Introduction

Trinity guest network project objective

College wireless network overview

Public wireless/hospitality internet access

Guest network access challenges

Guest access solution

IP3 NetAccess subscriber gateway

Outcomes and future developments

Trinity Guest Network Project

Objective: To facilitate the connection of short stay authorised Guests to the College data wireless (mandatory) and wired (desirable) network.

Examples of authorised Guests:
- Conference delegates
- Visiting academics and Library readers
- VIPs, sales representatives, contractors
- Summer accommodation visitors

College wireless network overview

Size and locations
– 750 users last academic year
– Approx. 145 APs in 50 locations: main Campus, St James, Dartry, D’Olier Street, Foster Place/College Green complex

College wireless network overview (cont)

- Enterprise class, based on Cisco Structured Wireless Aware Network (SWAN)
- Secure
  – 802.1X/EAP authentication via RADIUS/AD
  – Dynamic 128-bit encryption
  – MAC address registration
  – VLAN’ed
- Clients
  – 802.1X compatible
  – College AD domain, OS patches, AV, high support
- Internet connectivity limited, LAN based services available

Public wireless hotspots/Hospitality Guest Internet access

- Low security
- Any wireless client adapter will connect
- Little wireless client configuration to connect
- Full or almost full internet access
- Connection established using a prepaid access code or credit card via a web based login portal
- Connectivity and session management is usually controlled by a wireless gateway device providing a reliable controlled connection

Guest network access challenge

- To provide a reliable network service to guests with the following characteristics:
  – Low client configuration
  – Access code/portal authentication
  – Compatibility for most hardware and software types
  – Low user support requirements
  – Feature rich in terms of internet availability
- Benefit from existing extensive infrastructure
- Protect College’s other data networks and reputation from intentional/unintentional misuse of guest network

Guest access solution

- Provide public wireless hotspot/hospitality type connectivity features using the existing campus network infrastructure
- This is achieved by “overlaying” a Guest enabled network on the existing campus network using VLAN technology and an internet gateway device
- A number of internet gateway devices were evaluated

Devices evaluated:

- Bluesocket WG5000 wireless gateway (August 2004). www.bluesocket.com
- Cisco Building Broadband Services Manager (BBSM) ver 5.3 (May 2005). www.cisco.com
- IP3 NetAccess NA1500 internet gateway (July 2005). www.ip3networks.com

Primary evaluation criteria:

- VLAN based guest client discovery*.
- Ability to generate its own access codes to facilitate Guest authentication*.
- Session and bandwidth control, logging and accounting.
- Ease of integration with existing campus network infrastructure, must support min. 1000+ users.
- Customisable login portals, DHCP (NAT/PAT), SMTP, support for RADIUS authentication.

Evaluation Outcome:

                                        Bluesocket WG 5000   Cisco BBSM 5.3   IP3 NA1500 NetAccess
VLAN based client discovery*            YES                  NO               YES
Ability to generate own access codes*   NO                   YES              YES
All other features                      YES                  YES              YES

Guest overlay architecture

[Diagram: Wired Guest (VLAN 14) and Wireless Guest (VLAN 14, Authentication: OPEN) shown alongside Wired Staff/Student etc. and Wireless Staff/Student (Authentication: 802.1X/EAP); other labelled elements: IP3, Enterprise Network, Firewall, IDS appliance, Internet.]

IP3 NetAccess subscriber gateway

Access Control, Billing, and Subscriber Management Solution

- Flash-based Network Appliance
- 802.1Q VLAN support
- Internal Access Code Generation & Authentication
- Custom Login Portals
- Integrated DHCP, Firewall, & Web Servers
- RADIUS AAA support
- Supports VPN Pass-Through

1. Guest connects to wired/wireless network (SSID: TCDguest)

2. Guest client obtains DHCP assigned private IP address, opens Web browser, IP3 redirects to custom login screen.

3. Guest enters guest access code

4. IP3 provides authentication & accounting

5. IP3 manages bandwidth, access code duration.

IP3 NetAccess manages Guest Internet Connections

[Diagram label: Internet, E-mail, VPN, etc.]
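
The five-step flow above, modelled as an added Python example; it is not IP3 NetAccess code. The portal URL, the in-memory code table and the use of the client MAC address as the session key are assumptions, only one-off session codes are modelled, and bandwidth shaping is left out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PORTAL_URL = "https://guest-portal.example/login"   # hypothetical portal address

@dataclass
class Gateway:
    codes: dict                                     # access code -> session length (constructed data)
    sessions: dict = field(default_factory=dict)    # client MAC -> session expiry
    log: list = field(default_factory=list)         # accounting records

    def login(self, mac, code, now):
        """Steps 3-4: check the code, open a timed session, write an accounting record."""
        length = self.codes.pop(code, None)         # pop: a code opens one session only
        if length is None:
            self.log.append((now, mac, "login-rejected"))
            return False
        self.sessions[mac] = now + length
        self.log.append((now, mac, "login-ok"))
        return True

    def handle_http(self, mac, url, now):
        """Steps 2 and 5: default-deny until login, and re-check expiry on every request."""
        expiry = self.sessions.get(mac)
        if expiry is None or now >= expiry:
            self.sessions.pop(mac, None)            # drop expired state
            return ("redirect", PORTAL_URL)
        return ("forward", url)
```

Because expiry is evaluated on each request rather than only at login, a session cannot outlive its access code duration.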

IP3 NetAccess

Portal groups:

Combination of the following:
– Assigned (Guest) VLAN
– Assigned (customised) login portal
– Payment method (access code)
– Product (e.g. 512K bandwidth)

Portal Groups

Portal groups cont’d

Portal Groups – VLANs

Portal Groups – Login portal

Portal Groups – Login portal

Portal Groups – Payment methods

Portal Groups – Products

Portal Groups – Products cont’d

Access codes - overview:

- Created using access code generator.
- Codes may be valid between a fixed start/end date or allow a one-off session from time of activation.
- The generated access codes can be exported from the IP3 appliance in .CSV format.
- The exported codes are then merged with a customised TCD access code token template before printing.
- Codes are printed from a standard LaserJet colour printer using Avery business card labels.
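
The two validity modes and the CSV export listed above, as an added Python example; it is not the IP3 appliance's generator. The code alphabet and length, the field names and the CSV columns are assumptions, since the slides do not show the appliance's export layout.

```python
import csv
import io
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed token alphabet: no 0/O or 1/I/L, which are easy to misread on a printed label.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"

@dataclass
class AccessCode:
    code: str
    mode: str                               # "window" or "session"
    start: Optional[datetime] = None        # window mode: first valid instant
    end: Optional[datetime] = None          # window mode: last valid instant
    duration: Optional[timedelta] = None    # session mode: length once activated
    activated: Optional[datetime] = None    # session mode: set on first use

def new_code(length: int = 10) -> str:
    """Draw every character from the OS CSPRNG (31**10 is about 8e14 possible codes)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def redeem(ac: AccessCode, now: datetime) -> bool:
    """Return True if the code grants access at `now`; any unknown mode fails closed."""
    if ac.mode == "window":
        return ac.start <= now <= ac.end
    if ac.mode == "session":
        if ac.activated is None:            # first use starts the clock
            ac.activated = now
        return now < ac.activated + ac.duration
    return False

def export_csv(codes) -> str:
    """Serialise codes for the print merge; the column names are hypothetical."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["code", "mode", "start", "end", "duration_minutes"])
    for c in codes:
        writer.writerow([
            c.code, c.mode,
            c.start.isoformat() if c.start else "",
            c.end.isoformat() if c.end else "",
            int(c.duration.total_seconds() // 60) if c.duration else "",
        ])
    return buf.getvalue()
```

The exported file holds live credentials until the codes expire, so it warrants the same handling as the printed tokens.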

Access codes - generation

Access codes generation - cont’d

Access codes - tokens

Outcomes

Over 500 guest users have been facilitated since the system was rolled out in August 2005
– First trial end July, Maths Lattice conference (55)
– Production end Aug, Eurographics 2005 (>200)
– Sept., BA conference (BA press users fallback)
– Sept., EDNO, Maths, Nursing Studies
– many individual requests

Outcomes (cont)

I wanted to say that the wireless access in the printing house worked flawlessly yesterday. Our international evaluation panel and the SFI and IDA minders plugged in, retrieved their e-mail and I think this helped enormously in getting across an image of a professional organization with its act together.

One of the panellists from a University in the South of England commented that he'd never be able to get this kind of service in his home University!

So the day was a big success from our point of view. Thanks Again,

Future Developments

- There has been much interest from the College community in this new service; strong demand is anticipated during the 05/06 academic year
- Automate process of distributing access codes
- Using other authentication methods and additional VLANs to provide:
  – Quarantine/basic services network
  – PDA and handhelds
  – Facilitate Eduroam visitors