Campus WiFi | Feature

Streamlining Wireless Management at UC Berkeley

Handling the many wireless devices that must access a campus WiFi network at once is a common challenge in higher education, where the increasing proliferation of wireless devices can raise capacity issues. A related problem is IP address exhaustion, brought on by the tendency of devices such as smart phones to tie up and then fail to relinquish available IP addresses. Many campus wireless networks also need to maintain complex tracking records on who is accessing the wireless network, for budgetary and funding reasons.

To address those issues, and to make network access both easier and more secure for users, the University of California, Berkeley's Electrical Engineering & Computer Science (EECS) department moved late last year to new security appliances from Avenda Systems that help differentiate user access and better manage IP addresses and security. The department is the largest on campus and includes more than 2,400 undergraduates, 400 graduate students, and more than 100 faculty members.

The complex wireless environment within the department supports a variety of connection methods, including an internal wireless network specifically for the department, several portals that require user authentication, and the campuswide wireless network. The networks, all of which are open to users and run 802.11n (which also supports devices using the older 802.11a, b, and g standards), did not offer encryption of any kind.

Security was one of the main reasons for the change to 802.1x, an authentication standard that can be used on either wired or wireless networks. The 802.1x standard provides better security because it uses the stronger WPA2 (Wi-Fi Protected Access 2) encryption standard rather than the older WPA. The WPA2 standard is part of the 802.11n standard, but it must be properly configured on a network in order to work. And WPA2 must use 802.1x for authentication, which led to the move to 802.1x.

The EECS department decided to make the move to the new appliances in order to address some additional complex challenges in managing its wireless network, according to Computing Infrastructure Manager Fred Archibald. In a setup that is not uncommon on college campuses, Archibald was using two directory management systems, LDAP and Active Directory, to manage user authentication and authorization on the wireless network.

The dual-directory design is intended to help with user tracking needs related to budgeting, but it introduced complexities because the wireless network system must support two types of directory management schemes. Under the department's funding model, different members of the department are granted different types of access, Archibald explained, so users need to be first authenticated against Active Directory, then authorized against LDAP. That required a product that could easily handle both types of directories--a capability that Avenda offered.

Adding to the complexity was an IP address exhaustion issue. With the previous authentication scheme on the department's 802.11 network, powered-up mobile devices within reach of the wireless network, even those that weren't in use, could claim and then retain an IP address, eventually leading to address exhaustion. Use of the 802.1x standard helps rectify the IP address exhaustion issue, since with 802.1x an IP address is not assigned until both authentication and authorization take place. Thus, wireless devices that are within wireless network range, and able to achieve authentication but not authorization, do not tie up an IP address.
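The two paragraphs above describe one access-control pipeline: authenticate against Active Directory, authorize against LDAP, and only then let the device reach DHCP. The following Python model is an added example written for this page; it is not code from the EECS department or from Avenda, and the user names, password hashes, group names, VLAN names and address ranges are all constructed. A real deployment performs these steps inside a RADIUS/EAP exchange against live directories rather than in-memory dictionaries; the model only shows why a device that can authenticate but is not authorized never consumes a lease, in contrast to an open network where any associated device does.

```python
"""Model of a two-stage 802.1X access decision gating DHCP leases.

Constructed example: directories, accounts, groups and VLAN names are
invented. A production system would query Active Directory and LDAP
from a RADIUS/NAC appliance; this only demonstrates the decision flow.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Optional


def _h(pw: str) -> str:
    """Stand-in credential hash for the constructed AD store (not how AD works)."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Stage 1 store ("Active Directory"): who can prove their identity.
AD_USERS = {
    "alice": _h("correct horse"),   # EECS faculty
    "bob": _h("battery staple"),    # EECS grad student
    "carol": _h("visitor-2010"),    # valid campus login, not EECS-funded
}

# Stage 2 store ("LDAP"): what each identity is entitled to.
LDAP_GROUPS = {
    "alice": {"eecs-faculty"},
    "bob": {"eecs-grad"},
    # carol deliberately has no group entry: she authenticates but is not authorized
}

GROUP_TO_VLAN = {"eecs-faculty": "vlan-faculty", "eecs-grad": "vlan-students"}


def authenticate(user: str, password: str) -> bool:
    """Stage 1: verify the credential against the AD-like store."""
    expected = AD_USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _h(password))


def authorize(user: str) -> Optional[str]:
    """Stage 2: map the user's LDAP-like group membership to a VLAN, or None."""
    for group in LDAP_GROUPS.get(user, ()):
        if group in GROUP_TO_VLAN:
            return GROUP_TO_VLAN[group]
    return None


@dataclass
class DhcpPool:
    """Tiny DHCP pool: one address per MAC, first free host address wins."""
    network: IPv4Network
    leases: dict = field(default_factory=dict)   # mac -> ip

    def lease(self, mac: str) -> Optional[str]:
        if mac in self.leases:
            return self.leases[mac]
        used = set(self.leases.values())
        for host in self.network.hosts():
            ip = str(host)
            if ip not in used:
                self.leases[mac] = ip
                return ip
        return None   # pool exhausted


def make_pool(cidr: str) -> DhcpPool:
    return DhcpPool(IPv4Network(cidr))


@dataclass
class AccessDecision:
    authenticated: bool
    vlan: Optional[str]
    ip: Optional[str]


def dot1x_connect(mac: str, user: str, password: str, pool: DhcpPool) -> AccessDecision:
    """802.1X flow: the port stays unauthorized, and DHCP is unreachable,
    until BOTH authentication and authorization succeed."""
    if not authenticate(user, password):
        return AccessDecision(False, None, None)
    vlan = authorize(user)
    if vlan is None:
        return AccessDecision(True, None, None)   # authenticated, not authorized: no lease
    return AccessDecision(True, vlan, pool.lease(mac))


def open_network_connect(mac: str, pool: DhcpPool) -> Optional[str]:
    """Pre-802.1X behaviour: any associated device takes a lease immediately."""
    return pool.lease(mac)


if __name__ == "__main__":
    pool = make_pool("10.0.0.0/29")   # constructed: six usable addresses
    for mac, user, pw in [("aa:00", "alice", "correct horse"),
                          ("bb:00", "carol", "visitor-2010"),
                          ("cc:00", "bob", "wrong password")]:
        print(mac, user, dot1x_connect(mac, user, pw, pool))
    print("leases consumed:", len(pool.leases))
```

Running the demo shows only alice holding an address: carol passed authentication but has no authorizing group, and bob's bad password stops the flow at stage one, so neither touches the pool.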

In addressing the wireless issues, Archibald specifically wanted a solution in appliance form, he said, to replace the current appliance, and in order to have a single vendor providing both hardware and software. "We have limited IT staff, and they all wear a lot of hats, so we wanted to get [a vendor] in place who was really good," Archibald said. In choosing appliances from Avenda, he said, he hoped to obtain a solution that could be dropped into place relatively quickly. And with limited IT staff, he specifically wanted a vendor that could be relied upon for support as needed, with responsiveness a key factor.

Testing the new system began 15 months ago, and the appliances went into production a year ago. The department supports about 150 access points--Berkeley overall has close to 10 times that number of APs--using two Avenda appliances in a high-availability configuration so that service continues should one unit fail. The department's APs are from both Cisco Systems and Aerohive Networks.

If there is a downside to the new network, Archibald said it has to do with increased support. "When it works, it generally works well and is more convenient for users," Archibald said. With 802.1x, users have to authenticate much less--credentials are usually cached after the first use and so authentication can occur transparently.

However, getting clients configured at the start of a school year results in more help desk calls initially, Archibald said. "The initial setup sometimes can be a bit of a roadblock because of all the different clients," he said. "Once you get it to work, however, it works really well."

Comments

Thu, Oct 28, 2010 Milan Moravec UC Berkeley

Transparency you can trust. UC Berkeley’s Leadership Crisis
UC Berkeley’s recent elimination of popular sports programs highlighted endemic problems in the university’s management. Chancellor Robert Birgeneau’s eight-year fiscal track record is dismal indeed. He would like to blame the politicians in Sacramento, since they stopped giving him every dollar he has asked for, and the state legislators do share some responsibility for the financial crisis. But not in the sense he means.

A competent chancellor would have been on top of identifying inefficiencies in the system and then crafting a plan to fix them. Competent oversight by the Board of Regents and the legislature would have required him to provide data on problems and on what steps he was taking to solve them. Instead, every year Birgeneau would request a budget increase, the regents would agree to it, and the legislature would provide. The hard questions were avoided by all concerned, and the problems just piled up to $150 million of inefficiencies….until there was no money left.

It’s not that Birgeneau was unaware that there were, in fact, waste and inefficiencies in the system. Faculty and staff have raised issues with senior management, but when they failed to see relevant action taken, they stopped. Finally, Birgeneau engaged some expensive ($3 million) consultants, Bain & Company, to tell him what he should have been able to find out from the bright, engaged people in his own organization.

From time to time, a whistleblower would bring some glaring problem to light, but the chancellor’s response was to dig in and defend rather than listen and act. Since UC has been exempted from most whistleblower lawsuits, there are ultimately no negative consequences for maintaining inefficiencies.

In short, there is plenty of blame to go around. But you never want a serious crisis to go to waste. An opportunity now exists for the UC president, Board of Regents, and California legislators to jolt UC Berkeley back to life, applying some simple check-and-balance management principles. Increasing the budget is not enough; transforming senior management is necessary. The faculty, Academic Senate, Cal. Alumni, financial donators, benefactors and await the transformation.
The author, who has 35 years’ consulting experience, has taught at University of California Berkeley, where he was able to observe the culture and the way the senior management operates.
