Shoring Up the Campus Wireless Network

USD takes back its WLAN and makes revenue in the process

• By Bridget McCrea
• 07/16/09

There was a time when anyone could tap into the University of San Diego's campus-wide WLAN. The setup was nice for guests, passersby, and just about anyone else who could pick up the signal and start surfing the 'Net without so much as a password. It wasn't so nice for the school itself, which was essentially "giving away" a service that its own students were paying for through their tuition while also opening up its network to potential threats.

"The system was completely open; anyone could get online," said Charlie Koehler, network systems administrator for the university, which has 8,000 students and a total of 18,000 current wireless user accounts (including faculty, staff, and alumni). In a typical school year, USD hosts about 2,600 users, with 200 to 1,000 of them being guests. "Our entire campus is wireless," he said, "which made our need for a monitored WiFi access system that much more critical."

Adding to the need was the fact that the school hosted numerous summer conferences, all of which found guest speakers requiring Internet access. "We needed something that guests could use, and that was self-provisioning," said Koehler. "So while we want to know who is using our system and for how long, we didn't want to have to do any active monitoring (the school archives the information for future use, should it become necessary)."

A few years ago, the University of San Diego's IT team found what they thought was the answer in a wireless access device from Eleven Wireless, a company that provides such services to hotels and business centers. "It worked, but it wasn't the best solution for us," explained Koehler. "The configuration was all wrong; the solution was hard to maintain; and it was very slow."

The following year USD started exploring options from ID Engines and Bluesocket, the latter of which sells enterprise wireless LAN security and management solutions. "ID Engines won that bakeoff, so to speak, but as soon as we purchased the device [ID Engines] went out of business," said Koehler, who a few months later was approached by yet another vendor, Avenda Systems of Santa Clara, CA.

The third time was the charm, according to Lois Acker, network systems architect for USD. "We started talking to them about our requirements," said Acker. "From there, we built a strong working relationship that centered around our coming up with a requirement, Avenda building a solution for it, and us testing it in our own environment."

From the solution, Acker said the university was looking for an out of band option, and not an inline device. "We wanted an authentication server in which user traffic doesn't pass through the device itself," she explained. The solution also had to offer a self-provisioning option that allowed users to set up their own accounts without outside intervention on a 24/7 basis. "We have a three-person [network] team," said Koehler, "so having something that was really easy to use and low maintenance was important."

USD is using eTips, Avenda's 5000 Series NAC platform. A network access security solution, eTips features include guest access and provisioning, RADIUS authentication, 802.1X support, endpoint device detection and management.

The system, which generates revenues through credit card payments made by guests who are using USD's WiFi system, is easy to maintain and comes with a low cost of ownership, according to Koehler. "It pays for itself," he said. "Schools that use the self-registration and payment options can probably recoup their investment within a year."

To cover its campus, USD purchased an eTIPS appliance that supports 500 simultaneous users. Implementation took about two weeks and found USD's IT team working closely with Avenda to customize the system to the university's needs. "We were on the phone with the vendor for an hour or two every day, just making sure everything looked and operated exactly how we wanted it to," said Koehler.

Once implementation was complete, the objections started pouring in from computer users who were suddenly shut out of the school's WiFi system. "We got quite a few complaints at the outset," said Acker "particularly from the folks who were suddenly being asked for authentication." Helping to assuage the issue, she added, was the fact that those users could set up their own accounts without intervention from the school itself. "Everyone is starting to see this as a good solution."

The university is also benefiting from improved network security and visibility of traffic pattern usage along with other metrics. "We can now respond quickly to any user issues that come up," said Acker. As the school's main radius server, the Avenda solution serves as the chief authentication source for all wireless access. Going forward, Koehler said the system will also play the role of a secondary source for the university's NAC system. "We plan to expand it from our wireless system and into our wired network over the next year."