
Wireless Access Topology

A wireless access point (AP), such as the Cisco Aironet series, provides a bridged connection for mobile end-user clients into the LAN. Authentication is absolutely necessary, due to the ease of access to the AP. Encryption is also necessary because of the ease of eavesdropping on communications. Scaling can be a serious issue in the wireless network. The mobility factor of the WLAN requires considerations similar to those given to the dial-up network. Unlike the wired LAN, however, you can more readily expand the WLAN. Though WLAN technology does have physical limits as to the number of users who can connect via an AP, the number of APs can grow quickly. As with the dial-up network, you can structure your WLAN to allow full access for all users, or provide restricted access to different subnets among sites, buildings, floors, or rooms. This capability raises a unique issue with the WLAN: the ability of a user to roam among APs.

Simple WLAN

A single AP might be installed in a simple WLAN (Figure 2-4). Because only one AP is present, the primary issue is security. An environment such as this generally contains a small user base and few network devices. Providing AAA services to the other devices on the network does not cause any significant additional load on the ACS.

Figure 2-4 Simple WLAN

Campus WLAN

In a WLAN where a number of APs are deployed, as in a large building or a campus environment, your decisions on how to deploy ACS become more complex. Depending on the processing needs of the installation, all of the APs might be on the same LAN. Figure 2-5 shows all APs on the same LAN; however, the APs might also be distributed throughout the LAN, and connected via routers, switches, and so on.

Figure 2-5 Campus WLAN

Placement of the RADIUS Server

From a practical standpoint, the RADIUS server should be inside the general network, preferably within a secure subnet designated for servers, such as DHCP, Domain Name System (DNS), and so on. You should avoid requiring RADIUS requests to travel over WAN connections because of possible network delays and loss of connectivity. Due to various reasons, this type of configuration is not always possible; for example, with small remote subnets that require authentication support from the enterprise. You must also consider backup authentication. You may use a system that is dedicated as the RADIUS secondary. Or, you may have two synchronized systems that each support a different network segment but provide mutual backup if one fails. Refer to the documentation for your RADIUS server for information on database replication and the use of external databases.

Number of Users

In all topologies, the number of users is an important consideration. For example, assuming that an ACS can support 21,000 users, if a wireless access point can support 10 users, then a given ACS could support 2,100 wireless access points in a WLAN environment. The size of the LAN or WLAN is determined by the number of users who use the LAN or WLAN:

Size                      Users
small LAN                 1 to 3,000
medium-sized LAN          3,000 to 25,000
large LAN                 25,000 to 50,000
very large LAN or WLAN    over 50,000

A total of 589 access points were installed at a cost of almost 350,000 including VAT. The project took 6 months to complete. The cost breakdown is as follows:

589 x Wireless Access Points        120,000
WISM for 6500s                       57,000
480 x Power Injectors                 8,000
52 x 3560 Switches                   66,000
Access Point Location Software       12,000
Consultancy                          32,000
Sub Total                           295,000
VAT                                  51,625
TOTAL                               346,625

4 Usage

The greatest usage currently is access from laptops and wireless-enabled mobile telephones. During working hours there are 700 devices connected on average.

Laptop configuration uses a facility introduced with Windows XP which autoconfigures wireless connections, and is automatic for laptops that are running Windows Vista or Windows 7. Although the Windows XP version did not work very well, it appears to be reliable on Windows Vista and Windows 7. It is also available for other Windows operating systems such as Windows Server 2008. Further details can be found at: http://technet.microsoft.com/enus/library/cc730957.aspx.

Configuration information is published for people who still run Windows XP on their laptops. No information is provided for other operating systems such as Linux or Mac OS X but users of these operating systems can use the information published for Windows XP to configure their devices.

The Windows XP information takes the form of a step-by-step guide to connecting to the secure wireless network (PHOENIX-NET-SECURE). The main configuration settings are:

Set Network Authentication to WPA
Set Data Encryption to AES
Set EAP Type to Protected EAP (PEAP)
Untick the Validate server certificate option
Set Select Authentication Method to Secured password (EAP-MSCHAP v2)
Tick Secured password (EAP-MSCHAP v2)
Tick Automatically use my Windows logon name and password (and domain if any)

After making these changes the laptop will automatically connect to the secure wireless network with the user's credentials and the default login script will run. However, on some laptops running Windows XP the login script fails. This seems to be due to incompatibilities with some network cards and drivers. A manual workaround (running GPUPDATE /FORCE) is provided in the Windows XP instructions and seems to correct the problem.

Users connecting to the Guest Network using a laptop are told that information sent across the network may not be secure and are then presented with a login window as shown below.

Similarly, someone connecting to the wireless network using an iPhone will be presented with a login window similar to that shown below. A similar window will also appear on a Windows Mobile or an Android phone but will not work on Nokia devices.

Once connected, users can access the Internet and any services that would be accessible from an Internet connected PC.

All staff and students can connect to the secure wireless network if they prefer. The University publishes configuration settings for this network but modern operating systems such as Windows 7 can connect automatically. Credentials are asked for on the initial connection to the secure network and, if valid, are cached for future use on operating systems that support that feature. The login procedure follows the standard login process for Microsoft Windows. This is to make it easier for users and is equally easy on Macs.

The standard Connect to Wireless Network window (as shown below for Windows 7) is displayed and users select PHOENIX-NET-SECURE.

The login window (as shown below) is then displayed. As can be seen, no modifications have been made to the standard enterprise login window.

If the device is a Windows device configured with a local username and password that are the same as the user's University username and password, then these credentials will be used and no prompt will be issued.

No pre-shared keys of any kind are used. This is to make the process more familiar to users and more secure.

Users can print from their wireless connected laptops but the method (which is described in Appendix 2) is not ideal. It is expected that a soon-to-be-deployed printer accounting system will resolve this. Currently, staff and students need to create an account on their laptop with the same username as they use on the University workstations. They then print using that account and can release it at the printers using their University username. This facility is not available to guests at the moment as they do not have University accounts.

When a member of staff has a visitor, they can request a guest account for the wireless service. This is not required for academic visitors who can use eduroam but is useful for other types of visitor. The request is made using the Service Desk software used to report faults and request changes. Service Desk staff use the Cisco Guest Server to provide short term access to visitors and other guests of the University. The Guest Server is a RADIUS server with a GUI front end enabling service desk staff to create accounts on request with minimal effort.

Accounts can be created by Service Desk staff up to 7 days in advance and last for between 1 and 7 days before they expire. However, an account can be extended for a further 5 days if necessary. These limits are for the University Service Desk staff only and the Network Team can create accounts with any lifespan they choose. Once an account has expired it is removed from the system automatically.
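The guest-account lifetime rules above, written out as an added Python model so the Service Desk limits, the Network Team exception and the automatic removal can be checked against concrete dates. This is not the Cisco Guest Server's own code or API; the account names and dates are constructed, and the 5-day extension is assumed to be granted once.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed model of the guest-account lifetimes described above; not the
# Cisco Guest Server's own API or data model, and all names are assumed.
MAX_ADVANCE_DAYS = 7    # Service Desk may create accounts up to 7 days ahead
MIN_LIFETIME_DAYS = 1
MAX_LIFETIME_DAYS = 7
EXTENSION_DAYS = 5      # one further extension (assumed to be granted once)

class PolicyError(ValueError):
    """Raised when a request falls outside the Service Desk limits."""

@dataclass
class GuestAccount:
    username: str
    start: date
    expires: date          # first day on which the account is no longer valid
    extended: bool = False

def _as_date(d):  # accept a date or an ISO string such as '2011-03-01'
    return date.fromisoformat(d) if isinstance(d, str) else d

def create_account(username, start, lifetime_days, today, network_team=False):
    """Create a guest account. Service Desk requests must respect the advance
    and lifetime limits; the Network Team may choose any lifespan."""
    start, today = _as_date(start), _as_date(today)
    if not network_team:
        if (start - today).days > MAX_ADVANCE_DAYS:
            raise PolicyError("accounts may be created at most 7 days in advance")
        if not MIN_LIFETIME_DAYS <= lifetime_days <= MAX_LIFETIME_DAYS:
            raise PolicyError("lifetime must be between 1 and 7 days")
    elif lifetime_days < 1:
        raise PolicyError("lifetime must be at least 1 day")
    return GuestAccount(username, start, start + timedelta(days=lifetime_days))

def extend_account(acct, today):
    """Grant the single 5-day extension, only while the account is still live."""
    today = _as_date(today)
    if acct.extended:
        raise PolicyError("account has already been extended")
    if today >= acct.expires:
        raise PolicyError("expired accounts are removed and cannot be extended")
    acct.expires += timedelta(days=EXTENSION_DAYS)
    acct.extended = True
    return acct

def purge_expired(accounts, today):
    """Mimic the automatic removal: keep only accounts still valid today."""
    today = _as_date(today)
    return [a for a in accounts if today < a.expires]
```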

As shown, it has a management and monitoring facility with the capability to report by user or by device. It is possible to create batches of guest users for seminars and group visits if required.

All the necessary information to enable staff, students and visitors to use the wireless network, including printing from wireless connected laptops and requesting guest accounts, is available in the University portal.
