Internet Access Service Case Study 2012 Presenter Peter

Internet Access Service Case Study 2012 Presenter: Peter Kurtz, Manager Network & Communication Services • Information & Communication Technology Services

Overview § § § Drivers for Change Project Governance Change Management Internet Quota Recommendation The ITO Implementation Internet Routing Solution Network Design New IAS Features GU Developed Enhancements How did we know it worked? What’s Next ?

Drivers for Change § Old Netcheck system hardware & software EOL § Netcheck system could not scale o Student Nos expected to increase 35, 000 to 40, 000 by 2013 -14 o Internet usage expected to increase by 50% over next 5 years o Major insourced IT services expected to move to the cloud § Internet Client experience could be improved o Staff and students have to manually login/off using web interface o Students can only top up their usage at the Library Cashier o Student and Staff can only obtain basic usage details § Call Accounting & Directory System EOL

Project Org Structure § Governed by a project board with the IT Director as chair » Members included: AD Infrastructure, Client Rep (IT Fac), Service Desk Rep, Project Manager, Service Manager, AD Identity and Authentication » Project Board met once per month and required § Project Team was responsible for implementation » Members included: Proj Mgr, BA, CM, Service Mgr, Tech Lead, Net Eng, SW Eng, Billing Administrator » Weekly Meetings § Evaluation Group » Members included: Proj Mgr, Service Mgr, AD Security, Senior Finance Officer, Tech Ref Grp Chair, Client Rep Research § Technical Ref Group – 10 members, formed as required § Client Ref Group – 12 members, formed as required

Change Management § § Draft CM & Marketing Plan was developed Feedback mechanisms from clients: o o § Student surveys Staff focus workshops, and meetings etc Important issues were identified from feedback: o o Wireless configuration needs to may easier o Faster Access and Log in process o § Quota model could be improved Single Sign On Marketing and Info Sharing Activities o Service name change competition o Posters in library and student labs o Student market days – Lollipop o Staff focus workshops, and meetings etc

Internet Quota Options § Existing quota based on enrolled subjects o Under-Grad/Post 0. 5/0. 75 GB for 40 credit points o 10 -20% of students will go over quota o Usage fits within AARNet usage allowance § Monthly Student Quota – 1. 2 GB o Double existing avg quota o 5 -15% of students will go over quota o Best case usage will fit in AARNet usage allowance o Worst case 10 TB over @ $2 = extra $20 K pa § Unlimited Quota o 0% of students will go over quota o Best case usage will fit in AARNet usage allowance o Worst case could cost up to $250 K extra for 1 st yr

Quota Recommendation § Monthly Quota (1. 2 GB), instead of quota based on credit points o No student cohort will be worse off than credit point system o Easy to provision, easy to support, No complex quota calculation o No rollover monthly model that mirrors home ISPs o Heavy internet users contribute by purchasing additional quota o Self supporting (including VC’s current contribution) financially viable model § Service Limiting o Changed from blocked to shaped (64 Kbps) § Adopt AARNet off Peak Access for Staff and Students o From 9 pm to 7 am weekdays students and staff all Internet traffic will be free § Reduce No User Types o Easier to support and easier for students to understand

ITO - Top Customer Requirements 1. Seamless Internet access using multiple access methods (802. 1 X / Web) over different OS (Windows, Mac and Linux) 2. Automate quota threshold notifications for client groups 3. Provide a unified billing package for voice/data services 4. Self Help portal to provide online quota purchases 5. Display real time usage details online and via email 6. Shape access where Internet quota has been exceeded 7. Provide voice and data billing reports to users and supervisors

ITO - Top Tech & Support Requirements 1. Handle and process Internet traffic at speeds of 10 G+ 2. Support AARnet's Internet charging model (on-net, off-net and off-peak) 3. Inspect & identify Internet traffic down to the protocol level – multicast & IPv 6 4. IAS solution can be deployed behind a load-balancing solution (F 5 Big. IP LTM) 5. Open Standards - APIs and MIBs for integration with GU NMS 1. Be available 24 hrs a day, 7 days a week 2. Account for Internet traffic in the event of a disruption 3. Support regular updates of the underlying operating systems 4. Vendor support resources within Australia 5. Well established troubleshooting, escalation & problem resolution

