Wireless LANs

A Case Study of

Baylor University’s

Wireless Network

Copyright Bob Hartland 2002 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Baylor University

14,221 Students

1,750 Full Time Employees

80 Buildings

Baylor Vision

Connecting People with Ideas

How are we using Wireless?

Roaming Network Access

Point-to-Point Connectivity

Point-to-Multipoint Connectivity

Wireless Applications

Library Loaner Laptops

EBIC

MBA and EMBA

ResNet access for dorms that are difficult to wire

Mobil network access

Connecting small remote facilities to LAN

Unique Users Over Past Year

Wireless Network Growth

Currently 60 access points installed

Projected to have 210 installed access points by Fall 2002

Current Wireless Coverage

Projected Wireless Coverage

Access Point Installation

Site Survey

2 lines to every location

Power supplied over ethernet cable

Configure AP with proper channel separation

Document – location, coverage area, channel

Wireless Troubleshooting Tools

Access Point management tools

Wireless sniffers

Spectrum analyzers

Documentation

Wireless Test Stations

Security

Who ?

What ?

Where ?

When ?

Wireless Usage Policies

Wireless falls under Computer Usage Policy

Baylor Air-Space Policy for 2.4GHz spectrum

Wireless Network Practices

Firewall blocks connection attempts from the Internet to Wireless hosts

Firewall requires user authentication before allowing access to campus LAN and Internet

Centralized logging server for authentication information

Wireless Authentication -Current Design

Client application

NetAuth

DHCP server

Firewall

RADIUS server

LDAP

Centralized logging

Problems with Current Design

Password is passed in clear text

Maintaining client application for wide range of Operating Systems (Palm Os, Linux, Windows CE…)

Limitations in customizing the firewall’s authentication mechanisms

Modular Design creates configuration issues and multiple points of failure

Needs:

Replace DHCP server, firewall, and client with one device – Wireless Firewall Gateway (WFG)

Took a solution described by a NASA white paper then expanded and customized.

http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html

DHCP service

Secure Web Site

Firewall

Router

Wireless Authentication – Proposed Design

WFG Log On

The WFG solution addresses the following issues:

Clear text password

Holes in existing solution if a client uses a static IP and/or a falsified MAC address

No client application to maintain – only requirement is a secure web browser

Less expensive to maintain hardware/software

Highly customizable

Contributors:

Bob Hartland

Director for IT Servers and Network Services

Baylor University

Bob_Hartland@Baylor.edu

254-710-2711

Scott Day

Scott_Day@Baylor.edu

• Cori Rhodes

Cori_Rhodes@Baylor.edu

• Jon Allen

Jon_Allen@Baylor.edu

Speaker: Technical:

Questions?

Support Issues

Wide variety of platforms

Non-standard personal machines and cards

Maintaining 200+ access points

Troubleshooting a mobile device

Wireless become default for accessing resources

Air-Space Policy Key Points:

Describe what the policy covers (include reference to FCC documentation) We are concerned with the 2.4GHz range used by 802.11b

Explain why policy is needed

Only way to help guarantee a reliable wireless network.

State that Baylor will conduct regular scans for interference

Prevents redistribution of Baylor’s network

List sanctions or consequences

Students dealt with through the student policies

Work with faculty/staff to eliminate interference

Wireless Test Stations

Guarantee one functional access point

Troubleshooting steps for user to walk through

Near a phone for phone support if necessary

Who Can Access Baylor LAN?

Wireless network name

User Authentication

What Info is Accessible over WLAN?

Username and password

Assume all other WLAN traffic is unsecure

WFG Design Map

Example Coverage Map

Organizational Chart

D ata N etw ork Telephone Broadband V ideo IT Servers

Bob H artlandD ire c to r o f IT S e rve rs a n d N e tw ork in g S e rv ices

D r. R eagan R am sow erC IO

M r. D avid B rooksC F O

D r. R obert S loanP re sid e n t

Design Map

Current NetAuth Application