Authenticating Public Access Networking
Joseph W. Graham II
University of Pittsburgh
717 Cathedral of Learning, Pittsburgh, Pennsylvania 15260
+1 (412) 624-5244
jwg@pitt.edu
ABSTRACT
The University of Pittsburgh began offering network connections to
residence hall students in 1998. Initially, students were assigned
static IP addresses and manual processes were implemented to
record the each computer’s network card MAC address. This
quickly became unwieldy as service was expanded to all of the
nearly 6,000 residence hall rooms. In 2000, DHCP was used to
provide student IP addresses in conjunction with registration
software to record the necessary machine information. Tracing
activity in response to security issues was still time-consuming
because of the time needed to research activity logs.
The adaptation of the Point-to-Point Protocol (PPP) for broadband
use by commercial Internet Services Providers (ISP’s) provided a
much simpler solution for registering users, and providing IP
addresses. Direct user authentication to the network is
accomplished by requiring the entry of a username and password
each time the user establishes a connection. Tracing specific activity
is simplified because it is not necessary to research different sets of
logs to determine the IP address and username. Management of the
system is entirely dynamic. The system can be used just as easily for
ports located in public areas, classrooms, and in conjunction with
wireless network services. The need for authenticated access to the
network from these locations is even more important than from the
residence halls.
Although PPPoE has been used for authenticated access in the
residence halls during the past academic year, this service will be
converted to the IEEE 802.1x standard, which eliminates the
requirement for client authentication software in the coming year.
Our experience with PPPoE is that support requirements are very
low and are primarily limited to client software installation
assistance. Further reduction of support requirements is expected
with the introduction of 802.1x authentication for residence hall,
public access, classroom, and wireless network connections.
Categories and Subject Descriptors
C.2.1 [Network Architecture and Design]: Wireless
Communications
General Terms: Management, Documentation, Performance,
Design
Keywords: Wireless, Authentication, Networking, PPPoE,
Directory, LDAP, Kerberos, NDS, Active Directory, DHCP
1. INTRODUCTION
The University of Pittsburgh began providing Ethernet ports in its
Pittsburgh Campus residence halls in 1996. All residence hall
rooms were wired with one “port per pillow” in 1998. The
connection rate at that time was approximately 40%. Since that
Copyright is held by the author/owner(s).
SIGUCCS’02, November 20-23, 2002, Providence, Rhode Island, USA.
ACM 1-58113-564-5/02/0011.
247
time, the number of residence hall beds has increased to 6,000 and
the connection rate has continued to increase to the current 74%.
Several methods for authenticating users to the residence hall wired
network have been evaluated and implemented over time, each
successively leading to simplified configuration of user devices and
reductions in support overhead. Problems persisted, however, that
required a much more effective solution than had been available
previously.
At approximately the same time, a pilot effort was introduced to
offer wireless network service to University students using a
program in which laptop computers equipped for wireless access
were available for student checkout in the main campus library.
This program continued until 1999 at which time it was abandoned
due to the high cost of equipment maintenance and because of user
complaints regarding slow performance and other issues. The
library has maintained a wireless service since that time, but the
service is available only to library staff. Pressure to offer wireless
service throughout the University community has been increasing
substantially in recent years.
In the past academic year, a pilot program designed to implement
wireless service in public areas, offices, and classrooms was
conducted and yielded highly positive results due to the
improvements in technology and in the ability to secure access to the
wireless network using PPPoE technology. This paper will explore
in more detail the PPPoE solution that has been most recently used
with a high degree of success to authenticate residence hall users
and the wireless gateway solution that is being implemented to
authenticate users to various wireless network implementations
across campus. Both of these methods take full advantage of the
University’s central directory and authentication services that have
been implemented over the past two years.
2. EVALUATION OF TECHNOLOGIES
2.1 Residence Hall Network Authentication
During the first two years in which residence hall network access
was provided, users were assigned static IP addresses upon
registration of their Ethernet card MAC addresses. The drawback of
this method was that a tremendous amount of effort was needed to
record user information and to research records when tracking down
a problem.
In September 1999, Dynamic Host Configuration Protocol (DHCP)
service was introduced to assign IP addresses to users without the
need to manually record and research user information. Lucent
Technologies’ QIP software was selected for this purpose because in
addition to IP address assignment, the software offered an
automated means of registering user Ethernet card addresses via a
web page. This software was used throughout the 1999 academic
year, but serious problems occurred with the registration
management component as participation in the ResNet program
grew and the demand for service outstripped the ability of the
software to keep pace. As a result, QIP was implemented without
the registration management component.
