screen.
3. Guest enters guest access code
4. IP3 provides authentication & accounting
5. IP3 manages bandwidth, access code duration.
[Diagram labels: IP3 NetAccess; Internet, E-mail, VPN, etc.]
Portal groups:
Combination of the following:
– Assigned (Guest) VLAN
– Assigned (customised) login portal
– Payment method (access code)
– Product (eg 512K bandwidth)
[Slides shown without transcribed text: Portal Groups; Portal Groups – VLANs; Portal Groups – Login portal; Portal Groups – Payment methods; Portal Groups – Products]
Access codes - overview:
Created using access code generator.
Codes may be valid between a fixed start/end date or allow a one-off session from time of activation.
The generated access codes can be exported from the IP3 appliance in .CSV format.
The exported codes are then merged with a customised TCD access code token template before printing.
Codes are printed from a standard LaserJet colour printer using Avery business card labels.
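The two validity modes and the CSV export described above, modelled in Python as an added example; this is not IP3 NetAccess code and is not part of the original slides. The field names, the code length and alphabet, and the CSV column layout are assumptions made for illustration.

```python
import csv
import io
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed alphabet: no 0/O or 1/I/L, so printed tokens are easy to type.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"

@dataclass
class AccessCode:
    code: str
    start: Optional[datetime] = None       # fixed start/end mode
    end: Optional[datetime] = None
    duration: Optional[timedelta] = None   # one-off session mode
    activated: Optional[datetime] = None   # set at first successful login

def generate(n, length=10, **validity):
    """Create n unique codes from the OS CSPRNG, all with the same validity."""
    codes = {}
    while len(codes) < n:
        c = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.setdefault(c, AccessCode(c, **validity))
    return list(codes.values())

def authorise(ac, now):
    """Return True if a session using this code may run at time `now`."""
    if ac.duration is not None:            # one-off session from activation
        if ac.activated is None:
            ac.activated = now             # first login starts the clock
        return now < ac.activated + ac.duration
    # Fixed window; a code with no validity set at all is denied.
    return ac.start is not None and ac.end is not None and ac.start <= now < ac.end

def export_csv(codes):
    """Serialise codes for merging into a printed token template."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["code", "start", "end", "duration_minutes"])
    for ac in codes:
        w.writerow([ac.code,
                    ac.start.isoformat() if ac.start else "",
                    ac.end.isoformat() if ac.end else "",
                    int(ac.duration.total_seconds() // 60) if ac.duration else ""])
    return buf.getvalue()

if __name__ == "__main__":
    batch = generate(3, duration=timedelta(hours=4))   # constructed sample batch
    print(export_csv(batch), end="")
```

The exported file holds live credentials until the codes expire, so it needs the same handling as the printed tokens.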
[Slides shown without transcribed text: Access codes – generation; Access codes – tokens]
Outcomes
Over 500 guest users have been facilitated since the system was rolled out in August 2005
– First trial end July, Maths Lattice conference (55)
– Production end Aug, Eurographics 2005 (>200)
– Sept., BA conference (BA press users fallback)
– Sept., EDNO, Maths, Nursing Studies
– many individual requests
Outcomes (cont)
I wanted to say that the wireless access in the printing house worked flawlessly yesterday. Our international evaluation panel and the SFI and IDA minders plugged in, retrieved their e-mail and I think this helped enormously in getting across an image of a professional organization with its act together.
One of the panellists from a University in the South of England commented that he'd never be able to get this kind of service in his home University!
So the day was a big success from our point of view. Thanks again,
Future Developments
There has been much interest from the College community in this new service; strong demand is anticipated during 05/06 academic year
Automate process of distributing access codes
Using other authentication methods and additional VLANs to provide:
– Quarantine/basic services network
– PDA and handhelds
– Facilitate Eduroam visitors