Wireless Networking Case Study
By Mark Aughenbaugh and John Call | Posted 2011-04-26
Best practices guide a wireless deployment at BYU-Hawaii, meaning no trouble in paradise.
The 2,500 students and 500 faculty and staff at Brigham Young University–Hawaii live and learn in one of the most beautiful places on earth. What is not always so pretty, especially for the university’s small IT team, is the deployment of new campus-wide technology projects.
Our IT team constantly assesses the latest technology to help protect the campus network and its 3,000 users. With the goal of continuously improving network security, we sought to add greater authentication and authorization to campus resources through the deployment of 802.1X access control. The challenge was finding the right solutions to best facilitate ease of deployment and limit disruption of service to our users.
A key driver for this security upgrade was the fact that BYU–Hawaii’s open wireless network could easily be accessed by anyone on or near the campus. Our CTO, Jim Nilson, challenged the IT team to find a solution that worked with our existing infrastructure and was cost effective.
In addition to the obvious hazards of having anyone and any machine connect to the network, another big issue was being able to capture important information about the wireless users accessing the campus network. Previously, the team had no way of knowing who was on the network, or how the network was being utilized. For example, it is important to identify users who might be doing something inappropriate using network resources. All BYU–Hawaii students are required to sign an honor code of conduct. If someone violated a conduct policy, such as by downloading inappropriate material, the IT team needed a way to identify the student, as required by the Honor Code Office. With no way to identify users, reporting violators was next to impossible.
To address these issues, the team wanted to first secure the wireless network, with the long-term goal being to authenticate users on the wired network as well. They decided the best way to do this was to deploy 802.1X authentication, which is the IEEE Standard for port-based Network Access Control. This would provide a more secure authentication mechanism for approved users and devices attempting to connect to the network.
Because BYU–Hawaii’s network is made up of a mixture of 240 access points from Cisco and Xirrus, a key best practice was to select a new authentication solution that worked in this multi-vendor environment, so that the 802.1X capability would function properly.
Being a Cisco customer, BYU–Hawaii had tried to use the Cisco Clean Access solution to secure its wireless network, but found usability and reliability issues difficult to manage. With the Cisco solution, anyone could still connect to the network as a guest. Cisco Clean Access also required significant effort for configuration and profile management. It was clear to the IT team that if we were going to successfully deploy 802.1X, we needed something else.
After learning about new access control solutions at an annual EDUCAUSE conference on the mainland, BYU–Hawaii conducted a competitive bakeoff between Cisco’s latest version of Clean Access, Impulse Point’s Safe-Connect, and Avenda’s eTIPS identity-based policy platform. The goal for the new solution was for it to successfully operate in an 802.1X environment with Cisco and Xirrus access points, Cisco switches and a variety of users’ devices, which range from laptops and smartphones to gaming consoles.