Streamlining Wireless Management at UC Berkeley

• By Linda L. Briggs
• 10/28/10

Handling the many wireless devices that must access a campus WiFi network at once is a common challenge in higher education, where the increasing proliferation of wireless devices can raise capacity issues. A related problem is IP address exhaustion, brought on by the tendency of devices such as smart phones to tie up and then fail to relinquish available IP addresses. Many campus wireless networks also need to maintain complex tracking records on who is accessing the wireless network, for budgetary and funding reasons.

To address those issues, and to make network access both easier and more secure for users, the University of California, Berkeley's Electrical Engineering & Computer Science (EECS) department moved late last year to new security appliances from Avenda Systems that help differentiate user access and better manage IP addresses and security. The department is the largest on campus and includes more than 2,400 undergraduates, 400 graduate students, and more than 100 faculty members.

The complex wireless environment within the department supports a variety of connection methods, including an internal wireless network specifically for the department, several portals that require user authentication, and the campuswide wireless network. The networks, all of which are open to users and running the wireless standard 802.11n, which supports devices using the a, b, g and n wireless standards, did not offer any sort of encryption for security purposes.

Security was one of the main reasons for the change to 802.1x, an authentication standard that can be used in either wired or wireless networking. The 802.1x standard provides better security because it uses the stronger WPA2 (WiFi Protected Access) encryption standard rather than the older WPA. The WPA2 standard is part of the 802.11n standard, but must be properly configured on a network in order to work. And WPA2 must use 802.1x for authentication, leading to the move to 802.1x.

The EECS department decided to make the move to the new appliances in order to address some additional complex challenges in managing its wireless network, according to Computing Infrastructure Manager Fred Archibald. In a setup that is not uncommon on college campuses, Archibald was using two directory management systems, LDAP and Active Directory, to manage user authentication and authorization on the wireless network.

The dual-directory design is intended to help with user tracking needs related to budgeting, but it introduced complexities because the wireless network system must support two types of directory management schemes. Under the department's funding model, different members of the department are granted different types of access, Archibald explained, so users need to be first authenticated against Active Directory, then authorized against LDAP. That required a product that could easily handle both types of directories--a capability that Avenda offered.

Adding to the complexity was an IP address exhaustion issue. With the previous authentication scheme on the department's 802.11 network, powered-up mobile devices within reach of the wireless network, even those that weren't in use, could claim and then retain an IP address, eventually leading to address exhaustion. Use of the 802.1x standard helps rectify the IP address exhaustion issue, since 802.1x does not assigned an IP address until both authentication and authorization take place. Thus, wireless devices that are within wireless network range, and able to achieve authentication but not authorization, do not tie up an IP address.

In addressing the wireless issues, Archibald specifically wanted a solution in appliance form, he said, to replace the current appliance, and in order to have a single vendor providing both hardware and software. "We have limited IT staff, and they all wear a lot of hats, so we wanted to get [a vendor] in place who was really good," Archibald said. In choosing appliances from Avenda, he said, he hoped to obtain a solution that could be dropped into place relatively quickly. And with limited IT staff, he specifically wanted a vendor that could be relied upon for support as needed, with responsiveness a key factor.

Testing the new system began 15 months ago, and the appliances went into production a year ago. The department supports about 150 access points--Berkeley overall has close to 10 times that number of APs--using two Avenda appliances in a high-availability configuration should one unit fail. The department's APs are from both Cisco Systems and Aerohive Networks.

If there is a downside to the new network, Archibald said it has to do with increased support. "When it works, it generally works well and is more convenient for users," Archibald said. With 802.1x, users have to authenticate much less--credentials are usually cached after the first use and so authentication can occur transparently.

However, getting clients configured at the start of a school year results in more help desk calls initially, Archibald said. "The initial setup sometime can be a bit of a roadblock because of all the different clients," he said. "Once you get it to work, however, it works really well."