adb3ba3be6b91341e74a0d18a819eb08.ppt
- Number of slides: 29
Introduction
- Trinity guest network project objective
- College wireless network overview
- Public wireless/hospitality internet access
- Guest network access challenges
- Guest access solution
- IP3 NetAccess subscriber gateway
- Outcomes and future developments

Trinity Guest Network Project
- Objective: To facilitate the connection of short stay authorized Guests to the College data wireless (mandatory) and wired (desirable) network.
- Examples of authorised Guests:
  - Conference delegates
  - Visiting academics and Library readers
  - VIPs, sales representatives, contractors
  - Summer accommodation visitors

College wireless network overview
- Size and locations
  - 750 users last academic year
  - Approx 145 APs in 50 locations: main Campus, St James, Dartry, D’Olier Street, Foster Place/College Green complex

College wireless network overview (cont)
- Enterprise class, based on Cisco Structured Wireless Aware Network (SWAN).
- Secure
  - 802.1X/EAP authentication via RADIUS/AD
  - Dynamic 128 bit encryption
  - MAC address registration
  - VLAN’ed
- Clients
  - 802.1X compatible
  - College AD domain, OS patches, AV, high support
- Internet connectivity limited, LAN based services available

Public wireless hotspots/Hospitality Guest Internet access
- Low security
- Any wireless client adapter will connect
- Little wireless client configuration to connect
- Full or almost full internet access
- Connection established using a prepaid access code or credit card via a web based login portal
- Connectivity and session management is usually controlled by a wireless gateway device providing a reliable controlled connection

Guest network access challenge
- To provide a reliable network service to guests with the following characteristics:
  - Low client configuration
  - Access code/portal authentication
  - Compatibility with most hardware and software types
  - Low user support requirements
  - Feature rich in terms of internet availability
- Benefit from existing extensive infrastructure
- Protect College’s other data networks and reputation from intentional/unintentional misuse of guest network

Guest access solution
- Provide public wireless hotspot/hospitality type connectivity features using the existing campus network infrastructure
- This is achieved by “overlaying” a Guest enabled network on the existing campus network using VLAN technology and an internet gateway device
- A number of internet gateway devices were evaluated

Devices evaluated:
- Bluesocket WG 5000 wireless gateway (August 2004). www.bluesocket.com
- Cisco Building Broadband Services Manager (BBSM) ver 5.3 (May 2005). www.cisco.com
- IP3 NetAccess NA 1500 internet gateway (July 2005). www.ip3networks.com

Primary evaluation criteria:
- VLAN based guest client discovery*.
- Ability to generate its own access codes to facilitate Guest authentication*.
- Session and bandwidth control, logging and accounting.
- Ease of integration with existing campus network infrastructure, must support min. 1000+ users.
- Customisable login portals, DHCP (NAT/PAT), SMTP, support for RADIUS authentication.

Evaluation Outcome:
Columns: Bluesocket WG 5000; Cisco BBSM 5.3; IP3 NetAccess NA 1500
- VLAN based client discovery*: YES, NO, YES
- Ability to generate own access codes*: NO, YES
- All other features: YES, YES

Guest overlay architecture
[Diagram. Labels: Internet; Firewall; IDS; IP3 appliance; Enterprise Network; Wired Guest (VLAN 14); Wireless Guest (VLAN 14), authentication: OPEN; Wired Staff/Student; Wireless Staff/Student, authentication: 802.1X/EAP; etc.]

IP3 NetAccess subscriber gateway
Access Control, Billing, and Subscriber Management Solution
- Flash-based Network Appliance
- 802.1Q VLAN support
- Internal Access Code Generation & Authentication
- Custom Login Portals
- Integrated DHCP, Firewall, & Web Servers
- RADIUS AAA support
- Supports VPN Pass-Through

IP3 NetAccess manages Guest Internet Connections
1. Guest connects to wired/wireless network (SSID: TCDguest).
2. Guest client obtains DHCP assigned private IP address, opens Web browser, IP3 redirects to custom login screen.
3. Guest enters guest access code.
4. IP3 provides authentication & accounting.
5. IP3 manages bandwidth, access code duration.
[Diagram. Labels: IP3 NetAccess; Internet, E-mail, VPN, etc.]

Portal groups:
- Combination of the following:
  - Assigned (Guest) VLAN
  - Assigned (customised) login portal
  - Payment method (access code)
  - Product (e.g. 512K bandwidth)

Portal Groups
Portal groups cont’d
Portal Groups – VLAN’s
Portal Groups – Login portal
Portal Groups – login portal
Portal Groups – Payment methods
Portal groups - Products
Portal Groups – Products contd
Access codes - overview:
- Created using access code generator.
- Codes may be valid between a fixed start/end date or allow a one-off session from time of activation.
- The generated access codes can be exported from the IP3 appliance in .CSV format.
- The exported codes are then merged with a customised TCD access code token template before printing.
- Codes are printed from a standard LaserJet colour printer using Avery business card labels.

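
The two validity modes and the CSV export described on this slide, modelled as an added example; it is not taken from the slides or from the IP3 appliance. The record layout, code alphabet, code length and CSV column names are assumptions made for illustration.

```python
import csv, io, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed alphabet: no 0/O/1/I, since guests type codes from a printed token.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

@dataclass
class AccessCode:                          # hypothetical record layout
    code: str
    start: Optional[datetime] = None       # fixed-window mode
    end: Optional[datetime] = None
    duration: Optional[timedelta] = None   # one-off mode
    activated: Optional[datetime] = None   # set on first successful use

def generate(n, length=10, **validity):
    """Create n distinct codes from the OS CSPRNG so they cannot be guessed."""
    codes = set()
    while len(codes) < n:
        codes.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return [AccessCode(c, **validity) for c in sorted(codes)]

def authorize(store, entered, now):
    """Return the session expiry if `entered` grants access at `now`, else None."""
    ac = store.get(entered.strip().upper())
    if ac is None:
        return None
    if ac.duration is not None:            # one-off: clock starts at activation
        expiry = (ac.activated or now) + ac.duration
    elif ac.start is not None and ac.end is not None:   # fixed start/end date
        if now < ac.start:
            return None
        expiry = ac.end
    else:
        return None                        # no validity set: fail closed
    if now >= expiry:
        return None
    if ac.duration is not None and ac.activated is None:
        ac.activated = now
    return expiry

def export_csv(codes):
    """CSV for the token mail-merge; column names are assumptions."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["code", "valid_from", "valid_to", "duration_minutes"])
    for c in codes:
        w.writerow([c.code, c.start.isoformat() if c.start else "",
                    c.end.isoformat() if c.end else "",
                    int(c.duration.total_seconds() // 60) if c.duration else ""])
    return buf.getvalue()
```

Returning the expiry rather than a boolean lets the gateway end the session when the code lapses, not only refuse new logins.
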
Access codes - generation
Access codes generation contd
Access codes - tokens
Outcomes
- Over 500 guest users have been facilitated since the system was rolled out in August 2005
  - First trial end July, Maths Lattice conference (55)
  - Production end Aug, Eurographics 2005 (>200)
  - Sept., BA conference (BA press users fallback)
  - Sept., EDNO, Maths, Nursing Studies
  - many individual requests

Outcomes (cont)
I wanted to say that the wireless access in the printing house worked flawlessly yesterday. Our international evaluation panel and the SFI and IDA minders plugged in, retrieved their e-mail and I think this helped enormously in getting across an image of a professional organization with its act together. One of the panellists from a University in the South of England commented that he'd never be able to get this kind of service in his home University! So the day was a big success from our point of view. Thanks Again,

Future Developments
- There has been much interest from the College community in this new service; strong demand is anticipated during the 05/06 academic year
- Automate process of distributing access codes
- Using other authentication methods and additional VLANs to provide:
  - Quarantine/basic services network
  - PDA and handhelds
  - Facilitate Eduroam visitors