
Mobile Computing and Security: Authenticated Network Access (ANA)

Jon Peters, Associate Director

Dave Packham, Manager of Network Engineering

NetCom, University of Utah

Copyright David Packham and Jon Peters, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Background

• University of Utah, located in Salt Lake City

• Department of Network & Communication Services (NetCom), responsible for the campus network backbone, phone service, security, email, help desk and phone operators

• Hosting the 2002 Winter Olympic opening and closing ceremonies, and the athletes’ residence village

Purpose of Presentation

• Authentication through a firewall.

• Authenticated network access (ANA).

Driving Need

[Diagram: campus backbone. A Cisco LS1010 ATM switch with OC-12c and OC-3c/12c links and a Gigabit Ethernet backbone connect through a router to the Cisco 6509 Building Aggregation Switch.]

[Diagram: Fort Douglas Student Village Distribution Node. Twenty building switches (Ballfield #1–#6, Conner Road #1–#3, Guest House #1, Eleven Acres #1–#5, Village Center #1–#2, Upper Chapel #1–#3) uplink over 1000bFX links to the Building Aggregation Access Switch. Port counts per building switch, in the order listed on the slide: 48, 48, 72, 68, 68, 68, 143, 145, 180, 190, 171, 264, 219, 286, 210, 176, 176, 169, 169 and 166 10bT ports, 3,036 10bT ports in total.]

[Diagram: Fort Douglas Student Village Data Network. Access and Authorization Services sit behind the Cisco 6509 Building Aggregation Switch.]

Design Requirements

• Security

• Performance

• Scaling

• Cost

• Global authentication database model

• Minimum client side configuration

• Multi-platform support

Authentication through a firewall

[Diagram: a laptop computer on Ethernet; DHCP, WWW/DNS and LDAP servers; a firewall; a router.]

Authentication through a firewall

• Security

• Performance

• Scaling

• Cost

Authenticated Network Access (ANA) Components

• (2) redundant HSRP routers capable of supporting multiple interfaces or virtual sub-interfaces, with the ability to associate a user-supplied MAC address with each interface.

• (2) redundant DHCP servers with (2) network interface cards each.

• (2) redundant LDAP servers with (2) network interface cards each.

• (2) redundant WWW/DNS servers with (2) network interface cards each.

• (2) redundant VLAN policy servers with (2) network interface cards each.

• Fully switched network capable of spanning certain VLANs throughout the mobile computing area.

ANA

[Diagram: an ANA private network containing DHCP-1, DHCP-2, WWW/DNS, LDAP and VMPS servers behind a router. The laptop computer attaches to the ANA login Switch/Router, which connects through the Campus Switch/Router and a second router to Campus DNS and the Internet/Intranet. The client is labelled 155.101.29.100.10.f6.05.b1.00 on both the login-switch and campus-switch sides.]

ANA Process

• Initial connection

• Authentication to network

• Continuance of lease

• Link down or release of IP address

ANA Client

• The ANA Client connects to an ANA-controlled Cisco switch.

• ANA Controlled Switch (Cisco VPS1100): to which VLAN should this port belong?

• The VPS1100 places the port in the default VLAN for the VTP domain.

• The client requests and receives a DHCP address (ANA v3, shown on the slide as a PROLIANT 1850R).

• The client requests the authentication page by launching a browser.

• ANA v3 commands the VPS server to place the switch port into a new VLAN.

• The VPS server places the switch port into the VLAN assigned to the port via ANA v3.

• The client has full access to the open network.
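The port-state model behind the ANA Process list and the client walkthrough above, as an added example (not University of Utah code): a port starts in the default VLAN, moves to the open VLAN only after the web login succeeds, keeps that VLAN while the lease is renewed by the same MAC, and drops back on link-down, address release or lease expiry. `AnaController`, `Port`, the VLAN ids and the dictionary standing in for the LDAP directory are all assumptions.

```python
from dataclasses import dataclass

LOGIN_VLAN = 10  # assumed id of the VTP default VLAN (DHCP/DNS/ANA web only)
OPEN_VLAN = 20   # assumed id of the VLAN with full campus/Internet access

@dataclass
class Port:
    mac: str
    vlan: int = LOGIN_VLAN
    lease_expires: float = 0.0  # epoch seconds; 0 while not authenticated

class AnaController:  # stands in for ANA v3 plus the VMPS/VPS policy server
    def __init__(self, directory: dict[str, str], lease_secs: int = 3600):
        self.directory = directory  # uid -> password, stand-in for an LDAP bind
        self.lease_secs = lease_secs
        self.ports: dict[tuple[str, int], Port] = {}
        self.log: list[str] = []    # every VLAN move is logged ("switched, logged")

    def link_up(self, sw: str, n: int, mac: str) -> int:
        # Switch asks which VLAN the port belongs to; answer: the default VLAN.
        self.ports[(sw, n)] = Port(mac)
        self.log.append(f"{sw}/{n} mac={mac} -> vlan {LOGIN_VLAN} (default)")
        return LOGIN_VLAN

    def login(self, sw: str, n: int, mac: str, uid: str, pw: str, now: float) -> int:
        # Browser login checked against the directory; on success the port moves.
        p = self.ports[(sw, n)]
        if p.mac != mac or self.directory.get(uid) != pw:
            self.log.append(f"{sw}/{n} auth FAIL uid={uid} mac={mac}")
            return p.vlan
        p.vlan, p.lease_expires = OPEN_VLAN, now + self.lease_secs
        self.log.append(f"{sw}/{n} uid={uid} mac={mac} -> vlan {OPEN_VLAN}")
        return OPEN_VLAN

    def renew(self, sw: str, n: int, mac: str, now: float) -> bool:
        # Continuance of lease: only the MAC that logged in may renew; a lapsed lease revokes.
        p = self.ports[(sw, n)]
        if p.vlan != OPEN_VLAN or p.mac != mac:
            return False
        if now > p.lease_expires:
            self.release(sw, n, "lease expired")
            return False
        p.lease_expires = now + self.lease_secs
        return True

    def release(self, sw: str, n: int, reason: str = "link down") -> int:
        p = self.ports[(sw, n)]
        p.vlan, p.lease_expires = LOGIN_VLAN, 0.0
        self.log.append(f"{sw}/{n} {reason} -> vlan {LOGIN_VLAN}")
        return LOGIN_VLAN
```

The log list is the audit trail the slides call "switched, logged": every VLAN move records the port, the MAC and, after login, the uid.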

ANA

• Security – switched, logged, VPN usable

• Performance – < 30k

• Scaling – 50,000 S/F/S. +- 5000/day

• Cost – Log linear

• Global authentication – NID, LDAP, modular

• Minimum client side configuration – NONE!

• Multi-platform support – Linux/PDA/Mac

Daily Graphs

Long Term Graphs

Summary of Activity

• Average Number of Visits per Day on Weekdays: 468

• Average Number of Hits per Day on Weekdays: 32,956

• Average Number of Visits per Weekend: 1,009

• Average Number of Hits per Weekend: 49,250

• Most Active Day of the Week: Wed

• Least Active Day of the Week: Mon

• Most Active Date: October 01, 2000

• Number of Hits on Most Active Date: 58,379

• Least Active Date: September 20, 2000

• Number of Hits on Least Active Date: 5,624

• Most Active Hour of the Day: 18:00-18:59

• Least Active Hour of the Day: 06:00-06:59

Current Development Plan

• Addition of wireless networks and other devices.

• Addition of remote access users through VPN’s.

• Bandwidth and usage notifications.

• Post login licensed software download.

Email Address: [email protected]

Server: http://www.netcom.utah.edu/ana

Current Development Team

Dave Packham, Steve Scott, Justin Kim, Andrew Reich, Mindy Sartor

Past Team Members

John Storm, Kyle Mallory, Alexander Quilter