Wireless Networking Case Study

By Mark Aughenbaugh and John Call  |  Posted 2011-04-26

The 2,500 students and 500 faculty and staff at Brigham Young University–Hawaii live and learn in one of the most beautiful places on earth. What is not always so pretty, especially for the university’s small IT team, is the deployment of new campus-wide technology projects.

Our IT team constantly assesses new technology that can help protect the campus network and its 3,000 users. With the goal of continuously improving network security, we set out to add stronger authentication and authorization for access to campus resources by deploying 802.1X network access control. The challenge was finding solutions that would make deployment straightforward and limit disruption of service to our users.

A key driver for this security upgrade was that BYU–Hawaii’s open wireless network, with no authentication and, as an open network, no link-layer encryption, could be joined by anyone on or near the campus. Our CTO, Jim Nilson, challenged the IT team to find a solution that worked with our existing infrastructure and was cost effective.

In addition to the obvious hazards of letting anyone and any machine connect to the network, another big issue was capturing basic information about the wireless users on the campus network. Previously, the team had no way of knowing who was on the network or how it was being used. For example, it is important to be able to identify users who might be doing something inappropriate with network resources. All BYU–Hawaii students are required to sign an honor code of conduct. If someone violates a conduct policy, such as downloading inappropriate material, the IT team needs a way to identify the student, as required by the Honor Code Office. With no way to tie network activity back to a user, reporting violators was next to impossible.

To address these issues, the team wanted to secure the wireless network first, with the long-term goal of authenticating users on the wired network as well. They decided the best way to do this was to deploy 802.1X authentication, the IEEE standard for port-based network access control. In 802.1X the client (the supplicant) authenticates through the switch or access point (the authenticator) to a RADIUS server using EAP; the port carries nothing but EAP traffic until the server accepts the credentials, and the server can return per-user authorization such as a VLAN assignment along with the accept. This provides a far more secure authentication mechanism for approved users and devices attempting to connect to the network, and it ties every session to an identity.

Since BYU–Hawaii’s network includes 240 access points from both Cisco and Xirrus, the authentication solution had to work in a multi-vendor environment for 802.1X to function consistently across the campus.

Being a Cisco customer, BYU–Hawaii had tried to use the Cisco Clean Access solution to secure its wireless network, but found usability and reliability issues difficult to manage.  With the Cisco solution, anyone could still connect to the network as a guest.  Cisco Clean Access also required significant effort for configuration and profile management.  It was clear to the IT team that if we were going to successfully deploy 802.1X, we needed something else.

After learning about new access control solutions at an annual EDUCAUSE conference on the mainland, BYU–Hawaii conducted a competitive bakeoff between Cisco’s latest version of Clean Access, Impulse Point’s Safe-Connect, and Avenda’s eTIPS identity-based policy platform.  The goal for the new solution was for it to successfully operate in an 802.1X environment with Cisco and Xirrus access points, Cisco switches and a variety of users’ devices, which range from laptops and smartphones to gaming consoles.

Considering their previous experiences with Cisco’s product, the evaluation ultimately came down to Avenda and Impulse.  In the end, Avenda proved to be feature rich with very competitive technical add-on value and aggressive pricing.  It was also the easiest company to work with, which is a big deal since our IT team consists of only three IT people to support the entire network and nearly 3,000 users.

Avenda was the only solution we found that natively supported 802.1X wireless, wired, and VPN authentication and authorization. We selected the Quick1X product to streamline the configuration of 802.1X supplicant settings on users’ devices, believing that automating this step would make 802.1X transparent to end users and cut down on help desk calls. It was also important to select components that simplified the creation of policies, accelerated the deployment process, and provided the reporting, visibility and troubleshooting tools we would need.

It is important to note that many vendors told us that in order to make their products work, we would have to change how we operate. Many vendors expected us to manually recreate much of our users’ information and would not let us leverage the group and user attributes already configured in Active Directory. The ability of the selected solution to integrate with a variety of data sources, such as Active Directory, allowed us to deploy security in a way that suits our environment instead of being forced to change the way we do business.

As a result of this upgrade, the IT team quickly began controlling and differentiating access to the network and determining what users were doing once on the network.  Our main goals have been achieved, and now we have the network access visibility that we didn’t have before.  Collecting user information and details about network usage and performance of the campus wireless network now takes only minutes.
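The visibility described here and in the Honor Code discussion above comes down to one question the help desk gets asked: who was behind IP address X at time T? With 802.1X in place the RADIUS accounting stream answers it. The following is an added example, not BYU–Hawaii's tooling or any vendor's code; it assumes the RADIUS server writes accounting in a FreeRADIUS-style detail layout (one `Attribute = value` per line, a blank line between records) and uses ISO 8601 `Event-Timestamp` values for simplicity. The sample records are constructed.

```python
"""Answer "who was on IP X at time T?" from RADIUS accounting records.
Added example, not BYU–Hawaii's or any vendor's code. Assumes a FreeRADIUS-style
detail layout ("Attribute = value" per line, blank line between records) with
ISO 8601 Event-Timestamp values; adjust the parser for your server's format."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: jdoe holds 10.20.30.40 from 08:00 to 09:30, asmith gets the
# same address at 10:15, and bkim's session on 10.20.30.41 never saw a Stop.
SAMPLE_DETAIL = """
    Acct-Status-Type = Start
    User-Name = "jdoe"
    Acct-Session-Id = "0001"
    Framed-IP-Address = 10.20.30.40
    Calling-Station-Id = "00-11-22-33-44-55"
    Event-Timestamp = "2011-04-26T08:00:00"

    Acct-Status-Type = Start
    User-Name = "bkim"
    Acct-Session-Id = "0003"
    Framed-IP-Address = 10.20.30.41
    Calling-Station-Id = "00-aa-bb-cc-dd-ee"
    Event-Timestamp = "2011-04-26T08:05:00"

    Acct-Status-Type = Stop
    User-Name = "jdoe"
    Acct-Session-Id = "0001"
    Event-Timestamp = "2011-04-26T09:30:00"

    Acct-Status-Type = Start
    User-Name = "asmith"
    Acct-Session-Id = "0002"
    Framed-IP-Address = 10.20.30.40
    Calling-Station-Id = "00-99-88-77-66-55"
    Event-Timestamp = "2011-04-26T10:15:00"

    Acct-Status-Type = Interim-Update
    Acct-Session-Id = "0002"
    Framed-IP-Address = 10.20.30.40
    Event-Timestamp = "2011-04-26T11:00:00"
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text: str) -> List[Dict[str, str]]:
    """One attribute dict per blank-line-separated accounting record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records

@dataclass
class Session:
    user: str
    mac: str
    start: datetime
    addresses: List[Tuple[str, datetime]] = field(default_factory=list)  # DHCP may re-lease mid-session
    end: Optional[datetime] = None  # None: no Stop seen, treated as still active

def build_sessions(records: List[Dict[str, str]]) -> List[Session]:
    """Fold Start / Interim-Update / Stop records into per-session objects."""
    sessions: Dict[str, Session] = {}
    for r in sorted(records, key=lambda rec: rec["Event-Timestamp"]):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(r["Event-Timestamp"])
        sid, status = r["Acct-Session-Id"], r["Acct-Status-Type"]
        if status == "Start":
            sessions[sid] = Session(r["User-Name"], r.get("Calling-Station-Id", "unknown"), ts)
        s = sessions.get(sid)
        if s is None:  # Interim/Stop with no Start (log rotation): nothing to attach it to
            continue
        ip = r.get("Framed-IP-Address")
        if ip and (not s.addresses or s.addresses[-1][0] != ip):
            s.addresses.append((ip, ts))
        if status == "Stop":
            s.end = ts
    return list(sessions.values())

def who_had_ip(sessions: List[Session], ip: str, at_iso: str) -> List[Tuple[str, str]]:
    """(user, MAC) pairs whose session held `ip` at `at_iso`. Open sessions count as
    active. More than one hit means the accounting data is ambiguous (overlapping
    leases, lost Stop records) and must be resolved against DHCP/switch logs."""
    at = datetime.fromisoformat(at_iso)
    hits = []
    for s in sessions:
        if s.start > at or (s.end is not None and s.end < at):
            continue
        active_ip = None
        for addr, since in s.addresses:
            if since <= at:
                active_ip = addr
        if active_ip == ip:
            hits.append((s.user, s.mac))
    return sorted(hits)
```

Run against the sample, `who_had_ip(sessions, "10.20.30.40", "2011-04-26T08:45:00")` returns jdoe, the same query at 09:45 returns nobody (the address was between leases), and bkim is still attributed to 10.20.30.41 late in the day because no Stop record ever closed that session. In practice, keep the accounting log, the DHCP log and the switch or controller's MAC table together, since a lost Stop or a reused address is exactly where an attribution goes wrong.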

The improved visibility from the authentication platform has allowed us to pinpoint configuration issues in the wireless access devices. As a bonus, the new solution has been much better received by users because there are fewer network connection issues – and in IT no news is good news.  For example, users don’t have to re-authenticate when roaming from one part of the campus to another like in the past, which saves time and reduces stress on the students and faculty.

Because the system has worked so well on the wireless side, the IT team can now look at securing other network access methods. Looking to the future, BYU–Hawaii envisions turning on 802.1X authentication across the campus wired network as well. Another future goal is to enable the system’s NAC health check enforcement. For example, the IT team would be able to grant full network access only to devices with up-to-date antivirus and anti-spyware protection and an enabled host firewall, and steer everything else to a remediation network.
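Health check enforcement of this kind is a policy decision the authentication server makes per session and hands back to the switch or access point as a VLAN. The following is an added example, not Avenda's or any other vendor's policy code; the VLAN numbers, the group names and the posture field names are assumptions, and the decision is returned as the standard RADIUS tunnel attributes (RFC 3580) that most switches and access points honor for dynamic VLAN assignment.

```python
"""Posture-based authorization: map an 802.1X/MAB authentication result and a host
health report to a VLAN, returned as the RADIUS tunnel attributes (RFC 3580) that
switches and access points use for dynamic VLAN assignment. Added example, not any
vendor's code; VLAN numbers, group names and posture field names are assumptions."""
from datetime import date
from typing import Dict, List, Optional

VLAN_BY_GROUP = {"faculty": "20", "students": "30"}  # assumed production VLANs
VLAN_REMEDIATION = "90"  # reaches only update/AV servers
VLAN_RESTRICTED = "95"   # agentless devices (consoles, printers): internet only
MAX_SIG_AGE_DAYS = 7

def check_posture(posture: Dict[str, object], today_iso: str) -> List[str]:
    """Return the failed checks; an empty list means the host is compliant."""
    today = date.fromisoformat(today_iso)
    failures = []
    sig = posture.get("av_signature_date")
    if not sig or (today - date.fromisoformat(str(sig))).days > MAX_SIG_AGE_DAYS:
        failures.append(f"antivirus signatures missing or older than {MAX_SIG_AGE_DAYS} days")
    if not posture.get("antispyware_enabled"):
        failures.append("anti-spyware disabled")
    if not posture.get("firewall_enabled"):
        failures.append("host firewall disabled")
    return failures

def vlan_attrs(vlan: str) -> Dict[str, str]:
    """RADIUS attributes that carry a VLAN assignment back to the authenticator."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": vlan}

def authorize(auth_method: str, groups: List[str], posture: Optional[Dict[str, object]],
              today_iso: str) -> Dict[str, object]:
    """Decide the VLAN for one session. auth_method is 'EAP' (802.1X) or 'MAB'."""
    if auth_method == "MAB":
        # No supplicant means no agent and no health report: never full access.
        return {"vlan": VLAN_RESTRICTED, "reason": "MAC auth bypass, agentless device",
                "attrs": vlan_attrs(VLAN_RESTRICTED)}
    if auth_method != "EAP":
        return {"vlan": None, "reason": "reject: unsupported authentication method", "attrs": {}}
    if posture is None:
        # Fail closed: an authenticated user with no report goes to remediation, not production.
        return {"vlan": VLAN_REMEDIATION, "reason": "no health report received",
                "attrs": vlan_attrs(VLAN_REMEDIATION)}
    failures = check_posture(posture, today_iso)
    if failures:
        return {"vlan": VLAN_REMEDIATION, "reason": "; ".join(failures),
                "attrs": vlan_attrs(VLAN_REMEDIATION)}
    # First directory group with a mapping wins; groups come from the identity store (AD).
    vlan = next((VLAN_BY_GROUP[g] for g in groups if g in VLAN_BY_GROUP), None)
    if vlan is None:
        return {"vlan": None, "reason": "reject: no directory group maps to a VLAN", "attrs": {}}
    return {"vlan": vlan, "reason": "compliant", "attrs": vlan_attrs(vlan)}
```

The two choices worth keeping when adapting this are the fail-closed branch (an authenticated user whose agent sent nothing lands in remediation, not production) and the separate restricted VLAN for MAC-authenticated devices such as gaming consoles, which can never prove their posture and should not share a segment with hosts that can.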

In summary, best practices for deploying 802.1X should start with a well thought out plan that includes, but is not limited to, the following considerations:

-    Do your wireless and wired networking devices support 802.1X?
-    Will you be able to use your existing identity stores (for example, Active Directory groups and attributes)?
-    The AAA/NAC platform should support multi-vendor environments
-    The solution should include a way to easily configure 802.1X supplicant settings (EAP method, the trusted RADIUS server certificate, SSID) on a variety of user devices (Windows, Mac OS, Linux); clients that skip server certificate validation will hand their credentials to any rogue access point that impersonates the campus SSID
-    Creating and testing policies should be straightforward
-    The AAA/NAC platform should support a variety of user and device authentication methods
-    Visibility and troubleshooting tools should be included
-    The AAA/NAC platform should provide guest access management and multiple sponsor roles
-    Find a vendor that shares your goals

Mark Aughenbaugh is infrastructure director and John Call is a systems and network analyst at BYU–Hawaii.