Big WLAN on Campus

The recent adoption of authentication and encryption standards for wireless LANs has calmed IT nerves to the extent that many enterprises are now planning giant wireless build-outs. Because large universities have been dealing with the problems of large wireless networks longer than most other enterprises, there is a lot of learn from that sector.

In fact, "the bulk of the general market installations today" -- sites with more than 1,000 access points (APs) -- are in universities, according to Lynn Lucas, Proxim's vice president of product management. Proxim had an early focus on providing wireless equipment to universities starting with their pre-802.11b RangeLAN 2 equipment that ran at 2 Mbps.

Indeed, some colleges and universities started installing massive WLANs as early as the late 1990s. These networks often must handle a tremendous amount of heterogeneity, which, in turn requires both strong central management and flexible solutions. As a result, many universities have developed their own best practices from the chaos of protocols, devices, and operating systems that they've had to support.

That's why IT managers in enterprises that are just now starting to plan large WLAN build-outs can go back to college and learn some important lessons.

Management ToolsIn the early days of large-scale WLANs, companies contended with sometimes unreliable hardware and firmware, even from major vendors that were still learning how to build APs that could handle strong radio frequency, network, and computational demands. This problem has declined dramatically, with most universities interviewed viewing hardware failure as practically a non-problem.

For instance, Lev Gonick, vice president of information technology services at Cleveland's Case Western University, experienced virtually no access point deaths in switching nearly 1,500 Cisco units from 802.11b to 802.11g radios this last summer.

"The management is more about monitoring traffic loads, monitoring for rogue access points, and updating firmware to take advantage of new software capabilities," said Proxim's Lucas. While she has a vested interest, real-world IT managers echo her view.

Whether using a home-brew management tool, Cisco's Wireless LAN Solution Engine (WLSE) for Cisco-only networks or, for heterogeneous networks, AirWave Management Platform (AMP) or Wavelink Mobile Manager, a centralized management console is the only way to handle a network of any scale, managers agree. (Click here for a review of the current versions of Wavelink Mobile Manager and AirWave).

Such a console is particularly important for deployment, several managers noted. Tom Zeller, telecommunications technical adviser at Indiana University, said his team will install 600 access points in the next year."We have a team of people out in the field all the time with walkie-talkies, adding switches, replacing switches, adding access points," Zeller said. He added that their use of AMP makes it simple to grow and upgrade the network.

Unauthorized or parasitic access points are as much an issue for universities as corporations, and IT managers rely on their centralized tools to alert them to activities that might compromise network security. In interviews, Cisco and Proxim emphasized that their rogue detection software tied in with certain switches would allow their software to turn off an Ethernet port that powered a rogue AP.

VLAN And VPN Or Bust

Universities and colleges that have large WLANs tend to have a major issue in common with corporate enterprises: managing virtual private networks (VPNs) through a firewall into one giant virtual local area network (VLAN).

This approach is a giant, functional hack that has started to grab hold and shake some institutions that are seeing problems as user sessions, bandwidth, and networks scale.

With a VPN/VLAN approach, the WLAN is outside a firewall through which access is granted only to VPN sessions. The VLAN is needed for non-switched WLANs to provide seamless roaming with the same IP across access points and the whole campus. This is especially critical for low-latency or high-bandwidth applications like streaming video or voice over IP.This becomes unwieldy because the larger the VLAN, the greater the amount of broadcast traffic which, on a wireless network, can have a severe impact on empty time slots, choking bandwidth and increasing latency.

Indiana University's Zeller originally put all users at both the smaller Indianapolis and larger Bloomington campuses on the same VLAN. "We knew that when we did that three years ago, it wouldn't last forever," he said. The WLAN is now split into three subnets: one in Indianapolis and two in Bloomington divided by geography.

VPN access also places limits on guests, who are common at such institutions. Zeller said that, even worse, guests who need to use a VPN tunnel back to their home enterprise must employ a wired connection. And some guests come with equipment that doesn't include or support VPN client software.

Some schools place MAC (Media Access Control) layer access restrictions on top of that, but registering MAC addresses brings its own hassles and can be easily circumvented.

"We no longer bother to register MAC addresses," said Case Western's Gonick.Gonick described that process as "very cumbersome" without much benefit. He spearheaded OneCleveland, a project that offers open access to guests and the Cleveland community to Case Western's network. This bypasses the guest access problem by restricting that open network to just Internet access and public university resources.

The University of Tennessee at Knoxville doesn't authenticate at all, and relies on a process of checking for a combination of MAC, IP address, and signal strength that allows them to spot spoofed addresses and take action, according to Philippe Hanset, network architect there.

802.1X On The Horizon

All the institutions interviewed confirmed the more general industry trend of bringing wireless users in from the cold - instead of sitting outside the firewall - through the use of the 802.1X authentication protocol.

Combined with WPA and WPA2 (TKIP and AES encryption keys), academic IT managers agreed that 802.1X authentication is now robust enough to let them gradually drop their VPN concentrators.

"There is a transition afoot: we barely ever see dedicated VPN terminated wireless any more," said Jeremy Stieglitz, Cisco's product manager for WLAN security.Case Western will probably deploy 802.1X for both wired and wireless networks as a tool to reduce the amount of money and staff time spent managing VPN concentrators on both kinds of LANs, Gonick said. VPNs will remain de rigueur for remote dial-up and broadband, however.

The migration path for universities and colleges is particularly complicated given the diversity of hardware and software. Unlike many enterprises, IT personnel can't order specific platform, clients, and configurations by fiat; tenure has its privileges, and IT staff must support not just professors' whims but a range of student equipment.

"Given that we're a large university, we don't dictate what people are using, and they're using every possible device," said Zeller of Indiana University.

While 802.1X support with a variety of secured authentication protocols, such as Protected EAP, is built into Windows XP and Mac OS X 10.3, other platforms require installation of free or commercial software. This makes it impossible to simply turn off VPNs and turn on 802.1X.

University of Tennessee's Hanset described a fascinating path that his institution - with 1,250 APs and 12,000 registered users - will take by adding additional virtual WLAN networks through the use of separate SSIDs or WLAN network names. UT will offer four SSIDs with associated VLANs: one for guests, entirely separate from campus network traffic; one for 802.1X; one for MAC-based filtering through their existing system; and one for VoIP.Voice, VoWLAN, And Video

The current generation of WLAN hardware and management software has allowed thousands of higher educational institutions to provide Internet and intranet access across their campuses.

And, just like corporations, the next challenge involves building a logical and physical infrastructure that provides seamless authentication and roaming with low-latency and user-free handoff for voice and streaming video.

Glenn Fleishman is a freelance journalist based in Seattle who edits the daily Weblog Wi-Fi Networking News.