Campus Networking Best Practices. Session 5: Wireless LAN




Hervey Allen, NSRC & University of Oregon, hervey@nsrc.org
Dale Smith, University of Oregon & NSRC, dsmith@uoregon.edu

Wireless LAN
Provide a wireless network across your campus that has the following characteristics:
- Authentication: only allow your users
- Roaming: allow users to start up in one section of your network, then move to another location
- Runs on your campus network

[Network diagram: Border Router, Firewall/Traffic Shaper, REN switch, Core Router, Wireless Authentication Gateway, Core Servers]

Network Access Control (NAC)

Enterprise Identity Management
- Processes and documentation of users. Now you must deal with this.
- What to use as the back-end user store? LDAP, Active Directory, Kerberos, other?
- Will this play nicely with future uses? Email, student/staff information, resource access, ...

Identity Management (cont.)
- An example of such a project can be seen here: http://ccadmin.uoregon.edu/idm/
- This is a retrofit onto an already retrofitted system. Learn from others and try to avoid this situation if possible.

A Wireless Captive Portal

The Wireless Captive Portal
The previous example was very simple. A captive portal is your chance to:
- Explain your Acceptable Use Policies
- Decide if you must authenticate, or
- Allow users on your network and monitor for problems instead (alternate solution)
- Anything else? Branding?

What's Happening?
Remember our initial network diagrams...? Do you think our hotel built their own solution? Probably not...

Commercial Solutions
- Aruba: http://www.arubanetworks.com/
- Bradford Networks: http://www.bradfordnetworks.com/
- Cisco NAC Appliance (Clean Access): http://www.cisco.com/en/us/products/ps6128/
- Cisco Wireless LAN Controllers: http://www.cisco.com/en/us/products/hw/wireless/
- Enterasys: http://www.enterasys.com/
- Vernier: http://www.verniernetworks.com

Open Source Solutions
- CoovaChilli (morphed from Chillispot): http://coova.org/wiki/index.php/coovachilli
  - Uses RADIUS for access and accounting.
  - CoovaAP: OpenWrt-based firmware.

Open Source Solutions (cont.)
- m0n0wall: http://m0n0.ch/wall/
  - Embedded firewall appliance solution built on FreeBSD.
  - The entire configuration is stored in an XML file.
  - Sample captive portal configuration screen: http://m0n0.ch/wall/images/screens/services_captiveportal.png
  - Supported on low-end PC hardware, such as the Soekris and ALIX platforms.

A Home-grown Solution
University of Oregon Captive Portal
- NoCat for the captive portal: http://nocat.net/
- Access control mechanism: IP + MAC address
- IPTables + IPSets: http://www.shorewall.net/ipsets.html
  - IPSets are a high-speed matching module extension for IPTables.

A Home-grown Solution (cont.)
Why this solution?
- Partially historical and timing related.
- Access control with IP + MAC address allows for hashing on the IP address vs. a linear search on MAC addresses. At 4,000 addresses the linear search became a problem.
- Some sample IPTables + IPSets rules are available with the tutorial materials on-line.
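As an added example (not the tutorial's own sample rules), the following sh script sketches the IP + MAC control described above: registered clients live in an ipset of type hash:ip,mac, which is keyed on the IP address, and iptables consults that set instead of walking one rule per MAC. The interface name, portal address, port and session timeout are assumed values.

```shell
#!/bin/sh
# Added example: captive-portal access control with iptables + ipset (hash:ip,mac).
# Assumptions (constructed): wireless clients arrive on $WLAN_IF and the portal web
# server listens at $PORTAL_IP:$PORTAL_PORT. Set DRY_RUN=1 to print the commands
# instead of executing them (useful for review before touching a live gateway).

WLAN_IF="${WLAN_IF:-wlan0}"
PORTAL_IP="${PORTAL_IP:-10.0.0.1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
SET_NAME="portal_allowed"
SESSION_TIMEOUT=28800   # seconds; a registered pair expires after 8 hours

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

portal_setup() {
    # hash:ip,mac keys the set on the IP address, so each packet costs one hash
    # lookup rather than a top-to-bottom walk of one iptables rule per MAC address.
    run ipset create "$SET_NAME" hash:ip,mac timeout "$SESSION_TIMEOUT" -exist
    # Registered clients: source IP AND source MAC must both match a stored pair,
    # so a host that only copies the IP of a logged-in user still does not match.
    run iptables -A FORWARD -i "$WLAN_IF" -m set --match-set "$SET_NAME" src,src -j ACCEPT
    # Unregistered clients may resolve names and reach the portal; their HTTP is
    # redirected to the portal so they see the AUP / login page.
    run iptables -A FORWARD -i "$WLAN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$WLAN_IF" -d "$PORTAL_IP" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$WLAN_IF" -m set ! --match-set "$SET_NAME" src,src \
        -p tcp --dport 80 -j DNAT --to-destination "$PORTAL_IP:$PORTAL_PORT"
    # Everything else from an unregistered client is dropped.
    run iptables -A FORWARD -i "$WLAN_IF" -j DROP
}

# Called by the portal after a successful login: register the IP,MAC pair.
portal_allow() {
    run ipset add "$SET_NAME" "$1,$2" timeout "$SESSION_TIMEOUT" -exist
}

# Called on logout or by an abuse handler: remove the pair immediately.
portal_revoke() {
    run ipset del "$SET_NAME" "$1,$2" -exist
}
```

If the portal web server runs on the gateway itself, its traffic arrives via the INPUT chain rather than FORWARD, so the corresponding INPUT rule is needed instead of the FORWARD rule for the portal address.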

Other Considerations
Access control technology possibilities:
- DHCP control ==> NetReg
- MAC address filtering ==> switches/routers/firewalls
- IP address filtering ==> routers/firewalls
- IP + MAC address ==> software-based with IPTables + IPSets
- Cookie ==> CAS, OpenID/LDAP
- IP + MAC + username (cookie) ==> some commercial solutions
- Port VLAN assignment

Terminology/Projects
- CAS: Central Authentication System, http://www.ja-sig.org/products/cas/
- NetReg: Automated DHCP Registration System, http://netreg.sourceforge.net/
- OpenID: single digital identity across multiple networks, http://openid.net/

What to Do?
- Review the options presented here, both commercial and Open Source.
- Review the various projects associated with them to understand how this all ties together.
- Devise a plan for your user identities, their storage and the processes around them.
- For sites under 3-4,000 users you might consider CoovaChilli or m0n0wall.

How it Ties Together
Wireless captive portals bring together a number of issues:
- Network design (VLANs to direct traffic to a single point: the captive portal solution).
- Longer-term user identity considerations.
- Costs, such as commercial software, hardware, Open Source solutions or even your own solution.
- AUPs (Acceptable Use Policies): you might need to decide what they are in order to present them to your users on your captive portal.

Resources
- Excellent presentation on Network Access Control: http://nsrc.org/workshops/2008/aitwireless/kemp/network-security-nac-html.html
- Wireless Security Workshop at AIT: http://nsrc.org/workshops/2008/ait-wireless/ (includes lots of presentations and exercises)

Questions?