The ITO § Invitation to Offer (GU 009/10) provision of Internet Access Service § Issued in Oct 2010, 50 companies interested in ITO § Short listed 3 Respondents § Thorough evaluation process § Negotiations entered into with one integrator for supplying Cisco hardware and Obsidian’s Billing System § GITCv 5 contract signed with Dimension Data in 4 th August 2011

Why Cisco / Obsidian? § TCO Very Competitive: Capital & Maintenance support Important if Griffith heads down open Internet access path § Cisco SCE proven 10 GB capability in the University environment § Integrated Data and Voice Billing System § Seamless Login for all devices § OS clients were not required for all devices – Windows, Mac etc § Self service functionality all available from existing front end § Completely web front end for management and report generation § Australian company for software § Develop value adds such as i. Phone application § Accept code enhancement / changes from customers

Implementation Plan Mammoth scope – divided in to manageable phases § § § Phase 1 – Replacement Critical features for start of Semester » New SCE » New plan for students – Shaped & Free hours » Self service portal (usage, top sites visited etc. ) § SNMP+. 1 x auto login Phase 2 – Differentiators » Integration with printing account for quota top up » Credit card top up capability » Additional management reports & Alerts » Enable JAWS capability Phase 3 – Value Adds » Real time staff usage monitoring (no urls) for Managers » App for iphone, anroid and blackberry » Public WIFI

IAS System Design • Network Design redundant SCEs, 1 x 10 G, 1 x 1 G, NAT Wireless

Internet Access Methods Wireless Login using Radius Accounting packet -> Jet Active Directory Login using SNMP Trap packets -> Jet Captive Portal Web Login -> Jet

Service Control Engine • 10 G Capable Throughput • Rate limit users and protocols • Detailed Usage reports • Current Bug with IPv 6

SCE Performance Test • With AARNet’s help we were able to push Griffith Internet Link to over 7 Gbps

GU System Enhancements AD (SNMP) § Griffith uses SNMP Authentication traps from AD to facilitate an automated network level internet access system log-in when a user authenticated to AD DHCP Logout § Microsoft SNMP traps are not able to accurately determine when a user is no longer authenticated through AD. To overcome this Griffith uses Syslog notification form its Infoblox DHCP appliances to A custom services API interface to log out a user from the internet access system when their DHCP lease expires. SOE log-out executable § To further ensure a user has the correct session when logging in Griffith runs a small 13 Kb native windows application that does a JSON call the API server requesting the current user to IP address mapping form the Cisco Subscriber Manager. If the local IP/user mapping does not match the user is logged out from the Internet Access System and a captured portal log-in page is then used to authenticate the user.

GU System Enhancements Cont’ Radius Caching Daemon § § § § GU Wireless network regularly has over 5500 concurrently connected users When users roam need to they re-authenticate to the Wireless LAN controllers These radius requests were heavily overloading the IAS radius service. To overcome the issue Griffith developed a c++ radius caching daemon that sits between the Radiator service and the IAS radius service. The process effective holds radius Alive and Stop request for a period of time. (currently 1 hour) if a new start or alive is intercepted the counter for that sessions in restarted. If no packets arrive to update the session then a log-out is sent to the Internet Access Service. The caching daemon reduced the amount of packets being sent to the IAS radius servers by 80%. The daemon also works around a few bugs in the current Cisco controller code where radius packets are sent in the wrong order. We are working closely with Cisco to resole the issue. “All enhancements written by Dale Blakemore”

Internet Usage - My Account § Internet Quota usage and charges § Detailed Internet usage showing URL history § Internet application (protocol) usage report

My Account for Students § § Online Credit Card Purchases Online Credit Transfers Email alert at ‘ 200 MB quota remaining’ Email alerts at ‘No quota remaining’

