Penn State Wireless 2.0 and Related Services for Network Administrators



Similar documents
UTM10 in multi-ssid, multi-vlan network with WMS5316. Network diagram

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

How to Configure a BYOD Environment with the DWS-4026

VLANs. Application Note

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Layer 2 / Layer 3 switches and multi-ssid multi-vlan network with traffic separation

RAP Installation - Updated

IdentiFi and Eduroam Roaming Wireless Service Integration CONFIGURATION GUIDE

Controller Management

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall

Wireless Local Area Networks (WLANs)

Developing Network Security Strategies

Apple Airport Extreme Base Station V4.0.8 Firmware: Version 5.4

estadium Project Lab 8: Wireless Mesh Network Setup with DD WRT

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

WiNG 5.X How-To Guide

Configuration of Cisco Autonomous Access Point with 802.1x Authentication for Avaya 3631 Wireless Telephone

APPENDIX 3 LOT 3: WIRELESS NETWORK

Mobility System Software Quick Start Guide

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE Computer Network Analysis and Design Slide 1

Configuring Security Solutions

Quick Installation Guide of WLAN Broadband Router

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Wireless Router Quick Start Guide Rev. 1.0a Model: WR300NQ

Cisco TrustSec How-To Guide: Guest Services

Configuration Guide. How to Configure the AP Profile on the DWC Overview

Installation of the On Site Server (OSS)

Deploying Cisco Basic Wireless LANs WDBWL v1.1; 3 days, Instructor-led

What is VLAN Routing?

EAP350 EAP350. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

Table of Contents. Product Overview...4 Package Contents...4 System Requirements... 4 Introduction...5 Features... 7

Unified Access Point (AP) Administrator s Guide

Unified Access Point Administrator's Guide

Optimum Business SIP Trunk Set-up Guide

Virtuelle WLAN Controller Alcatel Lucent Wireless LAN Instant AP

Case Study - Configuration between NXC2500 and LDAP Server

TotalCloud Phone System

YO-301AP POE AP Datasheet

Configuring Network Address Translation (NAT)

Best Practices for Outdoor Wireless Security

Welch Allyn Acuity Network installation. Best practices

Application Note Gigabit Ethernet Port Modes

Configuring Routers and Their Settings

A Division of Cisco Systems, Inc. GHz g. Wireless-G. User Guide. Access Point with Power Over Ethernet WIRELESS WAP54GP. Model No.

Lab Organizing CCENT Objectives by OSI Layer

Secure Networks for Process Control

SmartRG Residential Gateways. April 30, 2012 Version 2.0

Ruckus Wireless ZoneDirector Command Line Interface

Wireless Best Practices For Schools

Welch Allyn Connex, VitalsLink by Cerner, and Connex CSK Network installation. Best practices overview

Design and Implementation Guide. Apple iphone Compatibility

WLAN Outdoor CPE For 2.4G. Quick Installation Guide

Table of Contents. Product Overview...4 Package Contents...4 System Requirements... 4 Introduction...5 Features... 7

How to configure your Thomson SpeedTouch 780WL for ADSL2+

Application Note User Groups

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Firewall. June 2011 Revision 1.0

Meraki Wireless Solution Comparison

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been

Ruckus-Bradford Interop Setup

EAP300. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

EAP350. Long Range Ceiling Mount Access Point PRODUCT OVERVIEW

Evolving Network Security with the Alcatel-Lucent Access Guardian

Connecting to the Internet. LAN Hardware Requirements. Computer Requirements. LAN Configuration Requirements

Chapter 2 Configuring Your Wireless Network and Security Settings

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

Conceptronic 150N Wireless LAN Access Point User s Manual Version: 1.0

DSL-2600U. User Manual V 1.0

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Cloud-based Wireless LAN for Enterprise, SMB, IT Service Providers and Carriers. Product Highlights. Relay2 Enterprise Access Point RA100 Datasheet

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Access Point Configuration

Mikrotik Router OS - Setup and Configuration Guide for Aradial Radius Server

Setting up IP address distribution in a LAN

Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller

Wireless-N Access Point with Power Over Ethernet

Unified Access Point Administrator s Guide

User Manual Network Interface

Linksys Wireless G WRT54G

Creating your fi rst CloudTrax network

A Division of Cisco Systems, Inc. GHz g. Wireless-G. Access Point with SRX. User Guide WIRELESS WAP54GX. Model No.

Top-Down Network Design

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Microsoft Lync Certification Configuration Guide for WiNG 5.5

WiNG5 DESIGN GUIDE By Sriram Venkiteswaran. WiNG5 Wireless Association Filters. How To Guide

WiFi Security Assessments

To configure firewall policies, you must install the Policy Enforcement Firewall license.

Key Features. Multiple Operation Modes ENH500 can operate into four different modes with Access Point, Client Bridge, Client Router and WDS Mode.

