alison davis and peter kurtz port based network authentication in a lab environment questnet 2000

Alison Davis and Peter Kurtz

Port Based Network Authentication in a Lab Environment

QUESTNet 2000


Contents

• Introduction

• Overview of QUT’s network

• Technical part of the LAS Project

• Support part of the LAS Project


Introduction

• Laptop Access Project started in 1999

• Provide Laptop Access in QUT Labs

• Faster and better access

• Demand for student labs

• Economic considerations


Overview of the QUT Network

• Potential of 34,000 users - 30K students 4K staff.

• 6000 x PCs / Workstations

• 90 Central Servers, 30 x Faculty Servers

• 2 x WAN ATM Switches

• 3 x Legacy Routers, 4 x ATM Router Engines

• 46 x ATM Switches

• 189 x Ethernet Switches

• 370 x Ethernet Hubs

• 48 x Terminal Servers

• 600 x Digital / Analog Modems


Kelvin Grove Campus

34Mbps

Mt Cootha

QUT Wide Area Network (Voice/Data) - May 2000

Gardens Point Campus

Carseldine Campus

4 x 2Mbps

155Mbps

Margaret St Offices

64k

UQ

34Mbps

PABX

PABX

PABX

PABX

AARNET

DIALINACCESS

6 x 2Mbps

2 x 2Mbps

2Mbps

ATM Switch

Legacy Router

Merivale St

PSTN / ISDN

Peel St

KG Offices (4)

Switch

2Mbps Radio Link

2Mbps Radio Links

GU

34Mbps

USQ Adelaide St

34Mbps


Network Projects 2000

• Installing Accellar router switches into the core of data network.

• VoIP trials

• Carseldine WAN upgrade to155Mbps

• Microwave Links reused for redundancy


QUT Wide Area Network (Voice/Data) - Future

Mt Cootha

Gardens Point Campus

Carseldine Campus

Kelvin Grove Campus

GU 34Mbps

34Mbps

155Mbps

155Mbps155Mbps

34Mbps

6Mbps

12Mbps

ATM Switch

Legacy Router

AARNET

UQ


Current Networking Issues

• High Availability and High Bandwidth Integrating voice over the data network

• Network Performance Wire speed routing IP only backbone

• Network Security Breach Monitoring within the LAN Secure Management LAN Leaf node (port based) authentication


Laptop Access Project Requirements

• Easy to use authenticated laptop access Given technical and financial constraints.

• Network Authentication Use QUT Access username, password.

• Network Access and Performance Same as in a standard public access lab.

• Before Authentication Network access must be completely restricted, including other

unauthenticated ports.


Possible Client End Solutions

• Laptop to switch authentication using: 1. Microsoft(NetBIOS) or NetWare Client 2. Browser or telnet Client 3. Extensible Authentication Protocol - EAP

• Laptop to server authentication Microsoft or Browser client Server requests port movement from default VLAN to

the authenticated VLAN


Network Authentication Process

Laptop/PC

Default Port Virtual LAN

Authenticated Virtual LAN

Central Dynamic Address Allocation Server (DHCP)

Network Gateway (Router)

Alcatel Ethernet Switch

Central AuthenticationServer (RADIUS)

InternalWeb and Telnet Server

12 3


IP, Gateway AddressPrimary DNSSecondary DNS - Switch IP

Network Authentication Process - Detail

DHCP Request Central DCHP ServerDHCP Reply

1

2 SwitchInternalWeb & TelnetServer

DNS [QUTAccess ]

DNS [Switch IP Addr]

Username, Password

Auth Successful

CentralRADIUSServer

FrontEnd forOracleDB

ORACLEDatabase

Stores:QUTAccessUsernamePassword


Current Solution Specifications

• ISC DHCP Server Ver 2.0 Internet Software Consortium - www.isc.org

• RADIUS Server Radiator Open Systems Consultants - www.open.com.au

• Oracle Database ver 8 with perl DBI• ALCATEL Switches

Omnistack 4024,5024, Omniswitch router OSR Current software 4.1.2 GA Standard Telnet, Netscape, IE 4,5 Win95,98,NT,Win2000, MacOS, Linux


Radius Log Processor - snapshot


Alcatel Solution

• Switch authentication reliability software, hardware problems

• Vendor support was good

• Scalability is Costly


Future Direction

• QUT authentication backend change Directory Service replaces oracle db User profile detail VLAN LDAP replace RADIUS

• Goals for switch vendors Authentication before DHCP A solution for Operations Systems apart from Win2K A solution for all L2 Access - Ethernet & Wireless


From the technical detail to the bigger picture…..

• Technical

• Support

• Usage

• Cost effectiveness


What other universities are doing

• User services list March 2000

• University of Melbourne

• CAUDIT list June 2000

Information from 23 universities


Institutional Responses

• Most universities are at least considering laptop access for students (17/23)

9 yes 8 Soon/very small 6 no

• Demand has been much lower than expected• Many see wireless as the future direction


QUT laptop access areas

• Law Library. September 1999

• Graduate School of Business teaching facilities. Semester 1 2000

• Gardens Point Library. June-July 2000

• Student superlab – 350 ports – October 2000


Law library usage statistics

Daily use

1

2

3

4

5

6

21/0

1/00

4/02

/00

18/0

2/00

3/03

/00

17/0

3/00

31/0

3/00

14/0

4/00

28/0

4/00

12/0

5/00

26/0

5/00

9/06

/00

Date

Nu

mb

er

of

use

rs p

er

da

y

#users per day


Law Library usage statistics (cont)

Days used service #Students1 92 33 24 15 17 1

10 111 112 123 1

TOTAL 21


Law library usage statistics (cont)

• 21 students successfully used the service

• 9 students only used it on one day

• 1 student used it on 23 days

• Maximum of 5 users on any one day

• Usage slowly increasing


Support issues

• Hired laptops (preconfigured)• Only connect at QUT laptops (configure

once)• Modem + QUT connection laptops (minor

adjustments)• Work laptops. Major adjustments.• Hire network cards or USB connectors


Promotion

• Signage

• Official launch

• Position

• Competition

• Feedback


What we’ve learnt

• Support

• Demand - convenience

• Promotion

• Equity

• Laptop Security

• Technical - hardware and management


Likely future

• Wireless

• Client software will be inbuilt

• Interchangable with desktops

• Establish cost effectiveness

• Benchmark student access to the university network

alison davis and peter kurtz port based network authentication in a lab environment questnet 2000

Documents

mbps slide

alison davis

authentication network

peter kurtz network

peter kurtz ip

peter kurtz overview

qut network potential

redundancy slide