Administrative Reports • Top Users report • Protocols usage reports • Dollar and GB usage by Departments • Managers can view staff dollar and MB usage

Example Jet Report

Griffith App

IAS App – net quota • Internet Usage, Student Quota top up

Open Day - Griffith Public Wi. Fi GU Open Day 12/08/12 Free Wi. Fi for new students Wi. Fi across all campuses From 8 am to 3 pm First time at Griffith § § No of unique devices: 349 No connections: 1058 Data downloaded: 6. 5 Gb Avg session time: 25 min

Where are we now? § 2011 Student Enhancements » » Faster Access & Increased quotas (from 450 M to 1. 2 G per month) No longer cut off when you have used up your quota (Rate limiting) Free off-peak downloads on weekdays My Internet Account: online self-service § Now in 2012 » » » More free downloads - extended off-peak hrs 5 pm-8 am + weekends Immediate quota top ups - Library Lending Counter, any campus Credit Card top ups Able to transfer money for quota from copying & printing accounts Temporary Internet Accounts Access 1 -7 days

Did it work? • New IAS system launched in September 2011 • 155% Increase in off net in May 2012

AARNet Bench Mark Graphs • Off Peak Traffic increased by 300% since launching the Internet Access Service in Sept 2011 • Griffith is well placed by only using 55% of the AARNet off-net (charged) traffic allowance • Griffith is also taking advantage of AARNet’s unmetered traffic service

VC’s Report to Council – June 2012 http: //www. griffith. edu. au/__data/assets/pdf_file/0011/417557/vc-council-report-june-2012. pdf

Student Feedback - IAS § § § Internet Access Quota doesn’t run out Auto log in to the Internet saves time § Speed is good for downloads Just click the website, access is great

Issues & Lessons Learnt § Project delayed because Integrator misplaced the SCE order § Project delayed because extra scope added » Separate Internet Access Accounting Solution for QIBT » Some (1000) active directory login usernames did match Griffith S Numbers § Project delayed because Obsidian Project Management & buggy code / QA Testing § Under specified the number of concurrent users » This caused service outages

Internet Content Filtering • Implemented in Dec 2010 • Combined Webwasher system proxy service • Used Mc. Afee Web Gateway – WG 5500 • Had performance problems

Whats next? § Commission Public Wi. Fi Service for conferences § Jet System performance enhancements » Captive portal speed increase » 64 bit OS Upgrade for Jet Servers § Quota Review – Unlimited Downloads § New Project – On-line Phone and Mobile Billing § Replace Active Directory Login with Wired Dot 1 X

Service Review - Controlled Access vs Open Access § § Benefits of Controlled » SCE ability to report and control usage based on a user » Charging for traffic per user puts a value on the traffic and therefore staff/students are more likely not to miss use downloads. » Supervisors can manage staff usage » Research + high downloads are encouraged to be done out of hours before 8 am after 5 pm. This helps spread the traffic load. » Long term this means AARNet will charge less » QIBT could not have been done with out an accounting system Disadvantages or forecasted cost of Open Access » Current revenue from staff and student top ups is lost » Increased staff usage » Increased student usage » Extra Internet infrastructure – costs over 5 years

Investigate impact of Unlimited Quota • 12000 AARNet Internet Usage Allowance 124 GB • 10000 • 2009 • 8000 • 2010 • 6000 • 2011 • 4000 • 2012 • 2000 • Allowance • 0 • Jan • Feb • Mar • Apr • May • Jun • Jul • Aug • Sep • Oct • Nov • Dec AARNet Internet Usage Allowance 124 GB • 140000 • 120000 • 100000 • 80000 • Allowance • 60000 • Usage • 40000 • 43986 • 48453 • 48607 • 49414 • 51605 • 2007 • 20000 • 2008 • 2009 • 2010 • 2011 • 67998 • 0 • Current usage is %55 of 124 GB quota @ 1. 2 GB • If the student quota opened up expected usage could be 70%-110% • 2012

Projected Usage Models

Questions?