UBC Wireless Network - Background:
Basic component in 2001 of the University Networking Program (UNP) and E-Strategy
RFP completed to choose vendor and integrator
Initial scope completed in 2 years, on time and within budget
20% of $30.6M wired network capital project
Installation of 1200 IEEE 802.11b Cisco 1131 APs, 200 distribution switches
150+ buildings, covering 600 acres
Fiber, gigabit Ethernet core network (4x4507, 2x6509)
Wireless authentication gateway/routers (4xColubris CN3500)
RADIUS authentication servers (2xLinux Servers with Radiator)
AP Manager platform (Cisco WLSE)
Wireless Network Management Systems (2xLinux Servers with WNMS, syslog, DHCP)
Website for wireless.ubc.ca
Upgrade in 2004 to support newer radios
1400 Cisco AP1200 supporting IEEE 802.11g
Wireless Network - Current State:
Upgrade completed in 2006 to ‘Next Generation’ – Cisco Airespace
Technology shift to smart central controllers rather than intelligent APs
Entered agreement with Cisco to install appliance controllers (4x4404 controllers) with transition to 6509 Wireless Service Modules (WiSM)
8 WiSM blades in production with a failover configuration. Equals 16 controllers; each controller can support 150 APs, and each WiSM blade can support up to 300 APs.
New software management tools for large installations
AirMagnet – RF Surveyor and Management
Cisco WCS – Entire Network Monitoring, AP Stats, User Stats
Airwave Enterprise – Much like WCS but offers more flexibility
Authentication systems upgraded to address number of users
2xColubris CN5500 for UBCV, 2xCN3500 at UBCO, CN3500 at VGH
SSIDs in use
ubc, ubcsecure, ubcdevice, telephony, FatPort, eduroam
Coverage - Point Grey, Robson Square, Kelowna (UBCO), VGH & DHCC (through partnership with Vancouver Coastal Health Authority)
Wireless Network Services Overview:
Lessons Learned:
Utilization
High user adoption: from 1,400 unique users / day in 2003 to nearly 10,000 in March 2007
Challenging for management tools – time to push out config changes, db size
SSID: open
WEP authentication not offered: false illusion of security, easily cracked in a few minutes
Open authentication to UBC LDAP services (Campus Wide Login, CWL) with SSL encryption
Easier to use for most users - 80% default to Windows wireless networking
No security or encryption between client and AP
Users are informed on portal to use encryption for applications (UBC VPN service, ssh)
Website documentation provided on ubcsecure
SSID: ubcsecure (802.1x, WPA, TKIP, PEAP)
Slow adoption, more setup steps needed by PC user.
No third party client supplicants or installations – this is not supportable
Application security is still needed
Early Windows Vista incompatibilities – may be fixed by a Radiator 3.17 upgrade
Security Success Factors and Issues:
Physical Security of APs
Generally APs are hidden from view or locked in enclosures
Management software helps to alert on missing APs
RF Management
UBC RF Policy in place
Necessary to enable effective policies for interference and rogue APs
Enforcement is difficult
Housing areas are generally not covered with wireless – too much interference from other devices
Management software
Required for AP management
Campus IT Security and Appropriate Use Policies
Dedicated Implementation and Operational Teams
Regular service meetings from all support areas
FatPort pilot project
Extending secure network access for UBC community
Removes the need to provide guest / conference UBC accounts and billing
Future:
Extending Coverage – campus
Mesh technologies being explored mainly for outdoor and small remote sites
Roaming capabilities to be maintained
Extending Coverage – off campus – eduroam project
Confederation policies between participating organizations required
Increase ubcsecure use
Awareness campaigns needed for value of security
Newer client OSes are helping to make this easier
RF Telephony deployments
Possibly increasing the deployment of Wi-Fi phones
Waiting for 3-way and 4-way phones (cellular/802.11b/g/a)
Funding
Presently there are no client costs - further central funding needs to be secured.