
WLAN concept at TUT





    1. WLAN concept at TUT (Janne Hukkanen)

    2. Outline
    - WLAN concept development at TUT
    - Coverage areas
    - Different ways to access the network
    - Access requirements
    - WLAN network architecture
    - TUT WLAN in the future
    - FUNET roaming

    3. WLAN concept development at TUT
    - Started in 2002; before that several independent WLAN networks existed in different departments
    - Their different hardware and software solutions made them non-interoperable
    - The project was carried out in cooperation with ICEFIN, the Kärki project (Kärki-hanke) and the university IT administration (tietohallinto)
    - The goal of the project was to create one organized WLAN concept for the whole campus area

    4. cont'd
    - The main purpose of the WLAN was not to replace the existing wired network but to add flexibility and mobility
    - It also gives users network access in places where no wired network is available, which reduces costs compared with extending the wired network (cabling, switch ports, etc.)

    5. Coverage area on campus
    - Main building: library, entrance halls on the 1st and 2nd floors
    - Konetalo building: entrance hall on the 1st floor, lecture halls K1702, K1703, K1704 and K1705 (partly)
    - Festia building: entrance hall on the 1st floor, Festia small halls 1 and 2, Festia large hall (upper parts)

    6. cont'd
    - Rakennustalo building: entrance halls on the 1st and 2nd floors, lecture hall Rg202
    - Sähkötalo building: entrance halls on the 1st and 2nd floors, lecture halls S1-S4 (upper parts)
    - Tietotalo building: entrance halls on the 1st and 2nd floors; lecture, exercise and group-work rooms on the 2nd floor
    - Tamppi areena sports centre
    (information taken from Haavi, possibly not up to date)

    7. Different ways to access the network
    There are four "roles" for accessing the network, each with a different security and service level:
    1. Student access
    2. Employee access
    3. Guest access
    4. Roaming access

    8. 1. Student access
    - The student enters an access zone and the terminal receives a public IP address
    - The student launches a web browser and requests a web page; the access controller diverts the request to the SSL-protected authentication page
    - The student enters the authentication information (username@domain) and password; the access controller verifies it against the roaming proxy or some other authentication server
    - The student gains (possibly limited) access to the network
    - If the terminal fails to answer a certain number of consecutive pings (at TUT the liveness check uses DHCP requests/responses instead), it is considered logged out and a new authentication is needed

    9. 2. Employee access
    - The employee enters an access zone and the terminal receives a public IP address
    - The employee initiates a VPN connection to a known VPN terminator and authenticates with whatever means the VPN solution provides
    - The employee gains secured full access to the department intranet, and possibly also a virtual IP address from the trusted network
    - The chosen VPN solution may be configured to decide when the user has logged out of the access zone, or the employee can log out by terminating the VPN connection

    10. 3. Guest access
    - The guest enters an access zone and launches a web browser; the authentication page carries a link and instructions for guest access
    - The host or another authorized person approves the guest registration and selects the validity time of the guest account
    - The guest gains network access with the guest account
    - Otherwise it works like the student account, except that once the validity time has ended the account cannot be used for a new authentication

    11. 4. Roaming access
    - Same procedure as student/employee access, except that after the roaming user has entered the authentication information and password, the access controller verifies the authentication via the roaming proxy
    - The roaming user then has access to the network and may use it like a student, or initiate a VPN connection of their own
    - Same logout procedure as in student/employee access
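The four access procedures in slides 8-11 are one state machine seen from the access controller. The model below is an added example, not code from the TUT deployment or the ICEFIN project; the portal address `LOGIN_URL`, the campus realm `LOCAL_REALM`, the probe limit and the sample accounts are assumptions made for illustration. It shows what the slides describe but do not spell out: an unauthenticated client's HTTP request is diverted to the SSL login page, username@domain is checked locally, as a host-registered guest account, or via the roaming proxy, an employee has only limited access until the VPN is up and is logged out when it goes down, a guest session dies at the validity time, and a terminal that stops answering liveness probes is logged out and must authenticate again.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

LOGIN_URL = "https://login.example.invalid/"  # assumed address of the SSL login page
LOCAL_REALM = "tut.fi"                         # assumed campus realm
PROBE_LIMIT = 3                                # missed liveness probes before forced logout


@dataclass
class Session:
    user: str
    role: str                         # "student", "employee", "guest" or "roaming"
    expires_at: Optional[float]       # absolute time; only guest accounts expire
    vpn_up: bool = False
    missed_probes: int = 0


class AccessController:
    """Models the access controller between a public access zone and the rest of the network."""

    def __init__(self, local_users, guest_accounts, roaming_proxy):
        # local_users:    {"name@tut.fi": (password, role)}          (constructed sample data)
        # guest_accounts: {"guest@tut.fi": (password, expires_at)}  (registered by a host)
        # roaming_proxy:  callable(username, password) -> bool      (foreign realms)
        self.local_users = local_users
        self.guest_accounts = guest_accounts
        self.roaming_proxy = roaming_proxy
        self.sessions = {}            # client IP -> Session

    def http_request(self, client_ip, url):
        """An unauthenticated client's HTTP request is diverted to the login page."""
        if client_ip not in self.sessions:
            return ("redirect", LOGIN_URL)
        return ("allow", url)

    def login(self, client_ip, username, password, now):
        """Verify user@domain locally, as a guest account, or via the roaming proxy."""
        if "@" not in username:
            return "reject"                              # form must be user@domain
        realm = username.rsplit("@", 1)[1].lower()
        if realm != LOCAL_REALM:
            if not self.roaming_proxy(username, password):   # the home server decides
                return "reject"
            role, expires_at = "roaming", None
        elif username in self.guest_accounts:
            stored, expires_at = self.guest_accounts[username]
            if not hmac.compare_digest(stored.encode(), password.encode()) or now >= expires_at:
                return "reject"                          # bad password or validity time over
            role = "guest"
        elif username in self.local_users:
            stored, role = self.local_users[username]
            if not hmac.compare_digest(stored.encode(), password.encode()):
                return "reject"
            expires_at = None
        else:
            return "reject"
        self.sessions[client_ip] = Session(username, role, expires_at)
        return "accept"

    def access_level(self, client_ip):
        """'none' before login, 'limited' after it, 'full' only while the employee VPN is up."""
        s = self.sessions.get(client_ip)
        if s is None:
            return "none"
        return "full" if s.vpn_up else "limited"

    def vpn_state(self, client_ip, up):
        """The VPN terminator reports tunnel up/down; tearing it down logs an employee out."""
        s = self.sessions.get(client_ip)
        if s is None:
            return
        s.vpn_up = up
        if not up and s.role == "employee":
            del self.sessions[client_ip]

    def probe(self, client_ip, answered, now):
        """Record one liveness probe (DHCP request seen, or ping answered).
        Returns True while the client stays logged in."""
        s = self.sessions.get(client_ip)
        if s is None:
            return False
        if s.expires_at is not None and now >= s.expires_at:
            del self.sessions[client_ip]                 # guest validity time ended
            return False
        s.missed_probes = 0 if answered else s.missed_probes + 1
        if s.missed_probes >= PROBE_LIMIT:
            del self.sessions[client_ip]                 # terminal gone: log in again
            return False
        return True


def demo_controller():
    """Constructed sample accounts; the roaming proxy stub accepts a single visitor."""
    return AccessController(
        local_users={"student1@tut.fi": ("s3cret", "student"),
                     "staff1@tut.fi": ("hunter2", "employee")},
        guest_accounts={"guest7@tut.fi": ("visit", 2000.0)},
        roaming_proxy=lambda u, p: (u, p) == ("visitor@oulu.fi", "pw"),
    )
```

The liveness probe is the weak point of this design and worth noting: a session is bound to the client IP address, so whatever the controller uses as proof of life (ping replies or DHCP renewals) is also what another station on the same open radio path would need to imitate to inherit the session. That is one reason the slides insist on SSL and VPN on top of the portal login rather than trusting the session alone.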

    12. Access requirements from the terminal's point of view
    To access the network via WLAN, an individual user needs:
    - a WLAN network card that supports the 802.11b standard and is Wi-Fi interoperable
    - a web browser that supports TLS/SSL (e.g. Mozilla, Netscape, Opera, Internet Explorer)
    - VPN software and an established VPN connection, if Windows network services are to be used
    - and of course a valid intranet username and password
    The access procedure itself was described above.

    13. WLAN network architecture
    Architecture design goals
    Sufficient security
    - employees: strongly secured access to the department network
    - students: basic authentication and secured, limited services
    - guests: host-controlled access
    - roaming users: ability to use a VPN to set up a secure connection to their home network
    Flexibility, scalability and upgradeability
    - it should be easy to install new services, network elements and upgrades
    - the architecture should not limit the growth of the network

    14. cont'd
    Interoperability, standards, openness
    - the architecture must support both commercial and non-commercial network elements via standard interfaces
    - open standards and interfaces are preferred; closed standards should be avoided
    Usability
    - the basic access procedure should not require any specific client software, hardware or operating system on the user terminal (web-based access)

    15. Network structure (figure: public access networks, access controllers)

    16. cont'd
    - In the previous picture the intranets and the public access networks are separated from each other, and the intranets have to be protected from unwanted traffic coming from outside
    - Public access networks are available e.g. to students, and they can be used without posing a threat to the TUT core network or the department intranets
    - A public access network has to be treated as just as hostile as the Internet, and this must be taken into account when designing and configuring the firewalls in TUT's network; consequently a public access network cannot sit inside the firewall-shielded networks

    17. Public and combined access zones (figure)

    18. cont'd
    - In the previous picture, a public access zone is a zone where access occurs randomly and the network is not used regularly
    - A combined access zone is a zone where both department employees and students/guests can gain access to the network
    - The main advantage is that separate radio paths do not have to exist for the different kinds of users
    - One important aspect is that the radio path from the user terminal to the access point is not encrypted, so students and employees must use secured protocols such as SSL
    - Employees have to use a VPN to gain full access to the department intranet

    19. WLAN radio network
    - The TUT WLAN concept uses the 802.11b standard in the 2.4 GHz band; the band is unlicensed, so it has to be taken into account that many other devices may use the same frequencies and interfere with the WLAN
    - Heavy wall structures and metallic elements increase attenuation; in the worst case the signal is absorbed by some material and cannot get around it by reflection
    - Access points therefore have to be placed strategically so that the coverage area is as large as possible
    - Next, an example of how this was done at the Institute of Communications Engineering

    20. Example of WLAN radio planning
    - five access points with table antennas (2.5 dBi)
    - 1st floor (orange line), 2nd floor (blue line)
    - real coverage areas are much larger and asymmetric
    - a user terminal reaches 2-3 access points from every position within the coverage area
    - the short distances between access points also support the 802.11g/a standards

    21. TUT WLAN in the future
    - A WPA/WPA2 network will exist in parallel with the current WLAN
    - based on the 802.11i standard (enhanced security at the MAC level)
    - uses AES (Advanced Encryption Standard), a symmetric block cipher
    - compatible with IPv6 addresses
    - possibly using the 802.11g/a standards for higher data rates
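What "enhanced security at the MAC level" buys over the current open radio path is a per-association key hierarchy. The block below is an added example, not part of the slides or of any TUT software, and it implements the 802.11i pre-shared-key case: the passphrase and SSID are stretched into a 256-bit PMK with PBKDF2-HMAC-SHA1 (4096 iterations), and each association derives a fresh PTK from the PMK, both MAC addresses and the two handshake nonces, then splits it into the KCK (handshake integrity), KEK (key wrapping) and TK (the AES-CCMP data key). The MAC addresses, nonces and the message-2 body in `four_way_handshake` are constructed; the PMK test vector (passphrase "password", SSID "IEEE") is the one from the 802.11i annex.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n from 802.11i: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key for CCMP (384 bits), split into KCK, KEK and TK.
    Addresses and nonces are ordered min/max so AP and station derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC of an EAPOL-Key frame under AES-CCMP: HMAC-SHA1 truncated to 128 bits,
    computed over the frame with its MIC field zeroed."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed association. Returns the per-session keys and whether the AP accepted
    the station's message-2 MIC. Neither the PMK nor the PTK is ever sent over the air."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    aa = bytes.fromhex("001122334455")        # constructed AP MAC address
    spa = bytes.fromhex("66778899aabb")       # constructed station MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Message 1 (AP -> STA) carries ANonce; message 2 (STA -> AP) carries SNonce + MIC.
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = b"\x02\x03" + b"\x00" * 16 + snonce   # constructed body, MIC field zeroed
    mic = eapol_mic(sta["kck"], msg2)
    # The AP derives its own PTK and checks the MIC: proof that the station holds the PMK.
    ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    accepted = hmac.compare_digest(mic, eapol_mic(ap["kck"], msg2))
    return {"pmk": pmk, "tk": ap["tk"], "accepted": accepted, "same_ptk": ap == sta}
```

Two practitioner caveats follow from the code. The 4096 PBKDF2 iterations are the only cost standing between a captured handshake and an offline guess at the passphrase, so a PSK network on a campus is only as strong as its secret and its distribution; with 802.1X/EAP the PMK comes from the authentication server per user instead, which fits the RADIUS infrastructure the later slides describe. And the min/max ordering in `derive_ptk` is not cosmetic: without it the two ends would compute different PTKs and the MIC check in message 2 would fail.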

    22. FUNET roaming
    - FUNET roaming means that a user can gain access to another university's network using the username and password of their home network
    - Roaming reduces the need for guest accounts
    - It uses a common structure and common authentication procedures: the proxy function of the RADIUS protocol
    - The username has the form username@realm (e.g. username@tut.fi)
    - Based on the realm, the authentication request is forwarded to the right authentication server
    - It works if the RADIUS protocol is used in the university's authentication procedure

    23. Example of hierarchy

    24. Regional Roaming

    25. Non-regional Roaming

    26. cont'd
    All the big universities in Finland participate in FUNET roaming:
    - University of Oulu (PanOulu)
    - University of Turku (SparkNet)
    - University of Vaasa (Wireless Mobile Vaasa)
    - Lappeenranta University of Technology (Wireless Lappeenranta Network)
    - and also Seinäjoki (WirLab)
    FUNET is now also an eduroam member, which allows roaming in most big universities around Europe and Australia!
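Slides 22 to 26 describe realm-based forwarding through a hierarchy of RADIUS proxies without showing the routing step. The model below is an added example, not FUNET's or eduroam's software, and the server names, realm tables and sample users are constructed. Each node authenticates the realms it serves itself and otherwise looks the realm up in its proxy table (longest suffix wins, so a sub-realm still reaches its home institution); an unknown realm goes to the parent proxy, and the top-level node rejects what nobody serves. A hop counter rejects the request when a misconfigured table would bounce it back and forth forever, which is the failure mode a proxy hierarchy must handle.

```python
import hmac

MAX_HOPS = 8          # constructed ceiling; stops requests from circulating between proxies


def split_realm(username: str):
    """username@realm -> realm (lower-cased), or None when no realm is given."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1].lower()


def suffixes(realm: str):
    """'cs.tut.fi' -> ['cs.tut.fi', 'tut.fi', 'fi']: longest match wins in the routing table."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class RadiusNode:
    """A RADIUS server that authenticates some realms itself and proxies the rest."""

    def __init__(self, name, local=None, routes=None, parent=None):
        self.name = name
        self.local = local or {}       # realm -> {username: password}  (constructed users)
        self.routes = routes or {}     # realm suffix -> RadiusNode     (proxy table)
        self.parent = parent           # where unknown realms go; None at the top level

    def authenticate(self, username, password, hops=None):
        """Return (RADIUS result, list of servers the request passed through)."""
        hops = [] if hops is None else hops
        hops.append(self.name)
        if len(hops) > MAX_HOPS:
            return "Access-Reject (proxy loop)", hops
        realm = split_realm(username)
        if realm is None:
            return "Access-Reject (no realm)", hops
        for suffix in suffixes(realm):
            if suffix in self.local:
                # Home server: the only place the password is ever checked.
                stored = self.local[suffix].get(username, "")
                ok = hmac.compare_digest(stored.encode(), password.encode())
                return ("Access-Accept" if ok else "Access-Reject"), hops
            if suffix in self.routes:
                return self.routes[suffix].authenticate(username, password, hops)
        if self.parent is not None:
            return self.parent.authenticate(username, password, hops)
        return "Access-Reject (unknown realm)", hops


def build_hierarchy():
    """Constructed FUNET/eduroam-style tree: campus servers under a national proxy,
    national proxies under a top-level node. Names are illustrative, not real hosts."""
    top = RadiusNode("eduroam-top")
    funet = RadiusNode("funet", parent=top)
    dfn = RadiusNode("dfn", parent=top)
    tut = RadiusNode("tut", local={"tut.fi": {"bob@tut.fi": "pw-bob"}}, parent=funet)
    oulu = RadiusNode("oulu", local={"oulu.fi": {"alice@oulu.fi": "pw-alice"}}, parent=funet)
    unix = RadiusNode("uni-x", local={"uni-x.de": {"hans@uni-x.de": "pw-hans"}}, parent=dfn)
    funet.routes = {"tut.fi": tut, "oulu.fi": oulu}
    dfn.routes = {"uni-x.de": unix}
    top.routes = {"fi": funet, "de": dfn}
    return {"tut": tut, "oulu": oulu, "uni-x": unix, "funet": funet, "top": top}


def build_loop():
    """Misconfiguration: the national proxy routes tut.fi to a server that no longer
    serves that realm locally and forwards unknown realms straight back."""
    funet = RadiusNode("funet")
    stale = RadiusNode("tut-stale", parent=funet)
    funet.routes = {"tut.fi": stale}
    return stale
```

The hop list returned with every result is what an operator would want in the logs: it shows the regional case (TUT to FUNET to Oulu) and the non-regional case (TUT to FUNET to the top level to another national proxy) from the slides as concrete paths, and it makes the loop case visible rather than silent. In a real deployment the password also never travels in the clear along that path; EAP methods carry it inside a TLS tunnel to the home server, and the proxies only need the realm part of the identity to route.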

    27. EDUROAM Participant countries

    28. References
    - http://www.eduroam.org/
    - http://www.tut.fi/haavi
    - http://www.atm.tut.fi/tut-public-access/
    - http://www.atm.tut.fi/public-access-roaming/
    - interview with Karri Huhtanen
