On Thu, Nov 21, 2002 at 11:37:14AM -0700, Daniel, Colin wrote:
> Do you use WEP and if so what level of encryption?
A: No. We have over 100,000 potential users. Handing them all the same
shared-secret password and expecting it to be kept secret would be a
bit of a stretch. Anyone who knows the WEP password would be able to
see all other packets, so the whole scheme falls apart. We can't use
any of the proprietary encryption systems, because we have so many
users all purchasing their own equipment. Many laptops and some
palmtops have wireless pre-installed, so there is no way to control
which brand people are using.
> Do you use a Radius server or another means of authentication?
A: We have set up a firewall system that separates our wireless LANs from
the main campus backbone. In order to gain access to the campus
network (and the greater Internet), users must first authenticate using
an HTTPS web page. The firewall forwards the authentication request to
our X.500 database. We will be using RADIUS for that forwarding, so
that individual departments can augment the system using their own
databases. That way, the department can provide limited connectivity
to 'guests'.
> Do you use DHCP and if so is it open or reserved?
A: We provide open DHCP from the firewall unit. Anyone can get a DHCP
address, but they cannot use the address to access the campus network
until they have authenticated. They *can*, however, access the local
wireless LAN. This is a compromise that we had to make, due to the
limitations of 802.11. We will be looking at 802.1x, WPA, and other
forms of access management as they become commonly available.
Note that we are not particularly worried about DoS attacks that do
things like drain the DHCP IP pool. There are so many ways to disrupt
wireless LANs that it seemed pointless to worry about this one.
> Do you charge a fee for wireless access and if so how much?
A: No direct fees.
> Which vendor did you select for your wireless infrastructure?
A: We have not. Our campus is very large, and many departments went ahead
and purchased gear. Our infrastructure must accommodate a wide variety
of Access Points and clients.
> If you have any additional information/suggestions/warnings I would greatly
> appreciate the advice.
When we started our project there were few viable options for access
management, so we built our own. We are now looking seriously at some
commercial options and some Open Source projects such as NoCatAuth.
Some things to consider when you look for Access Points:
- Some vendors have recommended that we purchase expensive, high-end
Access Points, perform site surveys, and carefully place the Access
Points in optimal locations. There are several drawbacks to this
approach:
a. We must either use APs that support power over CAT5, or we need to
run separate conduit for both electrical and network wiring.
b. There are often æsthetics issues relating to "optimal locations"
(Us: "We'd like to put a beige box with blinky lights in your
atrium."
Them: "I don't think so...").
c. There are often firecode (plenum) issues in "optimal locations".
d. There are often risks of theft in "optimal locations".
e. We cannot use the features of the high-end APs because they are,
typically, proprietary. There is no way to support proprietary
systems given the diversity of the clients.
Instead, we have found that it is effective to purchase a larger number
of cheap (but reliable) APs, and place them in less-than-optimal
locations, such as wiring closets, kiosks, etc. Ten cheap APs in poor
locations can often do as good a job, or better, than half that many in
"optimal" locations.
- The more APs you put in (cheap or otherwise) the more individual bits of
network infrastructure you need to maintain, monitor, upgrade, etc. It
can be a big pain. If you are in a position to make all of the units
the same, do it. Note, however, that the vendors have a habit of
changing things. One brand we use (and like) changed its internal CPU,
OS, management interface, etc. after we already had a large number of
units installed. They just came out with a new model and all the old
stuff was instantly obsolete. Ick.
What's worse is that some of the vendors are making noises now that
suggest that when the next full-blown pile of standards is available
all of the older APs will have to be pulled. Things like the
higher-speed 802.11g, new authentication and encryption schemes... these
may require new hardware.
That's another reason to buy cheap. It won't hurt as much if/when the
units need to be replaced.
I hope that's of some use.
If you are interested in the commercial vendors we are looking at, ping me
offline: [EMAIL PROTECTED]
Chris -)-----
--
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/ -)----- [EMAIL PROTECTED]
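An added example (not code from the post, nor from NoCatAuth or any system it mentions) modelling the access policy Chris describes: open DHCP, an always-reachable HTTPS login page on the firewall, free access to the local wireless LAN, and campus/Internet access only after the client's IP/MAC pair has authenticated against a directory. The subnets, addresses, session lifetime and the directory callback standing in for the X.500/RADIUS lookup are constructed assumptions.

```python
import ipaddress
import time

# Constructed subnets and addresses (assumptions, not the campus's real addressing).
WIRELESS_LAN = ipaddress.ip_network("10.50.0.0/16")    # open DHCP pool
CAMPUS_NET = ipaddress.ip_network("192.168.0.0/16")    # behind the firewall
PORTAL_IP = ipaddress.ip_address("10.50.0.1")          # HTTPS login page on the firewall

SESSION_TTL = 3600  # seconds an authenticated binding stays valid (assumption)


class CaptivePortalFirewall:
    """Minimal model of the policy in the post: every wireless client gets an
    address, but only an authenticated (ip, mac) binding may cross from the
    wireless LAN to the campus network or the Internet."""

    def __init__(self, now=time.time):
        self._now = now
        self.sessions = {}  # ip -> (mac, expires_at)

    def authenticate(self, ip, mac, username, password, directory):
        """Portal login: check credentials via a directory callback (stands in
        for the X.500/RADIUS forwarding) and bind ip+mac on success."""
        if not directory(username, password):
            return False
        self.sessions[str(ip)] = (mac.lower(), self._now() + SESSION_TTL)
        return True

    def is_authenticated(self, ip, mac):
        entry = self.sessions.get(str(ip))
        if entry is None:
            return False
        bound_mac, expires_at = entry
        if self._now() >= expires_at:
            del self.sessions[str(ip)]  # expired: the client must log in again
            return False
        # The session is bound to the ip+mac pair seen at login; another MAC
        # presenting the same DHCP address does not inherit it.
        return bound_mac == mac.lower()

    def allows(self, src_ip, src_mac, dst_ip, dst_port):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src not in WIRELESS_LAN:
            return False                   # policy only covers wireless clients
        if dst == PORTAL_IP and dst_port == 443:
            return True                    # login page is always reachable
        if dst in WIRELESS_LAN:
            return True                    # local wireless LAN is open (the compromise)
        return self.is_authenticated(src, src_mac)  # campus/Internet need a login
```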
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/memdir/cg/.