WLANconcept at TUT - PowerPoint PPT Presentation
1
WLAN-concept at TUT
  • Janne Hukkanen

2
Outline
  • WLAN concept development at TUT
  • Coverage areas
  • Different ways to access network
  • Access requirements
  • WLAN network architecture
  • TUT WLAN in future
  • FUNET roaming

3
WLAN concept development at TUT
  • Started in 2002; before that several independent
    WLAN networks existed in different departments
  • Different HW/SW solutions meant those networks did
    not interoperate with each other
  • The project was carried out in cooperation with the
    ICEFIN Kärki-hanke (spearhead project) and
    tietohallinto (TUT IT administration)
  • The goal of the project was to create one organized
    WLAN concept for the whole campus area

4
contd
  • The main purpose of the WLAN network was not to
    replace the existing wired network but to increase
    flexibility and mobility
  • It also gives users network access in places where
    no wired network is available
  • -> reduced costs compared to building new wired
    network areas (cabling, switch ports etc.)

5
Coverage area in campus
  • Main building
  • - library, entrances on the 1st and 2nd floor
  • Konetalo building
  • - entrance on the 1st floor, lecture halls K1702,
    K1703, K1704 and K1705 (partly)
  • Festia building
  • - entrance on the 1st floor, lecture halls Festia
    pieni sali 1 and 2 (small halls), Festia iso sali
    (large hall, upper parts)

6
contd
  • Rakennustalo building
  • - entrances on the 1st and 2nd floor, lecture hall
    Rg202
  • Sähkötalo building
  • - entrances on the 1st and 2nd floor, lecture halls
    S1-S4 (upper parts)
  • Tietotalo building
  • - entrances on the 1st and 2nd floor; lecture,
    exercise and group-work halls on the 2nd floor
  • Tamppi Areena sports centre
  • (information taken from Haavi, possibly not up to
    date)

7
Different ways to access network
  • There are four different roles for accessing the
    network, and each provides a different security
    and service level
  • 1. Student Access
  • 2. Employee Access
  • 3. Guest Access
  • 4. Roaming Access

8
1. Student Access
  • Student enters the access zone; the terminal
    receives a public IP address
  • Student launches a web browser and tries to retrieve
    a web page; the access controller diverts the
    request to the SSL-protected authentication page
  • Student enters authentication information (username@
    domain) and password; the access controller verifies
    the authentication with the roaming proxy or another
    authentication server
  • Student gains (possibly limited) access to the
    network
  • If the terminal does not respond to a certain number
    of subsequent pings (at TUT, DHCP request/response
    is used instead), it is considered logged out and a
    new authentication is needed

9
2. Employee Access
  • Employee enters the access zone; the terminal
    receives a public IP address
  • Employee initiates a VPN connection to a known VPN
    terminator and authenticates by the means available
    in the VPN solution used
  • Employee gains secured full access to the department
    intranet and possibly also a virtual IP address from
    the trusted network
  • The chosen VPN solution may be configured to decide
    when the user has logged out from the access zone,
    or the employee can log out by terminating the VPN
    connection

10
3. Guest Access
  • Guest enters the access zone
  • Guest launches a web browser; on the authentication
    page there is a link and instructions for guest
    access
  • The host or another authorized person approves the
    guest registration and selects the validity time
    for the guest account
  • Guest gains access to the network with the guest
    account
  • Works like the student account, except that a new
    authentication is required once the validity time
    ends
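The web-based access procedure on slides 8 and 10, as an added example that is not part of the original deck and not TUT's access controller: a small Python model of a controller that diverts an unauthenticated terminal's first HTTP request to the SSL login page, checks username@domain credentials against a constructed account table standing in for the roaming proxy or authentication server, drops a session after a number of unanswered liveness probes, and expires guest sessions when the validity time chosen by the host has ended. The login-page URL, the probe threshold, the accounts and the terminal addresses are all assumptions, and refusing an expired guest account until the host renews it is an assumption about the procedure.

```python
"""Model of the web-based access control on slides 8 and 10 (added example, not TUT's code).
The login-page URL, probe threshold, accounts and terminal addresses are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional

AUTH_PAGE = "https://auth.example.test/login"   # assumed SSL-protected authentication page
MAX_MISSED_PROBES = 3                           # assumed number of misses before forced logout


@dataclass
class Account:
    password: str
    kind: str                            # "student" or "guest"
    valid_until: Optional[float] = None  # guests only: end of validity on the controller clock (s)


@dataclass
class Session:
    user: str
    missed_probes: int = 0


class AccessController:
    """Sessions are keyed by terminal address, which is all a web-based controller has."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.sessions: dict = {}   # terminal IP -> Session
        self.clock = 0.0           # seconds, advanced by tick()

    def handle_http(self, client_ip: str, url: str):
        """Divert an unauthenticated terminal's request to the login page; let others through."""
        if client_ip in self.sessions:
            return 200, url
        return 302, f"{AUTH_PAGE}?next={url}"

    def login(self, client_ip: str, username: str, password: str) -> bool:
        """Check username@domain and password; stands in for the roaming proxy / auth server."""
        if "@" not in username:
            return False
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password.encode(), password.encode()):
            return False
        if self._expired(acct):    # assumed: an expired guest account is refused until renewed
            return False
        self.sessions[client_ip] = Session(username)
        return True

    def probe(self, client_ip: str, answered: bool) -> None:
        """Liveness probe (ping, or DHCP request/response as at TUT)."""
        sess = self.sessions.get(client_ip)
        if sess is None:
            return
        if answered:
            sess.missed_probes = 0
            return
        sess.missed_probes += 1
        if sess.missed_probes >= MAX_MISSED_PROBES:
            del self.sessions[client_ip]   # considered logged out; must authenticate again

    def tick(self, seconds: float) -> None:
        """Advance the clock and drop guest sessions whose validity time has ended."""
        self.clock += seconds
        for ip, sess in list(self.sessions.items()):
            if self._expired(self.accounts[sess.user]):
                del self.sessions[ip]

    def is_logged_in(self, client_ip: str) -> bool:
        return client_ip in self.sessions

    def _expired(self, acct: Account) -> bool:
        return acct.kind == "guest" and acct.valid_until is not None and self.clock >= acct.valid_until


# Constructed accounts: one student, one guest whose host granted four hours of validity.
ACCOUNTS = {
    "matti@tut.fi": Account("salasana1", "student"),
    "guest17@guest.tut.fi": Account("visit", "guest", valid_until=4 * 3600),
}


def demo() -> dict:
    """Student and guest scenarios on constructed terminal addresses; returns what was observed."""
    ac, out = AccessController(ACCOUNTS), {}
    out["redirect"] = ac.handle_http("10.0.0.5", "http://www.tut.fi/")
    out["bad_password"] = ac.login("10.0.0.5", "matti@tut.fi", "wrong")
    out["student_ok"] = ac.login("10.0.0.5", "matti@tut.fi", "salasana1")
    out["passthrough"] = ac.handle_http("10.0.0.5", "http://www.tut.fi/")
    ac.probe("10.0.0.5", answered=False)
    ac.probe("10.0.0.5", answered=False)
    out["after_2_misses"] = ac.is_logged_in("10.0.0.5")
    ac.probe("10.0.0.5", answered=False)
    out["after_3_misses"] = ac.is_logged_in("10.0.0.5")
    out["guest_ok"] = ac.login("10.0.0.9", "guest17@guest.tut.fi", "visit")
    ac.tick(5 * 3600)
    out["guest_after_validity"] = ac.is_logged_in("10.0.0.9")
    out["guest_relogin"] = ac.login("10.0.0.9", "guest17@guest.tut.fi", "visit")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Running the file prints the result of each step. Note that the controller can only key a session on the terminal's address; on the unencrypted radio path described on slide 18 that is why the deck makes SSL for students and VPN for employees compulsory rather than relying on the web login alone.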

11
4. Roaming Access
  • Similar procedure as in student/employee access,
    except that when the roaming user has entered his
    authentication information and password, the access
    controller verifies the authentication with the
    roaming proxy
  • The roaming user then has access to the network and
    may use it like a student or initiate his own VPN
    connection
  • Same logout procedure as in student/employee access

12
Access requirements from terminal point of view
  • When an individual user wants to access the network
    via a WLAN connection, he needs a WLAN network card
    that supports the 802.11b standard and is Wi-Fi
    interoperable
  • A web browser capable of TLS/SSL security (like
    Mozilla, Netscape, Opera, Internet Explorer)
  • If the user wants to use Windows network services,
    he needs VPN software and must establish a VPN
    connection
  • And of course a valid intranet username and password
  • The procedure for accessing the network was described
    earlier

13
WLAN network architecture
  • Architecture design goals
  • Sufficient security
  • - employees: strongly secured access to the
    department network
  • - students: basic authentication and secured,
    limited services
  • - guests: host-controlled access
  • - roaming users: ability to use VPN to initiate a
    secure connection to their home network
  • Flexibility, scalability and upgradeability
  • - it should be easy to install new services,
    network elements and upgrades
  • - the architecture should not limit the growth of
    the network

14
contd
  • Interoperability, standards, openness
  • - the architecture must support both commercial and
    non-commercial network elements via standard
    interfaces
  • - open standards and interfaces are preferred;
    closed standards should be avoided
  • Usability
  • - the basic access procedure should not require any
    specific client software, hardware or operating
    system on the user terminal (web-based access)

15
Network structure: public access networks, access
controllers (figure)
16
contd
  • In the previous picture, intranets and public
    access networks are separated from each other, and
    the intranets have to be protected from unwanted
    traffic coming from outside
  • Public access networks are available e.g. for
    students, and those networks can be accessed
    without posing a threat to the TUT core network or
    department intranets
  • A public access network has to be treated as being
    as hostile as the Internet, and this has to be taken
    into account when designing and configuring
    firewalls in TUT's network. Consequently, public
    access networks cannot be located inside the
    firewall-shielded networks

17
Public and combined access zones (figure)
18
contd
  • In the previous picture, a public access zone is a
    zone where accesses occur randomly and the network
    isn't used that regularly
  • A combined access zone is a zone where both
    department employees and students/guests can gain
    access to the network
  • The main advantage is that there do not have to be
    multiple radio paths (separate radio networks) for
    different kinds of users
  • One important aspect is that the radio path from the
    user terminal to the access point is not encrypted,
    so it is compulsory for students and employees to
    use secured protocols like SSL
  • Employees have to use VPN to gain full access to the
    department's intranet

19
WLAN radio network
  • The TUT WLAN concept uses the 802.11b standard; its
    2.4 GHz frequency band is unlicensed, so it has to
    be taken into account that many other devices may
    use the same band and interfere with the WLAN
    network
  • It also has to be considered that heavy wall
    structures and metallic elements increase
    attenuation; in the worst case the signal is
    absorbed by some material and cannot get around it
    by reflection
  • So it is important to place access points at
    strategically good locations so that the coverage
    area is maximised
  • Next, an example of how this was done at the
    Institute of Communications Engineering

20
Example of WLAN radio planning
  • five access points with table antennas (2.5 dBi)
  • 1st floor (orange line)
  • 2nd floor (blue line)
  • real coverage areas are much larger and asymmetrical
  • the user terminal reaches 2-3 access points from
    every position within the coverage area
  • short distances between access points support the
    802.11g/a standards

21
TUT WLAN in future
  • A WPA/WPA2 network will exist in parallel to the
    current WLAN network
  • based on the 802.11i standard (enhanced security at
    the MAC layer)
  • uses AES (Advanced Encryption Standard), a symmetric
    block cipher (AES-CCMP is mandatory in WPA2; the
    original WPA used TKIP)
  • compatible with IPv6 addresses
  • possibly using the 802.11g/a standards for higher
    data rates

22
FUNET Roaming
  • FUNET roaming means that a user is able to gain
    access to another university's network by using his
    home network's authentication username and password
  • Roaming reduces the need for guest accounts
  • uses a common structure and common authentication
    procedures
  • the proxy function of the RADIUS protocol
  • the username has the form username@realm (e.g.
    username@tut.fi)
  • based on the realm, the authentication request goes
    to the right authentication server
  • works if the RADIUS protocol is used in the
    university's authentication procedure
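Realm-based routing as described on this slide and in the hierarchy of slides 23-25, as an added Python example that is not FUNET's or TUT's code: a RADIUS proxy hierarchy in which each server matches the realm of username@realm against its routing table by longest suffix (cs.tut.fi, then tut.fi, then fi), forwards unknown realms to its upstream proxy, and rejects requests that carry no realm, reach the top level unmatched, or loop back to a server already visited. Server names, realm tables and user accounts are constructed for the demonstration; the national and regional names only echo the participants listed on slide 26.

```python
"""Realm-based routing of a RADIUS Access-Request through a proxy hierarchy, as in FUNET
roaming and eduroam (slides 22-25).  Added example, not TUT's or FUNET's code: every server
name, realm table and user account below is constructed for the demonstration."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    routes: dict = field(default_factory=dict)   # realm suffix -> next server
    upstream: Optional[str] = None               # default route; None at the top level
    home_realm: Optional[str] = None             # set on a home authentication server
    users: dict = field(default_factory=dict)    # username -> password (home servers only)


@dataclass
class Decision:
    result: str    # "Access-Accept" or "Access-Reject"
    path: list     # servers the request traversed, in order


def split_user(user: str):
    """'username@realm' -> (username, realm); realm is None when absent or empty."""
    if "@" not in user:
        return user, None
    name, realm = user.rsplit("@", 1)     # last '@' wins, so 'a@b@realm' still routes on 'realm'
    return name, realm.lower() or None    # realms are case-insensitive


def lookup(node: Node, realm: str) -> Optional[str]:
    """Longest-suffix match on realm labels: cs.tut.fi, then tut.fi, then fi; else upstream."""
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in node.routes:
            return node.routes[suffix]
    return node.upstream


def authenticate(nodes: dict, entry: str, user: str, password: str, max_hops: int = 6) -> Decision:
    """Walk the hierarchy from `entry` until a home server answers or routing fails."""
    name, realm = split_user(user)
    path = [entry]
    if realm is None:                       # no realm: the request cannot be routed anywhere
        return Decision("Access-Reject", path)
    while len(path) <= max_hops:
        node = nodes[path[-1]]
        if node.home_realm is not None:     # reached a home authentication server
            ok = (realm == node.home_realm
                  and name in node.users
                  and hmac.compare_digest(node.users[name].encode(), password.encode()))
            return Decision("Access-Accept" if ok else "Access-Reject", path)
        nxt = lookup(node, realm)
        if nxt is None or nxt in path:      # unknown realm at the top level, or a routing loop
            return Decision("Access-Reject", path)
        path.append(nxt)
    return Decision("Access-Reject", path)  # hop limit exceeded


def build_constructed_hierarchy() -> dict:
    """Constructed three-level hierarchy: campus proxy -> national proxy -> eduroam top level."""
    nodes = [
        Node("tut-proxy", routes={"tut.fi": "tut-auth"}, upstream="funet-proxy"),
        Node("tut-auth", home_realm="tut.fi", users={"matti": "salasana1"}),
        Node("funet-proxy",
             routes={"tut.fi": "tut-proxy", "utu.fi": "sparknet-auth", "oulu.fi": "panoulu-auth"},
             upstream="eduroam-top"),
        Node("sparknet-auth", home_realm="utu.fi", users={"liisa": "turku2"}),
        Node("panoulu-auth", home_realm="oulu.fi", users={}),
        Node("eduroam-top", routes={"fi": "funet-proxy", "de": "dfn-proxy"}),
        Node("dfn-proxy", routes={"uni-example.de": "uni-example-auth"}, upstream="eduroam-top"),
        Node("uni-example-auth", home_realm="uni-example.de", users={"hans": "geheim"}),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    hierarchy = build_constructed_hierarchy()
    for user, pw in [("matti@TUT.FI", "salasana1"), ("liisa@utu.fi", "turku2"),
                     ("hans@uni-example.de", "geheim"), ("nobody", "x"), ("x@unknown.fi", "x")]:
        d = authenticate(hierarchy, "tut-proxy", user, pw)
        print(f"{user:22} {d.result:14} via {' -> '.join(d.path)}")
```

The loop check matters in practice: a realm under .fi that no Finnish proxy knows is sent up to the top level, which routes "fi" straight back to the national proxy, and without the check the request would circulate until the hop limit. The same structure also shows why a request without a realm must be rejected at the first proxy rather than forwarded.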

23
Example of hierarchy (figure)
24
Regional Roaming (figure)
25
Non-regional Roaming (figure)
26
contd
  • All the big universities in Finland participate in
    FUNET roaming
  • - University of Oulu (PanOulu)
  • - University of Turku (SparkNet)
  • - University of Vaasa (Wireless Mobile Vaasa)
  • - Lappeenranta University of Technology
    (Wireless Lappeenranta Network)
  • - and also in Seinäjoki (WirLab)
  • FUNET is now also an EDUROAM member, which allows
    roaming in most big universities around Europe and
    Australia!

27
EDUROAM Participant countries (figure)
28
References
  • http://www.eduroam.org/
  • http://www.tut.fi/haavi
  • http://www.atm.tut.fi/tut-public-access/
  • http://www.atm.tut.fi/public-access-roaming/
  • interview with Karri Huhtanen