Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon...
-
Upload
ernest-lane -
Category
Documents
-
view
213 -
download
0
Transcript of Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon...
![Page 1: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/1.jpg)
Campus NetworkingBest Practices
Session 5: Wireless LAN
Hervey AllenNSRC & University of Oregon
Dale SmithUniversity of Oregon & NSRC
![Page 2: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/2.jpg)
Wireless LAN
• Provide wireless network across your campus that has the following characteristics:– Authentication – only allow your users– Roaming – allow users to start up in one
section of your network, then move to another location
– Runs on your campus network
![Page 3: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/3.jpg)
Border Router
Core Router
REN switch
Firewall/
Traffic Shaper
Core Servers
Wireless Authentication
Gateway
![Page 4: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/4.jpg)
Network Access Control (NAC)
![Page 5: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/5.jpg)
Enterprise Identity Management
• Processes and Documentation of users.– Now you must deal with this.– What to use as the back-end user store?
• LDAP• Active Directory• Kerberos• Other?
– Will this play nice with future use?• email, student/staff information, resource access, ...
![Page 6: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/6.jpg)
Identity Management Cont.
• An example of such a project can be seen here:– http://ccadmin.uoregon.edu/idm/
• This is a retrofit on to an already retrofitted system.
• Learn from others and try to avoid this situation if possible.
![Page 7: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/7.jpg)
A Wireless Captive Portal
![Page 8: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/8.jpg)
The Wireless Captive Portal
• Previous example was very simple.• A Captive Portal is your chance to:
– Explain your Acceptable Use Policies– Decide if you must authenticate, or– Allow users on your network and monitor for
problems instead (alternate solution).– Anything else? Branding?
![Page 9: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/9.jpg)
What's Happening?
• remember our initial network diagrams...?• Do you think our hotel built their own
solution?• Probably not...
![Page 10: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/10.jpg)
Commercial Solutions• Aruba http://www.arubanetworks.com/
• Bradford Networks– http://www.bradfordnetworks.com/
• Cisco NAC Appliance (Clean Access)– http://www.cisco.com/en/US/products/ps6128/
• Cisco Wireless LAN Controllers– http://www.cisco.com/en/US/products/hw/wireless/
• Enterasys http://www.enterasys.com/
• Vernier http://www.verniernetworks.com
![Page 11: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/11.jpg)
Open Source Solutions
• CoovaChilli (morphed from Chillispot)– http://coova.org/wiki/index.php/CoovaChilli– Uses RADIUS for access and accounting.– CoovaAP openWRT-based firmware.
![Page 12: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/12.jpg)
Open Source Solutions cont.
• m0n0wall– http://m0n0.ch/wall/– Embedded firewall appliance solution built on
FreeBSD.– Entire configuration is stored in an xml file.– Sample Captive Portal Configuration Screen:
http://m0n0.ch/wall/images/screens/services_captiveportal.png
– Supported on low-end PC hardware, such as Soekris and ALIX platforms.
![Page 13: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/13.jpg)
A Home-grown Solution
• University of Oregon Captive Portal– NoCat for Captive Portal
http://nocat.net/
– Access control mechanism:• IP+Mac Address
– IPTables+IPSets http://www.shorewall.net/ipsets.html
• IPSets are a high-speed matching module extension for IPTables.
![Page 14: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/14.jpg)
A Home-grown Solution cont.
• Why this solution?– Partially historical and timing related.– Access control with IP+Mac Address allows for
hashing on the IP address vs. a linear search on Mac addresses. At 4,000 addresses this became a problem.
– Some sample IPTables+IPSets rules are available with the tutorial materials on-line.
![Page 15: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/15.jpg)
Other Considerations
Access Control Technology Possibilities– DHCP control ==> NetReg– MAC Address Filtering ==> Switches/Routers/Firewalls– IP Address Filtering ==> Routers/Firewalls– IP+Mac Address ==> software-based w/
IPTables+IPSets– Cookie ==> CAS, OpenID/LDAP– IP+Mac+Username(cookie) ==> some commercial
solutions– Port VLAN Assigment
![Page 16: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/16.jpg)
Terminology/Projects
• CAS– Central Authentication System– http://www.ja-sig.org/products/cas/
• NetReg– Automated DHCP Registration System– http://netreg.sourceforge.net/
• OpenID– Single digital identity across multiple networks– http://openid.net/
![Page 17: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/17.jpg)
What to Do?
• Review the options presented here, both commercial and Open Source.
• Review the various projects associated to understand how this all ties together.
• Devise a plan for your user identities, their storage and the processes around them.
• For sites under 3-4,000 users you might consider CoovaChilli or m0n0wall.
![Page 18: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/18.jpg)
How it Ties TogetherWireless Captive Portals bring together a
number of issues:– Network design (VLANs to direct traffic to a
single point – the captive portal solution).– Longer-term user identity considerations.– Costs, such as commercial software,
hardware, Open Source solutions or even your own solution.
– AUPs, Acceptable Use Policies – you might need to decide what they are to present them to your users on your captive portal.
![Page 19: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/19.jpg)
Resources
• Excellent Presentation on Network Access Control:– http://nsrc.org/workshops/2008/ait-wireless/kemp/
network-security-nac-html.html
• Wireless Security Workshop at AIT:– http://nsrc.org/workshops/2008/ait-wireless/– Includes lots of presentations and exercises.
![Page 20: Campus Networking Best Practices Session 5: Wireless LAN Hervey Allen NSRC & University of Oregon hervey@nsrc.org Dale Smith University of Oregon & NSRC.](https://reader030.fdocuments.in/reader030/viewer/2022032702/56649cef5503460f949be701/html5/thumbnails/20.jpg)
Questions?