Monday, May 19, 2008

A cure for the 802.11 ABC's

Every week, some industry publication calls me to discuss the latest wireless acronym. Questions abound such as "are you implementing 802.1X on your 802.11a/b/g networks? How about EAP-FAST supplicants? IPSec VPN over wireless? TKIP, MIC, LEAP? How do you feel about the future of 802.11n... w, x, y, z?"

It's dizzying.

Users want something simple - just open a laptop and be connected to the internet. If they can do it in a hotel why is the corporate enterprise any different?

At BIDMC and Harvard Medical School, I need to support several wireless use cases ranging from insecure wireless internet access for visitors with unmanaged virus-infected laptops to highly secure wireless access for trusted users of corporate managed devices.

With thousands of PCs, Macs, Linux variants all needing wireless access, what can a CIO do to navigate the 802.11 ABC's and create a sustainable, supportable solution?

After months of experimentation by my teams, we found an approach that meets the needs of our users, provides reasonable security, and keeps help desk calls to a minimum.

Before I discuss our solution, a few comments on what did not work.

Although supplicants worked fine on PCs, support for Macs and Linux machines was problematic and a support challenge.

Configuring complex wireless protocols such as TKIP/MIC/EAP-FAST on Red Hat Enterprise Linux required expert engineers.

Using IPSec VPNs on any platform was very invasive to the operating system and tended to cause errors, instability and calls to the help desk.

After ruling out these technologies, we implemented something very simple.

For the visiting user who wants access to the internet and nothing more, we created an 802.11a/b/g SSID which offers access only to the public internet and sits outside the firewall. Any laptop - PC, Mac or Linux (such as Red Hat Fedora) - can pick up this SSID without any configuration. Just open up the lid and you're on the internet. We do show an "appropriate uses" page when users first open their web browser to discourage violations of the Digital Millennium Copyright Act, but no login or configuration is required.

Once on the internet, any user on any platform can access secure resources behind the firewall via an SSLVPN. The SSLVPN (Juniper) works in any browser, on PCs, Macs, and Linux-based laptops with identical features, no client and few support issues.

For our power users who are willing to accept a minimal amount of configuration to get behind the firewall without SSLVPN, we created an SSID that uses WPA and PEAP. For Mac users, no configuration is necessary, just open the laptop lid and sign in to the network using enterprise (Active Directory) credentials. For PC users, a small amount of configuration is necessary depending on the driver used for wireless (Windows, Intel, IBM etc.). For Linux, a custom driver may need to be downloaded, which makes the solution less than perfect, but most Linux users are happy with SSLVPN, so calls to the help desk are limited.
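As an added example (not from the post or the hospital's own configuration), here is a wpa_supplicant network block for a Linux laptop joining the WPA/PEAP SSID with Active Directory credentials; the SSID name, user identity, RADIUS server name and CA certificate path are assumptions. The certificate checks are the part worth getting right: without them the client will hand its AD password to any access point advertising the same SSID.

```conf
# Added example: WPA Enterprise (802.1X) client settings for the PEAP SSID
# described above. All names and paths below are assumed placeholders.
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="CORP-SECURE"                  # assumed SSID name
    proto=WPA RSN                       # WPA (TKIP) or WPA2 (CCMP), whichever the AP offers
    key_mgmt=WPA-EAP                    # 802.1X/EAP, not a pre-shared key
    eap=PEAP
    identity="jdoe@example.org"         # AD account in UPN form (assumed domain)
    password="change-me"               # AD password; a credential store is preferable
    phase2="auth=MSCHAPV2"              # inner method that carries the AD credentials

    # Verify the RADIUS server's certificate against the organisation's CA and
    # pin the expected server name, so credentials only go to the real authenticator.
    ca_cert="/etc/ssl/certs/corp-ca.pem"   # assumed CA bundle path
    subject_match="radius.example.org"     # assumed RADIUS server name
}
```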

The bottom line - two SSIDs, one unsecured with a simple "appropriate uses" page and one with WPA/PEAP - provide a wireless solution that works everywhere for anyone.

One caveat - after-hours guest network support is tricky, especially for private laptops, because we have no control over 1) who is using the system, 2) what they are doing on the system, and 3) the integrity of the laptop software and drivers. One misbehaving user and/or laptop driver can wreak havoc on other local users.

As more and more mobile devices provide support for wide area networks, users are likely to be able to connect to their choice of high speed EDGE, EVDO and eventually WiMAX, making guest connectivity to 802.11 in public places less important. The current Verizon commercial is about getting out of the jail of your Wi-Fi internet cafe. Staying connected will become easier and easier.


Jurvis LaSalle said...

Do your WAPs support multiple networks or do you have double the APs to provide both networks?

John Halamka said...

We use Cisco's LWAPP access points. The public and private networks run over the same access points, but we have two different internet connections - Sprint for guests, and Harvard's network for secure users.

Unknown said...

Did you consider not broadcasting the guest SSID? We'd like to limit access to true visitors by supplying a one page instruction guide, but we're now discovering that non-broadcast SSIDs can be problematic with clients using the Windows zero configuration tool.