MSC-131. Design and Deploy AirDefense Solutions Exam.

white paper Motorola s Wireless network Indoor/Outdoor Solution

Transcription:

The following document provides details about the operation and configuration parameters for Penn State Wireless 2.0 and Visitor Wireless. It is intended for Penn State network administrators who are considering a new wireless assist LAN or are looking for information about how the services work. The document is divided into seven sections: 1. Concept of Operation 2. LAN Diagrams 3. VLAN Information 4. Network Security 5. Hardware Requirements 6. Administrative Requirements 7. Configuring a New Wireless Assist LAN 1. Concept of Operation Penn State Wireless 2.0 provides two SSIDs on a single wireless LAN infrastructure. The psu SSID uses WPA2-Enterprise (AKA 802.11i) for authentication and encryption, while the psuwirelesssetup SSID is an open SSID used for client configuration and provides no access to the internet. Both SSIDs must be broadcast in order to minimize problems with client connections. To segregate client traffic on the two SSIDs from each other as well as from management/radius traffic, the wireless access point must tag each client s traffic with an appropriate VLAN based on the SSID to which that client is associated. Customarily, client traffic associated with the psu SSID is tagged with VLAN 991, and psuwirelesssetup client traffic is tagged with 993, but the need to isolate growing wireless networks means other VLANs may need to be used. Confirm the VLANs configured for your wireless assist connection with the TNS staff assigned with the delivery of wireless LAN interface. Network management& RADIUS traffic must also be on its own VLAN. If the TNS wireless LAN interface will provide the wireless LAN hardware addresses, the customer must provide TNS with the subnet to be used & TNS will provide each customer with their own VLAN tag for that traffic. Customers whose wireless LAN hardware addresses are provided via some other network interface must provide their own VLAN tag. In that case the switch port connected to the TNS wireless LAN interface should not be a member of the management VLAN. Each University Park hub site will have at least one TNS provided aggregation switch. All clients connected to the same SSID on a LAN connected to the same aggregation switch will share the same subnet. This architecture will mitigate the problem of wireless clients roaming between LANs with different subnets; however, due to rare instances at UP where adjacent buildings have fiber routed to different hub sites, the problem may not be totally eliminated. If you become aware of a situation where clients within a building roam between WLANs on different subnets, please contact the TNS NOC so that steps may be taken to eliminate the problem. In addition to Penn State Wireless 2.0, the TNS wireless aggregation switches are capable of distributing Visitor wireless. When customers opt to include visitor wireless, the wireless LAN Rev. 7/17/2012 1

must be able to support an additional VLAN/SSID pair. The SSID for Visitor wireless is attwifi and the VLAN tag is 360. This SSID must be broadcast. Finally, Wireless Assist LAN administrators are free to provide additional SSIDs on the same wireless LAN hardware provided those SSIDs comply with Penn State policies and client traffic does not use the TNS wireless LAN interface. To further assist in understanding Penn State wireless 2.0, the following three diagrams show the physical architecture and logical architecture of the network. Rev. 7/17/2012 2

2. LAN Diagrams Rev. 7/17/2012 3

Rev. 7/17/2012 4

3. VLAN Information The following section describes the functions and requirements of the various VLANs associated with wireless 2.0 and visitor wireless. Some installations will not require all four VLAN types. The VLAN tags provided are the tags used by TNS for each VLAN. Customers may use other VLAN tags within their networks, so long as the interface to any TNS maintained equipment is as specified. psu client VLAN (commonly 991) VLAN for wireless clients connected to psu SSID One subnet for all wireless clients connected to the psu SSID for all interfaces on the same aggregation switch. Clients must connect using 802.1X (EAP-TTLS-PAP) Once connected, ACLs are consistent with accountable LANs Connected clients receive an internet-resolvable IP address Rev. 7/17/2012 5

Requires measures to ensure the client MAC address to IP address relationship is known at all times. psuwirelesssetup client VLAN (Commonly 993) VLAN for wireless clients connected to psuwirelesssetup SSID One subnet for all wireless clients connected to the psuwirelesssetup SSID for all interfaces on the same aggregation switch. Connected clients can access only DHCP, DNS, & work.psu.edu Connected clients receive a non-internet-resolvable IP address Clients not configured to use the "psu" SSID can connect to the "psuwirelesssetup" SSID and use a web browser to go to http://wireless.psu.edu/, where they will find instructions and software needed to connect to "psu". attwifi client VLAN (360) VLAN for wireless clients connected to attwifi SSID Participation in Visitor wireless is optional Subnet and routing provided by AT&T. One VLAN per campus location Management VLAN VLAN for LAN equipment management and RADIUS authentication traffic. Customers may use other interfaces for this traffic. Each customer using the TNS wireless LAN interface for LAN management will have their own management VLAN tag and subnet. The VLAN tag will be assigned by TNS prior to installation. VLAN must not be available from AP wireless interfaces. 4. Network Security It is vital for network security that the wireless security mechanisms as well as the VLAN membership for all network interfaces be properly configured. Improper wireless security configuration could allow unauthenticated clients to connect to the psu SSID. Additionally, improper VLAN configurations could allow clients associated to the psuwirelesssetup or attwifi SSID, which do not require authentication, to access the unrestricted IP addresses on the psu client VLAN. As such, it is critical that your wireless LAN configuration be thoroughly tested for proper functionality prior to deploying or converting your wireless assist LAN. One additional requirement for responsible network administration is the ability to identify which network client was using which IP address at a given time. This is not necessary for the "psuwirelesssetup" (which does not have access to the internet) or "attwifi" (for which AT&T is responsible). For clients connected to the psu SSID, the access point provides the required encryption, but there is no single component capable of logging the user to IP address relationship. For clients that connect to and use the psu SSID in the conventional manner, the combined logs of the RADIUS authentication server and the DHCP server can be used to determine that relationship. However, should a client at any time choose to self-assign an IP Rev. 7/17/2012 6

