University of Tennessee Implements 802.1x

Tennessee won't use digital certificates, because it doesn't want to deal with encryption keys, Hanset says. Instead, the university will use TTLS (Tunneled Transport Layer Security) to authenticate the servers. "It's like SSL, and you don't need a PKI [public key infrastructure]," he says. Meanwhile, Hanset and his IT team will monitor the unsecured segment by MAC address, the same way the university blocks unauthorized usage today.

Tennessee went wireless in 2001, before it was trendy to do so on most college campuses (see "The Hard Sell," below). When the 27,000-student campus launched the wireless network with some donated Agere Systems wireless equipment, students, faculty and staff had to authenticate themselves to the security server; the entire process was encrypted. Not long after that initial security architecture fell flat, Tennessee switched to Proxim Orinoco AP-2000s. They came with standard 802.1x security support and expansion slots for upgrades to 802.11a and 11g.

The total cost of the 802.11b WLAN infrastructure was $2.5 million, plus deployment labor. Users buy their own adapter cards. "If you pay for a wired port, you get wireless for free," Hanset says.

The WLAN is split into large virtual LANs to avoid IP-address contention with the campus' wired network. "With a wireless VLAN, you don't even have to touch the building's wired subnet," Hanset says.

Unwired CampusTennessee's WLAN spans all 130 campus buildings and supports about 2,000 students, faculty and staff daily. More than 8,000 users are registered on the 802.11b network, which runs at up to 11 Mbps. "But we really get only 5 Mbps," Hanset says. "You use the wired network if you're looking for speed."

Wireless users generally don't connect at the full data-transfer rate because the connections are shared and performance dissipates as users move farther away from access points.

Today, users join the WLAN through a registration server that's integrated with an LDAP directory. Once they're registered, they can access the network anytime from anywhere on the WLAN. Registration won't be so convenient with the new 802.1x security architecture, however: Each time students open their laptops, they'll have to reauthenticate. "That's an annoyance," Hanset admits. The only way around that is to save settings, which defeats the purpose of authentication, he says.

Wireless security breaches at Tennessee have been similar to those on most campuses--a rogue wireless access point smuggled into a dorm, or an occasional war driver cruising campus. One popular method of hijacking Tennessee's airwaves is to tap into a WLAN "leak" from one of the university's buildings using a powerful antenna. "If you're in the line of sight, you can get broadband with this shortcut," Hanset says.

Hanset and his team detect these incidents by monitoring the bandwidth consumption of registered users. But what if the culprit isn't registered? You can't catch him, Hanset says, but you can time-out the session. "We can detect this by behavioral analysis" and by the user's MAC address, he says.Speaking of bandwidth, some of the university's large classes are restricted in what they can do with the 802.11b WLAN. An intro class of 200 students, for instance, can't all download the professor's broadcast slides at the same time.

"When peaks of demand are synchronized, it's very demanding on the WLAN," Hanset says. "They complain about the slowness due to the congestion. It's limiting what instructors can do and limiting collaborative classrooms."

To remedy that, Hanset says the university eventually will add support for 802.11a and 802.11g, both running at up to 54 Mbps. The good news about 802.11g is that it's backward-compatible with 802.11b. The bad news is that if an 802.11b user needs to talk to the network, the access point has to switch between the two protocols, and the throughput reverts to 802.11b's 11-Mbps limit.

Meanwhile, 801.11a would work well for Tennessee's densely populated areas--especially classrooms--because it operates at 5 GHz, compared with 2.4 GHz for b and g. The lower frequency is commonly used in cordless telephones and other consumer electronic equipment, often causing interference.

"We're already advising students to use a and g," Hanset says. And Tennessee has added 802.11a and g cards to some of its access points.Power Trip

Power Trip

Not surprisingly, electrical power is a big piece of the WLAN. "No student's laptop battery can sustain a full day of classes," Hanset says. So the university runs Power over Ethernet, where both power and data run over the same Category 5 cable to the access point. "We use 100 percent Power over Ethernet injectors all over campus," Hanset says.

This lets the IT department remotely manage power: It can reboot an access point automatically, without having to physically unplug it.

Next for Proxim's WLAN is integrating voice and data. "Then," Hanset says, "users can roam between cellular and WLAN with new cell phones and reduce their cost per-minute."Tell us about you Network and we may profile it in a future issue. Send e-mail to [email protected] or call (516) 562-5914.

Philippe Hanset: Senior Network Engineer; University of of Tennessee, Knoxville.

Philippe Hanset, 38, is a senior network engineer at the university. His responsibilities include designing, implementing, managing and supporting the university's wireless LAN, as well as configuring the new security architecture based on 802.1x. Hanset has been with the university for five years and in IT for 14. He holds an M.S. degree in computer science from the university.

If I knew then what I know now:"Use secure applications, and leave networks to transfer packets freely. Standards, standards, standards."

Most bizarre breach of the wireless LAN:"A person was spoofing MAC addresses on a permanent basis with one-digit increments. Our monitoring scripts detected it and spotted the access point. A longtime colleague and friend found the culprit, who was hiding in the campus library. The expression on his face when he was found was worth every moment of that chase. Turns out he was a computer science major testing a few of his inventions. No harm done."

Biggest myth about university WLAN security:"It's an oxymoron."Biggest mistake made in technology circles today: "Clickable attachments."

Best advice I've ever gotten: "Don't make yourself indispensable."

Biggest bet I've ever made: "A bet with a scientist colleague on whether it was a full moon one evening. She won an invitation to a Moroccan restaurant, and now we're married with three kids."

Hanset's rant on security: "I'm for a balanced ratio of security and convenience. Users should be aware of the dangers when they join networks. It should be the duty of universities to educate people on safe computing."

For fun: "Playing with my kids, bicycling, coaching soccer."Wheels: "A 1983 Volvo. My other 'car' is a bicycle."The University of Tennessee's WLAN has come a long way since it was first mandated by a visionary former university president.

"He called my boss and said, 'I need a wireless plan in three days,' " says Philippe Hanset, senior network engineer at the Knoxville-based university. "In 18 months, the entire university was wireless."

Wireless caught the president's attention after some earlier successful pilots in the architecture, computer science and business administration departments, and he had some available funding.

With the WLAN now an integral part of campus life, security awareness has become a hot button. In fact, the university administration, under a new president, called on IT to resecure the WLAN. Hanset and his colleagues spent more than a year analyzing wireless security gateways and decided they came with too much overhead.

"We design networks to increase bandwidth, but gateways tend to slow down traffic," Hanset says.802.1x with EAP-TTLS offered both authentication and encryption with little bandwidth drain. "Basically, we got seduced by 802.1x because it's local to the access point's distributed CPU and you get encryption over the air for free in the process," Hanset says.

Although university officials found 802.1x's authentication, encryption and availability for the access points impressive, they expressed concern about support.

"What [the administration] and I feared most was the support issues of 802.1x supplicants on different computers with different OSs," Hanset says. "But we'll have to live with the support issues and adapt."