Port Based Network Authentication in a Lab Environment - QUESTnet 2000
TRANSCRIPT
Alison Davis and Peter Kurtz
Contents
• Introduction
• Overview of QUT’s network
• Technical part of the LAS Project
• Support part of the LAS Project
Introduction
• Laptop Access Project started in 1999
• Provide Laptop Access in QUT Labs
• Faster and better access
• Demand for student labs
• Economic considerations
Overview of the QUT Network
• Potential of 34,000 users - 30K students 4K staff.
• 6000 x PCs / Workstations
• 90 Central Servers, 30 x Faculty Servers
• 2 x WAN ATM Switches
• 3 x Legacy Routers, 4 x ATM Router Engines
• 46 x ATM Switches
• 189 x Ethernet Switches
• 370 x Ethernet Hubs
• 48 x Terminal Servers
• 600 x Digital / Analog Modems
[Diagram: QUT Wide Area Network (Voice/Data) - May 2000. Sites: Gardens Point Campus, Kelvin Grove Campus, Carseldine Campus, Mt Cootha, Margaret St Offices, Merivale St, Peel St, KG Offices (4), USQ Adelaide St. External connections: AARNET, UQ, GU, PSTN / ISDN dial-in access. Link speeds shown: 155Mbps, 34Mbps, 6 x 2Mbps, 4 x 2Mbps, 2 x 2Mbps, 2Mbps, 2Mbps radio links, 64k. Elements: ATM switches, legacy routers, PABXs.]
Network Projects 2000
• Installing Accelar router switches into the core of the data network.
• VoIP trials
• Carseldine WAN upgrade to 155Mbps
• Microwave Links reused for redundancy
QUT Wide Area Network (Voice/Data) - Future
[Diagram: Sites: Gardens Point Campus, Kelvin Grove Campus, Carseldine Campus, Mt Cootha. External connections: AARNET, UQ, GU. Link speeds shown: 155Mbps, 34Mbps, 12Mbps, 6Mbps. Elements: ATM switches, legacy routers.]
Current Networking Issues
• High Availability and High Bandwidth
  – Integrating voice over the data network
• Network Performance
  – Wire speed routing
  – IP only backbone
• Network Security
  – Breach monitoring within the LAN
  – Secure management LAN
  – Leaf node (port based) authentication
Laptop Access Project Requirements
• Easy to use authenticated laptop access
  – Given technical and financial constraints.
• Network Authentication
  – Use QUT Access username, password.
• Network Access and Performance
  – Same as in a standard public access lab.
• Before Authentication
  – Network access must be completely restricted, including other unauthenticated ports.
Possible Client End Solutions
• Laptop to switch authentication using:
  1. Microsoft (NetBIOS) or NetWare Client
  2. Browser or telnet Client
  3. Extensible Authentication Protocol - EAP
• Laptop to server authentication
  – Microsoft or Browser client
  – Server requests port movement from default VLAN to the authenticated VLAN
Network Authentication Process
[Diagram: steps 1, 2 and 3 between these components: Laptop/PC; Alcatel Ethernet Switch with its Internal Web and Telnet Server; Default Port Virtual LAN; Authenticated Virtual LAN; Central Dynamic Address Allocation Server (DHCP); Network Gateway (Router); Central Authentication Server (RADIUS). The steps are detailed on the next slide.]
Network Authentication Process - Detail
[Diagram, reconstructed as the steps it labels:]
1. DHCP Request from the laptop to the Central DHCP Server; the DHCP Reply carries IP, Gateway Address, Primary DNS, Secondary DNS - Switch IP.
2. Switch Internal Web & Telnet Server: the laptop's DNS query for [QUTAccess] is answered with [Switch IP Addr]; the laptop sends Username, Password and receives Auth Successful.
   Behind the switch: Central RADIUS Server -> Front End for Oracle DB -> ORACLE Database, which stores the QUT Access Username and Password.
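The flow on the two Network Authentication Process slides, as an added example that is not QUT's or Alcatel's code: a laptop on the default port VLAN gets a lease whose DNS points at the switch, the login name resolves to the switch's internal web/telnet server, a successful check against the central authentication server moves the port to the authenticated VLAN, and until then the port can reach nothing but the switch (not the gateway and not other unauthenticated ports, as the project requirements demand). VLAN numbers, addresses, the `QUTAccess` resolution rule and the account table are constructed for the demo; the RADIUS lookup is an injected callback.

```python
"""Simulation of the port-based authentication flow (added example, constructed values)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEFAULT_VLAN = 10            # constructed: the default (unauthenticated) port VLAN
AUTHENTICATED_VLAN = 100     # constructed: the authenticated VLAN
SWITCH_IP = "10.0.10.1"      # constructed: the switch's internal web/telnet server
GATEWAY_IP = "10.0.100.1"    # constructed: network gateway (router) on the authenticated VLAN
CENTRAL_DNS = ("10.1.1.53", "10.1.1.54")  # constructed: primary/secondary DNS after login
LOGIN_NAME = "QUTAccess"     # host name the user types; the switch resolves it to itself


@dataclass
class Lease:
    ip: str
    gateway: str
    primary_dns: str
    secondary_dns: str


@dataclass
class Port:
    number: int
    vlan: int = DEFAULT_VLAN
    lease: Optional[Lease] = None
    user: Optional[str] = None


class LabSwitch:
    """Edge switch state: which VLAN each port is in and which user holds it.
    `authenticate` stands in for the RADIUS lookup against the central server."""

    def __init__(self, port_count: int, authenticate: Callable[[str, str], bool]):
        self.ports: Dict[int, Port] = {n: Port(n) for n in range(1, port_count + 1)}
        self._authenticate = authenticate
        self._hosts_issued = 0

    def dhcp_request(self, port_no: int) -> Lease:
        """Step 1 (and again after login): a lease for the port's current VLAN.
        On the default VLAN the DNS entries point at the switch, so the login name
        resolves to the switch's own web/telnet server; on the authenticated VLAN
        the lease is what the central DHCP server would give any lab PC."""
        port = self.ports[port_no]
        self._hosts_issued += 1
        host = 10 + self._hosts_issued
        if port.vlan == DEFAULT_VLAN:
            port.lease = Lease(f"10.0.10.{host}", SWITCH_IP, SWITCH_IP, SWITCH_IP)
        else:
            port.lease = Lease(f"10.0.100.{host}", GATEWAY_IP, *CENTRAL_DNS)
        return port.lease

    def resolve(self, port_no: int, name: str) -> Optional[str]:
        """DNS as answered by the switch: only the login name, only before login."""
        if self.ports[port_no].vlan != DEFAULT_VLAN:
            return None  # authenticated ports use the central DNS, not the switch
        return SWITCH_IP if name == LOGIN_NAME else None

    def can_reach(self, port_no: int, dst_ip: str) -> bool:
        """Forwarding rule for the requirement that access before authentication is
        completely restricted, including traffic to other unauthenticated ports."""
        port = self.ports[port_no]
        if port.vlan == DEFAULT_VLAN:
            return dst_ip == SWITCH_IP
        peers = {p.lease.ip for p in self.ports.values()
                 if p.vlan == AUTHENTICATED_VLAN and p.lease is not None}
        return dst_ip == GATEWAY_IP or dst_ip in peers

    def login(self, port_no: int, username: str, password: str) -> bool:
        """Step 2: credentials submitted to the switch's internal web/telnet server.
        On success the port moves from the default VLAN to the authenticated VLAN and
        its default-VLAN lease is dropped, so the laptop must request a new one."""
        port = self.ports[port_no]
        if port.vlan != DEFAULT_VLAN or not self._authenticate(username, password):
            return False
        port.vlan, port.user, port.lease = AUTHENTICATED_VLAN, username, None
        return True

    def logout(self, port_no: int) -> None:
        """Return the port to the default VLAN (link down or session end)."""
        port = self.ports[port_no]
        port.vlan, port.user, port.lease = DEFAULT_VLAN, None, None


# Constructed account table standing in for the RADIUS server's Oracle backend.
DEMO_ACCOUNTS = {"student1": "correct-password"}


def demo_switch() -> LabSwitch:
    return LabSwitch(4, lambda user, pw: DEMO_ACCOUNTS.get(user) == pw)


if __name__ == "__main__":
    sw = demo_switch()
    print("default-VLAN lease:", sw.dhcp_request(1))
    print("login ok:", sw.login(1, "student1", "correct-password"))
    print("authenticated lease:", sw.dhcp_request(1))
```

The point worth checking in such a design is `can_reach`: on the default VLAN the only permitted destination is the switch's login server, so two unauthenticated laptops on the same switch cannot see each other, and a laptop that has authenticated still cannot reach a port that has not.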
Current Solution Specifications
• ISC DHCP Server Ver 2.0 - Internet Software Consortium - www.isc.org
• RADIUS Server Radiator - Open Systems Consultants - www.open.com.au
• Oracle Database ver 8 with perl DBI
• ALCATEL Switches
  – Omnistack 4024, 5024, Omniswitch router OSR
  – Current software 4.1.2 GA
• Standard Telnet, Netscape, IE 4, 5
• Win95, 98, NT, Win2000, MacOS, Linux
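The switch-to-RADIUS leg of the login (the Username, Password / Auth Successful exchange on the process slide, checked by the central RADIUS server), as an added example written against RFC 2865 with PAP. This is illustrative code, not Radiator's or Alcatel's; the shared secret, NAS address and account table are constructed. It shows why the secret matters on both sides: the User-Password attribute is hidden with MD5 keyed by the secret and the Request Authenticator, and the switch should only act on a reply whose Response Authenticator was computed with the same secret.

```python
"""RADIUS Access-Request / Access-Accept round trip (added example, RFC 2865 PAP)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], _md5(secret + prev))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; the NUL padding is stripped again."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor16(block, _md5(secret + prev)), block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    """Type-Length-Value attributes; rejects lengths that do not fit the packet."""
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the switch (the NAS) sends; returns the packet and its Request
    Authenticator, which the switch keeps in order to check the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept/Reject carrying the Response Authenticator of RFC 2865 section 3
    (no reply attributes in this example)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + _md5(header + request_auth + secret)


def server_handle(packet: bytes, secret: bytes, accounts: Dict[str, str]) -> bytes:
    """The central RADIUS server's role: recover the password, check the account store."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = accounts.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(resp: bytes, ident: int, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Switch side: accept the reply only if the identifier matches the outstanding
    request and the Response Authenticator verifies under the shared secret."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return None
    expected = _md5(resp[:4] + request_auth + resp[20:length] + secret)
    return code if hmac.compare_digest(expected, resp[4:20]) else None
```

Usage: the switch calls `build_access_request`, sends the packet over UDP, and feeds the reply to `verify_response` with the identifier and Request Authenticator it kept; a reply that fails that check (wrong identifier, or built without the secret) is treated as no answer rather than as an Access-Accept.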
Alcatel Solution
• Switch authentication reliability: software and hardware problems
• Vendor support was good
• Scalability is Costly
Future Direction
• QUT authentication backend change
  – Directory Service replaces Oracle DB
  – User profile detail: VLAN
  – LDAP replaces RADIUS
• Goals for switch vendors
  – Authentication before DHCP
  – A solution for operating systems apart from Win2K
  – A solution for all L2 Access - Ethernet & Wireless
From the technical detail to the bigger picture...
• Technical
• Support
• Usage
• Cost effectiveness
What other universities are doing
• User services list March 2000
• University of Melbourne
• CAUDIT list June 2000
Information from 23 universities
Institutional Responses
• Most universities are at least considering laptop access for students (17/23)
  – 9 yes
  – 8 soon / very small
  – 6 no
• Demand has been much lower than expected
• Many see wireless as the future direction
QUT laptop access areas
• Law Library. September 1999
• Graduate School of Business teaching facilities. Semester 1 2000
• Gardens Point Library. June-July 2000
• Student superlab – 350 ports – October 2000
Law library usage statistics
[Chart: Daily use - number of users per day (y axis 1 to 6, series "#users per day") by date, from 21/01/00 to 9/06/00 at fortnightly intervals: 21/01/00, 4/02/00, 18/02/00, 3/03/00, 17/03/00, 31/03/00, 14/04/00, 28/04/00, 12/05/00, 26/05/00, 9/06/00.]
Law Library usage statistics (cont)
Days used service   #Students
1                   9
2                   3
3                   2
4                   1
5                   1
7                   1
10                  1
11                  1
12                  1
23                  1
TOTAL               21
Law library usage statistics (cont)
• 21 students successfully used the service
• 9 students only used it on one day
• 1 student used it on 23 days
• Maximum of 5 users on any one day
• Usage slowly increasing
Support issues
• Hired laptops (preconfigured)
• Only connect at QUT laptops (configure once)
• Modem + QUT connection laptops (minor adjustments)
• Work laptops (major adjustments)
• Hire network cards or USB connectors
Promotion
• Signage
• Official launch
• Position
• Competition
• Feedback
What we’ve learnt
• Support
• Demand - convenience
• Promotion
• Equity
• Laptop Security
• Technical - hardware and management