address, this system of logs by itself is no longer effective. In order to ensure a know MAC to IP relationship, it is necessary for one or more devices on the wireless LAN to participate in this process. The means of accomplishing this function fall into two main categories: logging and enforcement. In logging, a device on the wireless LAN is responsible for keeping time-stamped logs of all changes in the MAC address to IP address relationship for all devices in the psu client VLAN. This is usually accomplished by monitoring and logging all ARP traffic in that VLAN. To reduce the size of the log file it may be useful to parse the full log such that only new and changed relationships are retained. This logging could be accomplished by way of a reliable server with an interface on the psu client VLAN which can monitor and log ARP traffic, or by a network component which can send information about address changes to a log server located elsewhere. Done correctly, the combined RADIUS, DHCP, and ARP logs can be used to identify a network client by their IP address. Enforcement involves one or more network components which monitor DHCP traffic and deny the use of the network to clients which do not receive and use an IP address assigned by the appropriate DHCP server. This feature, sometimes referred to as DHCP snooping, is available on some access points, wireless LAN controllers, and LAN switches. With a properly enforced DHCP assigned IP address, the combined RADIUS and DHCP logs are all that is needed to identify a network client by their IP address. 5. Hardware Requirements Wireless LAN hardware must be capable of all the following in order to support Penn State Wireless 2.0: Support for 802.11g, typically achieved through an 802.11n AP with support for 802.11g enabled. 802.11n coverage in both 2.4GHz and 5GHz is recommended. In order to maximize performance, it is also advisable to disable support for 802.11b data rates. Support WPA2- Enterprise (802.11i) Support at least (2) VLANs and be able to associate an SSID to a VLAN without direction from the AAA infrastructure. Support for additional VLANs may be needed for Visitor Wireless or a private SSID Support radius accounting and be capable of sending start and stop records. Capable of broadcasting at least two SSIDs ( psuwirelesssetup & psu ), and use a unique BSSID for each SSID. Capable of broadcasting a third SSID if Visitor Wireless is desired. Capable of enforcing or logging the relationship between MAC address and IP address for all clients associated with the psu SSID. For administrators wishing to provide additional SSIDs using 802.1X, be capable of directing authentication and accounting traffic on each SSID to a different radius server. 6. Administrative Requirements The University Auditors require that all Penn State wireless LAN s be registered with ITS. It is also necessary for ITS to know the full extent of the psuwirelesssetup and psu network Rev. 7/17/2012 7

coverage in order to provide client support. Additionally, the contract with AT&T for visitor wireless requires that we notify them of which buildings contain Visitor Wireless coverage. You can satisfy all of these needs by visiting http://wireless.psu.edu/wireless.html, clicking the Register my wireless network link, and registering all your wireless networks. Rev. 7/17/2012 8

7. Configuring a New Wireless Assist LAN If the wireless LAN will be managed via the TNS wireless LAN interface, provide TNS with the subnet to be used and a list of IP addresses for acceptable managing host devices. TNS will assign the maintenance VLAN tag. Coordinate the Radius shared secret and network access server (APs or wireless controller) IP addresses with AIT. Configure the APs o Configure IP addresses o Configure the client VLANs, & the management VLAN assigned by TNS (if applicable). o Configure the psu SSID Open Network (broadcast SSID) Unique beacon per SSID Associate with the correct VLAN Use WPA2-Enterprise (AKA, 802.1X with AES or 802.11i) Direct Radius authentication and accounting to radius1.aset.psu.edu on ports 1812 & 1813, respectively. o Configure the psuwirelesssetup SSID Open Network (broadcast SSID) Unique beacon per SSID Associate with the correct VLAN No Security o Configure the attwifi SSID (Visitor wireless only) Open Network (broadcast SSID) Unique beacon per SSID Associate with VLAN 360 No Security At UP locations, configure VLANs on the TNS wireless LAN interface port to the correct clients VLANs & the management VLAN assigned by TNS (if applicable) At non-up locations, configure the uplink ports of the aggregation switch as untagged members of the appropriate VLANs. Configure VLANs on the AP switch ports to the correct client VLANs & the management VLAN. Rev. 7/17/2012 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information