Presentation is loading. Please wait.

Presentation is loading. Please wait.

Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon Dale Smith University of Oregon & NSRC.

Published byErnest Lane Modified over 9 years ago

Similar presentations

Presentation on theme: "Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon Dale Smith University of Oregon & NSRC."— Presentation transcript:

1 Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC dsmith@uoregon.edu

2 Wireless LAN Provide wireless network across your campus that has the following characteristics: –Authentication – only allow your users –Roaming – allow users to start up in one section of your network, then move to another location –Runs on your campus network

3 Border Router Core Router REN switch Firewall/ Traffic Shaper Core Servers Wireless Authentication Gateway

4 Network Access Control (NAC)‏

5 Enterprise Identity Management Processes and Documentation of users. –Now you must deal with this. –What to use as the back-end user store? LDAP Active Directory Kerberos Other? –Will this play nice with future use? email, student/staff information, resource access,...

6 Identity Management Cont. An example of such a project can be seen here: –http://ccadmin.uoregon.edu/idm/ This is a retrofit on to an already retrofitted system. Learn from others and try to avoid this situation if possible.

7 A Wireless Captive Portal

8 The Wireless Captive Portal Previous example was very simple. A Captive Portal is your chance to: –Explain your Acceptable Use Policies –Decide if you must authenticate, or –Allow users on your network and monitor for problems instead (alternate solution). –Anything else? Branding?

9 What's Happening? remember our initial network diagrams...? Do you think our hotel built their own solution? Probably not...

10 Commercial Solutions Aruba http://www.arubanetworks.com/ Bradford Networks –http://www.bradfordnetworks.com/ Cisco NAC Appliance (Clean Access)‏ –http://www.cisco.com/en/US/products/ps6128/ Cisco Wireless LAN Controllers –http://www.cisco.com/en/US/products/hw/wireless/ Enterasys http://www.enterasys.com/ Vernier http://www.verniernetworks.com

11 Open Source Solutions CoovaChilli (morphed from Chillispot)‏ –http://coova.org/wiki/index.php/CoovaChilli –Uses RADIUS for access and accounting. –CoovaAP openWRT-based firmware.

12 Open Source Solutions cont. m0n0wall –http://m0n0.ch/wall/ –Embedded firewall appliance solution built on FreeBSD. –Entire configuration is stored in an xml file. –Sample Captive Portal Configuration Screen: http://m0n0.ch/wall/images/screens/services_captiveportal.png –Supported on low-end PC hardware, such as Soekris and ALIX platforms.

13 A Home-grown Solution University of Oregon Captive Portal –NoCat for Captive Portal http://nocat.net/ –Access control mechanism: IP+Mac Address –IPTables+IPSets http://www.shorewall.net/ipsets.html IPSets are a high-speed matching module extension for IPTables.

14 A Home-grown Solution cont. Why this solution? –Partially historical and timing related. –Access control with IP+Mac Address allows for hashing on the IP address vs. a linear search on Mac addresses. At 4,000 addresses this became a problem. –Some sample IPTables+IPSets rules are available with the tutorial materials on-line.

15 Other Considerations Access Control Technology Possibilities –DHCP control ==> NetReg –MAC Address Filtering ==> Switches/Routers/Firewalls –IP Address Filtering ==> Routers/Firewalls –IP+Mac Address ==> software-based w/ IPTables+IPSets –Cookie ==> CAS, OpenID/LDAP –IP+Mac+Username(cookie) ==> some commercial solutions –Port VLAN Assigment

16 Terminology/Projects CAS –Central Authentication System –http://www.ja-sig.org/products/cas/ NetReg –Automated DHCP Registration System –http://netreg.sourceforge.net/ OpenID –Single digital identity across multiple networks –http://openid.net/

17 What to Do? Review the options presented here, both commercial and Open Source. Review the various projects associated to understand how this all ties together. Devise a plan for your user identities, their storage and the processes around them. For sites under 3-4,000 users you might consider CoovaChilli or m0n0wall.

18 How it Ties Together Wireless Captive Portals bring together a number of issues: –Network design (VLANs to direct traffic to a single point – the captive portal solution). –Longer-term user identity considerations. –Costs, such as commercial software, hardware, Open Source solutions or even your own solution. –AUPs, Acceptable Use Policies – you might need to decide what they are to present them to your users on your captive portal.

19 Resources Excellent Presentation on Network Access Control: –http://nsrc.org/workshops/2008/ait- wireless/kemp/network-security-nac-html.html Wireless Security Workshop at AIT: –http://nsrc.org/workshops/2008/ait-wireless/ –Includes lots of presentations and exercises.

20 Questions?

Download ppt "Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon Dale Smith University of Oregon & NSRC."

Similar presentations

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Www.sown.org.uk Southampton Open Wireless Network The Topology Talk.

Southampton Open Wireless Network The Topology Talk.
IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines.

IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Presented by Serge Kpan LTEC 4550.020 Network Systems Administration 1.

Presented by Serge Kpan LTEC Network Systems Administration 1.
Providing secure open- access networks Oliver Gorwits Oxford University Computing Services.

Providing secure open- access networks Oliver Gorwits Oxford University Computing Services.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Guest Server Guest Access - Simplified Tim Wellborn SE Sangeeta.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Guest Server Guest Access - Simplified Tim Wellborn SE Sangeeta.
Brandeis University Network Registration Joshua West 03/15/2011 LTS Staff Meeting.

Brandeis University Network Registration Joshua West 03/15/2011 LTS Staff Meeting.
1 Installing a Wireless Network for University Members Oliver Gorwits, Roger Treweek Oxford University Computing Services

1 Installing a Wireless Network for University Members Oliver Gorwits, Roger Treweek Oxford University Computing Services
Campus Networking Best Practices Session 2: Layer 3 Dale Smith University of Oregon & NSRC

Campus Networking Best Practices Session 2: Layer 3 Dale Smith University of Oregon & NSRC
Networking Components

Networking Components
Andrew Fuqua 3/4/2015 LTEC 4550. A network HUB is a device that is used to link multiple devices over a network. The HUB is not a great choice when shopping.

Andrew Fuqua 3/4/2015 LTEC A network HUB is a device that is used to link multiple devices over a network. The HUB is not a great choice when shopping.
1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.

1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (

Similar presentations

Ads by Google