An evaluation of available DHCP solutions resulted in the
identification of Point-to-Point Protocol over Ethernet (PPPoE) as a
viable alternative to the previous solutions. The PPPoE protocol is
a standard Internet protocol as defined by RFC 2516. This protocol
requires a user to authenticate to a RADIUS server in order to obtain
and use an IP address to connect to the Internet over a standard
Ethernet network. In this way, PPPoE is similar to the PPP protocol
used on the University’s remote access dialup modem pool.
Early in the project planning process for the implementation of
PPPoE user authentication, the need to deploy a single vendor,
cross-platform client software solution was identified in order to
simplify documentation and user support. It was also determined
that the process in which users obtain, install, and configure the
client software was critical to success given the need to quickly
deliver the solution to a potential 6,000 residence hall users within a
few days of the start of the fall term. In order to simplify this
process for users, a special Web site was set up that is accessible
only to these users providing the ability to download preconfigured
software and simplified installation instructions.
The Internet
NAS
Figure 2: PPPoE Architecture
2.2 Wireless User Authentication
Security was a paramount concern during the wireless networking
pilot program. It was quickly decided that both Wire Equivalent
Privacy (WEP) and individual user authentication would both be
employed in conjunction with wireless networking to encrypt data
and to identify users if needed in connection with security incidents.
PPPoE was implemented during the wireless pilot in part because of
the successful implementation of this protocol for residence hall user
authentication. Feedback received during the pilot implementation
indicated that users were dissatisfied with the lengthy process of
installing and configuring a wireless radio card, WEP key, and
PPPoE client software and that some users experienced
incompatibility problems that made it difficult for them to
participate in the program.
The pilot program experience made it clear that an alternative
solution of for user authentication was needed that did not involve
the installation of client-side software. The IEEE 802.1x protocol
was initially evaluated to provide this alternative in light of the fact
that current operating systems include 802.1x functionality. In
addition, all of the wireless radio cards under consideration support
the authentication protocol. Implementation of 802.1x has been
delayed, however, because the implemented version of RADIUS
software is not capable of native communication with the
University’s LDAP, NDS, Active Directory, or Kerberos
authentication systems. This problem required the identification of
an interim solution until a compatible 802.1x solution has been
developed and deployed.
248
Demands for immediate deployment of wireless network service in
public areas, classrooms, and office areas led to the consideration of
wireless gateway solutions from several different vendors. The
requirements for consideration included the ability to authenticate
users against one of the University’s central authentication systems,
the ability to employ roles-based access, the ability to restrict access
to specific applications and services over the wireless network.
Based upon these criteria, a product selection has been made and
wireless network service is being deployed in various campus
locations.
Figure 1: Wireless Gateway Architecture
2.3 Unified Authentication to the Network
At this time, the University has implemented two distinctly different
mechanisms for authenticating users to the network: PPPoE for
residence hall students and wireless gateways for wireless network
users. One obvious potential problem is the need for the same student
to install and configure a PPPoE client in order to access the wired
network from a residence hall room and then authenticate to the
network using the wireless gateway from a classroom. As the
deployment of wireless service increases, we anticipate the need to
implement a single mechanism for user authentication to the network
regardless of whether a user accesses the network from a wired port or
wireless service anywhere at the University. The extension of the
requirement for users to authenticate to the University’s wired network
to all wired ports, irrespective of the location or purpose of the port is
underway using the 802.1x protocol.
3. LESSONS LEARNED
The primary lesson that we learned is that it is both practical and
possible to implement effective systems for user authentication to
wired and wireless networks. While PPPoE requires the distribution
of client software and does have user support requirements, we have
demonstrated that the protocol offers improved security and can
actually reduce the need to provide extensive individual support for
student users. Fears that this deployment would dramatically
increase student support calls at the start of the previous Fall term
were quickly dispelled.
The Web-based user authentication interface provided by wireless
gateway solutions offers a client software-free method that is readily
understandable by a variety of users. Further, the Web interface is
readily usable in conjunction with a wide range of end user devices,
from laptops to handheld devices, offering a much more flexible
solution for wireless deployment than is available with PPPoE.
Ultimately, a single system that offers ease of configuration and use
for all users, regardless of whether the network is accessed from
wireless or traditional wired ports must be implemented in order to
avoid confusion and to offer users flexibility in roaming from
classroom to public area to residence hall or office without needing
to re-authenticate or switch to a different authentication mechanism.
We believe that the 802.1x coupled with RADIUS provides this
functionality.