
Network access at St John's College Cambridge

A presentation from Jisc's wireless mobility event on 27 February 2019.


  1. Network Access at St John's College Cambridge
  2. Background. For authentication we had been using Bradford Campus Manager. For various reasons we wanted a change. We needed to expand our existing wireless service from hotspots to complete coverage in all College properties. This seemed like a good opportunity to review how we handled access to, and monitoring of, our network.
  3. What did we want to be able to do? Make eduroam our primary offering for network access, but still maintain the ability to segregate different types of users onto different networks:
     • Staff
     • Fellows
     • John's grads and undergrads
     • Cambridge University eduroam users
     • Other eduroam users
  4. What did we want to be able to do? Provide a simple-to-use guest access system for visitors, contractors, conferences and Bed & Breakfast guests.
     • We wanted to have the ability to segregate these different types of visitors should we choose to.
     • We also wanted a system that required minimal admin by college departments.
  5. What did we want to be able to do? Do something about home networking devices such as Apple TV, Amazon's Firestick, wireless printers etc.
     • This came about partly because of an incident with a prominent college member accidentally sending their MacBook screen to another person's TV screen.
     • The second reason was that we wanted to be able to say "yes you can connect that and here is how" rather than "no you can't use that and this is why."
  6. Why did we choose Aruba?
     • Compatibility with Cambridge University wireless technology.
     • Managing home networking (mDNS/Bonjour) devices.
  7. Our solution. We purchased Aruba wireless controllers and wireless access points. Over several years we rolled out Aruba APs to cover the main college site, hostels on the main network and remote hotels on broadband connections. For monitoring and troubleshooting we purchased AirWave. To handle authentication and network access we purchased ClearPass.
  8. We set up 3 permanent SSIDs using different authentication methods:
     • eduroam – 802.1X
     • St Johns Visitors – passphrase and MAC authentication.
     • St Johns WiFi – passphrase and MAC authentication. We advertise that this is for non-eduroam-capable devices only.
     At the start of the academic year, and in a few locations throughout the year, we also have a "Device Registration" SSID: open, but restricted to certain web pages. All of the connections through all of the SSIDs are handled by ClearPass.
  9. The Device Registration SSID brings up the ClearPass-hosted web page opposite. Taking the links in order from top to bottom:
     1) Links to the UIS signup page so that they can collect their University details.
     2) Links to the UIS eduroam token page.
     3) Links to a College web page with information about eduroam and non-eduroam devices.
     4) Links to a College web page with information about how to register their devices for accessing the wired network.
  10. eduroam
      • User connects to SSID eduroam.
      • RADIUS request sent to the wireless controller.
      • Request forwarded to the RADIUS server – ClearPass.
      • ClearPass queries a University-managed LDAP system. The output of this query is used to allocate an internal role used by ClearPass.
      • The request is proxied to the University RADIUS servers.
      • If authenticated, the previously allocated role is used as an attribute in the RADIUS reply.
      • The controller uses the added attribute to put the device onto the appropriate connection.
  11. ClearPass role assignments – first applicable match. Query LDAP on the RADIUS username. If valid, check attribute GroupName:
      • Is the GroupName "johns-st-johns-fellows"? YES: assign group number and group name as attribute; set ClearPass role to "Fellows".
      • Is the GroupName "johns-st-johns-staff"? YES: assign group number and group name as attribute; set ClearPass role to "SJC-Staff".
      • Is the GroupName "johns-undergrads"? YES: assign attribute UnderGrad; set ClearPass role to "SJC-Junior-Members".
      • Is the GroupName "johns-grads"? YES: assign attribute UnderGrad; set ClearPass role to "SJC-Junior-Members".
      • Does the username contain @cam.ac.uk but is not a member of any listed group? YES: set ClearPass role to "Eduroam".
  12. Proxy RADIUS request; accept or reject; RADIUS reply.
  13. Add enforcement attributes.
  14. Wireless role assignments to be included in the RADIUS reply:
      • Does the endpoint have an attribute Blacklist and does it equal "true"? Return value "Role-Blacklist".
      • StaticIP: return value "Static-IP".
      • SJC-Junior-Members: return value "role-eduroam-students".
      • Fellows: return value "role-eduroam-fellows".
      • Staff: return value "role-eduroam-staff".
      • User Authenticated: return value "role-eduroam-others".
  15. ClearPass Access Tracker
  16. ClearPass Access Tracker
  17. The Device Registration SSID brings up the ClearPass-hosted web page opposite. Taking the links in order from top to bottom:
      1) Links to the UIS signup page so that they can collect their University details.
      2) Links to the UIS eduroam token page.
      3) Links to a College web page with information about eduroam and non-eduroam devices.
      4) Links to a College web page with information about how to register their devices for accessing the wired network.
      5) The text at the bottom links to a ClearPass login page where they can register wired devices and non-eduroam devices.
  18. Currently we provide the user with a login and password for this system. In the future it is hoped we can develop this to use either Raven or the UIS Active Directory.
  19. The user gives the device a name, selects the device type and enters the device's MAC address.
  20. Aruba's AirGroup. By utilising a capability on Aruba's controllers called "AirGroup", combined with ClearPass, we create personal AirGroup "bubbles".
  21. Personal AirGroup bubble: SJM205
  22. Our instructions ask the user to tick the box "Enable Airgroup" and to enter their own eduroam username into the "Shared with" box.
  23. Personal AirGroup bubble: SJM205, sjm205@cam.ac.uk
  24. Other people's eduroam usernames can also be added to the user's AirGroup "bubble".
  25. "Home" devices currently connected:
      • 70 printers (various manufacturers)
      • 35 PlayStations
      • 29 Amazon Echos
      • 13 smart TVs
      • 12 Google Chromecasts
      • 12 Xboxes
      • 12 Amazon Firesticks
      • 10 Nintendos
      • 9 Sonos systems
      • 7 Google Homes
      • 7 Apple TVs
      • 3 Now TV boxes
      • 2 Sky TV boxes
      • 1 Sony camera
  26. Wired access. The Device Registration pages are also used to register wired MAC addresses. Our HP switches were reconfigured to use ClearPass for 802.1X and MAC authentication. We tend to find that MAC authentication is easier for the users than wired eduroam.
  27. Wired role assignments to be included in the RADIUS reply:
      • Does the endpoint have an attribute Blacklist and does it equal "true"? Return VLAN "5000".
      • StaticIP: return VLAN "100".
      • SJC-Junior-Members: return VLAN "1000".
      • Fellows: return VLAN "2000".
      • Staff: return VLAN "3000".
      • User Authenticated: return VLAN "4000".
  28. Guest System
  29. Guest System. The Guest system allows visitors to self-register for a period of 1-7 days, so that people can get network access without assistance from the Help Desk. The username and password are sent by email so they can be used to register other devices. Accounts can be extended for longer periods of time upon request, or created in advance of the visitor's arrival.
  30. Bed & Breakfast System
  31. Bed & Breakfast System. This system is basically a duplicate of the guest system. So far our department has had no interaction with Bed & Breakfast guests. The Bed & Breakfast SSID is only broadcast over the access points in the relevant rooms, the canteen and the bar.
  32. Impact on the Help Desk. The start of the academic year is much quieter than it used to be.
      • Around 30 calls for help with "home" devices – most solved by providing clearer instructions.
      • The majority of wireless issues are:
        – Problems with setting up eduroam
        – Complaints about coverage
  33. Note on coverage issues
      • Start with a full survey for the latest technology – ours was focussed on 2.4 GHz and is the cause of some of our coverage complaints.
      • Don't be afraid to re-survey.
      • 400-year-old buildings are less annoying than ones built in the 60s!
  34. 5K Swim! https://www.justgiving.com/fundraising/simon-mallows s.j.mallows@joh.cam.ac.uk sjm205@cam.ac.uk
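As an added example (not code from the presentation, nor from Aruba or ClearPass), the first-applicable-match policy of slides 11, 14 and 27 modelled in Python, so the effect of rule ordering can be checked against sample requests. It assumes the LDAP GroupName attribute is multi-valued and that the "Staff" row on the enforcement slides refers to the "SJC-Staff" role from slide 11.

```python
# Constructed model (not ClearPass configuration) of the first-applicable-match
# logic on slides 11, 14 and 27: LDAP GroupName -> ClearPass role -> RADIUS reply.
from dataclasses import dataclass, field

# Slide 11: GroupName -> ClearPass role, first match wins.
GROUP_TO_ROLE = [
    ("johns-st-johns-fellows", "Fellows"),
    ("johns-st-johns-staff", "SJC-Staff"),
    ("johns-undergrads", "SJC-Junior-Members"),
    ("johns-grads", "SJC-Junior-Members"),
]

# Slides 14 and 27: ClearPass role -> (wireless Aruba role, wired VLAN).
# Assumption: the "Staff" row on those slides is the "SJC-Staff" role from slide 11.
ROLE_ENFORCEMENT = {
    "SJC-Junior-Members": ("role-eduroam-students", "1000"),
    "Fellows": ("role-eduroam-fellows", "2000"),
    "SJC-Staff": ("role-eduroam-staff", "3000"),
}
OTHERS = ("role-eduroam-others", "4000")  # "User Authenticated" catch-all

@dataclass
class Request:
    username: str                  # RADIUS User-Name, e.g. sjm205@cam.ac.uk
    ldap_groups: tuple = ()        # GroupName values from the LDAP lookup (assumed multi-valued)
    authenticated: bool = False    # Accept/Reject from the proxied University RADIUS servers
    endpoint: dict = field(default_factory=dict)  # ClearPass endpoint attributes

def assign_role(username, ldap_groups):
    """Slide 11: the role is chosen before proxying, so it is ready for the reply."""
    for group, role in GROUP_TO_ROLE:
        if group in ldap_groups:
            return role
    if "@cam.ac.uk" in username:  # Cambridge user outside every listed group
        return "Eduroam"
    return None  # user from another eduroam institution: no internal role

def enforce(req):
    """Return (wireless role, wired VLAN) for the RADIUS reply, or None on Reject."""
    if not req.authenticated:
        return None  # proxied Reject: no attributes are added
    # Endpoint checks come before any role so a blacklisted device never gets a privileged role.
    if str(req.endpoint.get("Blacklist", "")).lower() == "true":
        return ("Role-Blacklist", "5000")
    if req.endpoint.get("StaticIP"):
        return ("Static-IP", "100")
    role = assign_role(req.username, req.ldap_groups)
    return ROLE_ENFORCEMENT.get(role, OTHERS)
```

A user who is in both the fellows and staff groups lands in "Fellows" because that rule is listed first, which is the ordering property worth checking whenever a group is added.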
