ACCC Home Page ACADEMIC COMPUTING and COMMUNICATIONS CENTER
 
Connecting on Campus -- Using the ACCC Public Wireless Network

UIC Wireless Networking for Departments

   
 
     
UIC Wireless Networks
 

The ACCC's UIC Wireless network now uses the 802.11g wireless standard, which is faster but completely compatible with the original 802.11b (also known as Wi-Fi) wireless network used at UIC. 802.11g and 802.11b networks run at the same radio frequency, 2.4 GHz, but 802.11g supports a much higher data transfer rate: 54 megabits per second (Mbps) vs. 11 Mbps.

Because the standard network security methods for 802.11 networks are not particularly secure when used on their own, we have also adopted the 802.1x IEEE standard for authentication and encryption. The 802.1x standard ensures that only authorized users can connect to the network and assures users that they are connecting to the correct network. The encryption provides private data transmission, both ways. 802.1x security works on all types of 802.11 wireless (and also on wired) networks.

Specifically, the ACCC has adopted an 802.1x wireless security solution for use on the UIC campus wireless network. Dynamic Security Solution's SecureW2 provides 802.1x EAP-TTLS protocol connection software for MS Windows 2000, XP, and Vista and for Windows Mobile 5/6 or Pocket PC 2003/2005 handhelds; Mac OS X 10.3+ comes with built-in 802.1x with EAP-TTLS security support, so people using Mac portables with wireless cards running Mac OS X 10.3 or higher can use the UIC-Wireless network.

Departments must have replaced their existing 802.11b access points with 802.11g access points that are 802.1x-compliant and support EAP-TTLS by the end of the Fall 2006 semester.

 
     
Policies
 

Departments at UIC who want to set up their own wireless networks must:

  • Have replaced their existing 802.11b access points with 802.11g access points that are 802.1x-compliant and support EAP-TTLS by the end of the Fall 2006 semester.

  • Follow the UIC Networking and Computing Policies.

  • Contact the ACCC Networks group at network@uic.edu before they begin to set up a departmental wireless network and cooperate with the ACCC on the placement and coverage of departmental wireless access points.

  • For new access points, purchase and install 802.11g access point (AP) hardware that is 802.1x-compliant and supports EAP-TTLS. The ACCC only supports Cisco 1100 and Cisco 1200 series access points. The Apple AirPort Extreme Base Station has a new version; it does not work with UIC-Wireless and is therefore no longer approved. (Note that an AirPort access point and an AirPort wireless card are two different things. Macs with AirPort wireless cards can be used with the UIC-Wireless network; see Using the Mac OS X 802.1x Client.)

  • Name their wireless access points according to the ACCC naming scheme and register them and, if applicable, their wireless DHCP IP addresses, with the ACCC.

  • Use authenticated, secure wireless connections. Departments may use the ACCC's authentication servers, which use UIC netids and ACCC passwords to authenticate users. Or they may install and run their own authentication server. Departments choosing to use their own authentication server must keep all usage logging information and provide it immediately on demand by the ACCC Security Group.

  • Use securely encrypted wireless connections, using dynamic, rather than static WEP keys.

  • Provide IP addresses for their department's wireless network if the department is doing their own authentication. No additional address space will be provided to departments running their own internal authentication servers.

    However, this might not be necessary. The ACCC provides a private wireless network for the UIC campus. If the department has the correct network equipment in their networking closet, we can add the departmental access point(s) to the ACCC's private wireless network. If this is the case, then the department will not need to provide IPs for their access points and users from their designated subnet space. This decision is on a closet-by-closet basis and the feasibility can only be determined after ACCC surveys the wireless space for AP placement.

  • Each Access Point installed on campus must have a double data jack installed at least 10 feet high, according to ACCC Telecom Policy.

  • No open wireless access of any kind is permitted.

Please contact the ACCC (network@uic.edu) before buying or installing anything, to be sure your plans fit with our policy and infrastructure.

 
     
Some Departmental WLAN Scenarios
   
     
-- Scenario I: Let the ACCC do the work.
 

This is the simplest option. The department, coordinating things with the ACCC Network Group, buys and installs their own APs and uses the existing ACCC authentication server, DHCP services, and networking.

By and large, this means that you install compatible APs and we do the rest, and your users simply use their normal ACCC netids and passwords.

 
     
-- Scenario II: Run your own servers.
 

If you are a glutton for punishment, you can, if you wish, run your own authentication server, and/or your own DHCP server. You are still bound by UI policy to authenticate and encrypt wireless communications, and that includes keeping logs and making them available to ACCC security personnel when needed.

 
     
-- Scenario III: Just put up a cheapo Access Point and Don't Worry, Be Happy.
 

Sorry, not an option. This violates UI policy. Please note that an acceptable AP must also support EAP-TTLS. The ACCC only supports Cisco 1100 and Cisco 1200 series APs.

Please contact ACCC at network@uic.edu to discuss upgrading to these new standards. We will turn off networking for departments who knowingly do not comply with UI networking standards.

 
     
Departmental Supplied and Installed Access Points
 

Each department is responsible for purchasing and installing their own 802.11g access point (AP) hardware that is 802.1x-compliant and supports EAP-TTLS.

  • Make sure that your 802.11g access point hardware is 802.1x-compatible and uses EAP-TTLS. The ACCC only supports Cisco 1100 and Cisco 1200 series Access Points. Should you choose to purchase an AP other than one of these, it may work with the system that we have in place. However, the ACCC is not responsible if it does not, nor do we support any other equipment.

  • Another point to keep in mind when purchasing APs is providing power for them. Some APs get their power from the ethernet line they're connected to. This is called in-line power; you'll need a switch that supports in-line power or a power injector to use this type of AP. Other APs need DC power; you might have to have a power outlet installed to use them. And some APs have the option of using either in-line or DC power. Make sure you know which kind of AP you're purchasing and what type of power it needs.

  • The supported Cisco APs can use in-line power. If you are buying a Cisco AP, we highly recommend using a power injector to power it. The power injector stays in the data closet and will power the Cisco AP through its data jack. Buying and using a power injector is a much less expensive alternative to buying an in-line switch or adding a power outlet.

  • If the department has the correct network equipment in their networking closet, we can add the departmental access point(s) to the ACCC's private wireless network. If this is the case, then the department will not need to provide IPs for their access points and users from their designated subnet space. This decision is on a closet-by-closet basis and the feasibility can only be determined after ACCC surveys the wireless space for AP placement.
 
     
The ACCC's Wireless Authentication and Encryption Solution
 

The ACCC has adopted an 802.1x security solution for UIC campus wireless networking. 802.1x is an IEEE standard that provides an authentication framework for 802-based wireless LANs. The 802.1x protocol suite includes methods for protected authentication and data transmission.

Our security system has two parts:

  • Software that runs on the client computers: SecureW2 for MS Windows 2000, XP, and Vista and for Windows Mobile 5/6 or Pocket PC 2003/2005 handhelds; and Mac OS X 10.3+ itself. This software runs on your wireless-enabled computer and allows you to securely connect to a WLAN. SecureW2 is available for use by any member of the UIC community at no charge. For more information, see Installing and Using SecureW2.

  • A specialised authentication server based on the RADIUS protocol that manages connections from WLAN clients, ensures that only authorized users can connect (and also assures users that they're connecting to the correct WLAN), and provides security information to the WLAN access point so it can set up encrypted private connections over the wireless link. The ACCC's authentication server can work with any 802.1x-compliant WLAN access point that it's configured to communicate with.
 
     
-- User and Network Security: Authentication
 

The ACCC is running an authentication server that authenticates using UIC netids and ACCC passwords. Departments may use the ACCC server to authenticate UIC users for their departmental WLANs. (Scenario I above.)

  • The ACCC's server will only talk to access points that the server knows about, so departmental access points must be registered with the ACCC for them to talk to our server. This protects the UIC users from rogue access points.

  • The ACCC's server will only authenticate users with active UIC netids and ACCC passwords. This protects departments from rogue users.

  • The ACCC's server presents its certificate to the users as part of the authentication process; this certificate protects the users from rogue servers.
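
The first protection above, sketched as an added example (this is not the ACCC's server code): a RADIUS server picks the shared secret by the source address of the access point, discards packets from addresses it has no secret for, and the access point checks the RFC 2865 Response Authenticator on every reply. The registry contents, IP addresses, and secret are constructed, and user authentication and the EAP attributes are left out.

```python
import hashlib
import hmac
import os
import struct

# Constructed registry of registered APs: source IP -> shared secret.
# The address (documentation range) and the secret are made up for this example.
REGISTERED_APS = {"192.0.2.10": b"constructed-shared-secret"}

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)


def build_request(identifier, attributes=b""):
    """AP side: Access-Request carrying a random 16-byte Request Authenticator."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + os.urandom(16) + attributes


def server_reply(src_ip, request, attributes=b""):
    """Server side: drop packets from unknown APs, sign replies to known ones.

    Checking the user's credentials is omitted; only the packet signing is shown.
    """
    secret = REGISTERED_APS.get(src_ip)
    if secret is None or len(request) < 20:
        return None  # unregistered AP or runt packet: silently discarded
    identifier = request[1]
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    digest = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + digest + attributes


def ap_accepts(request, reply, secret):
    """AP side: recompute the Response Authenticator before trusting a reply."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

An access point that was never registered gets no answer at all, and a reply forged without the shared secret fails `ap_accepts`.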
 
     
-- Data Security: Encryption
 

The security of the 802.1x wireless transmission is in two parts.

  • An EAP (Extensible Authentication Protocol) authentication type called EAP-TTLS (Tunneled Transport Layer Security) is used to protect the 802.1x authentication. EAP-TTLS allows mutual authentication of the client and the network through a "tunnel" (similar to the Web's SSL), which is an encrypted channel.

  • After authentication is complete, EAP-TTLS creates dynamic keys that are transformed into WEP keys that are different for each user and for each session. These dynamic WEP (Wired Equivalent Privacy) keys -- not static WEP keys -- are used to secure the wireless part of the connection. Note that WEP is a security protocol in the 802.11b/g wireless data transmission standard, not in 802.1x. Dynamic WEP keys are used because they keep changing -- new keys are requested every 10 minutes -- giving hackers less time to decode the keys and therefore to decode your wireless session.

For more information on 802.1x, 802.11b, 802.11g, and the authentication server and how they work together, see Wireless Security.

 
     
Using Departmental Authentication and Encryption
 

Departments may also use their own authentication method for their wireless LANs if they wish. Some departments may only want their own people to use their wireless; in that case, using their own authentication method isn't a problem.

But please note that the ACCC-distributed SecureW2 client is preconfigured only for UIC-Wireless. If a department elects to use their own authentication server, they will have to provide their users with suitable configuration information or alternate software.

Regardless of what authentication method a department uses, data transmission on a departmental LAN must be encrypted using dynamic WEP keys (Wired Equivalent Privacy), NOT static WEP keys. WEP is a security protocol in the 802.11b/g wireless standard (also called Wireless Fidelity, Wi-Fi) that is designed to provide a WLAN with security and privacy comparable to a wired LAN. Static WEP keys are less secure than dynamic WEP keys because there are a finite number of WEP keys being used (typically 4). The fewer keys in use, the easier it is for an attacker to derive the key. Dynamic WEP keys keep changing, giving hackers less time to decode the keys.

Also, if a department plans on using their own DHCP server (Dynamic Host Configuration Protocol), the IP addresses in their address pool MUST be registered with the ACCC. Due to the limited number of campus IP addresses available and to other problems with there being multiple DHCP servers, we would prefer that departments use a centralized ACCC DHCP server rather than their own.

 
     
Naming Conventions and IP Addresses
 

The names of ACCC's public wireless access points (APs) follow the convention: building-room.ap.wireless.uic.edu.

The names of departmental access points follow the convention: buildingnumber-room.ap.deptzone.uic.edu
where "building number" is the number of the building and "room" is the room number where the AP is located.

For example, if the ACCC had a private access point in room 179 BGRC, which is building number 933,
its name will be: 933-179.ap.cc.uic.edu
That way we can easily identify the wireless access points on a department's network. And, since departments must have their IP addresses registered with the ACCC in QNET, the QNET data will tell the ACCC networking people where the access point is located. Departmental access points must be registered with the ACCC in order for us to provide adequate service.

Also, if a department plans on using their own DHCP server, the IP addresses in their address pool must be registered with the ACCC, and each hostname must indicate that it is a wireless DHCP client. For example, DHCP1.wireless.deptzone.uic.edu.

If the department has the correct equipment in its networking closet to have their AP on ACCC's private wireless network, then we can add the departmental access point(s) to the ACCC's private wireless network. If this is the case, then the DNS registration of the AP and its users will be done by ACCC Networks staff and the department will not need to provide IPs for their access points and users from their designated subnet space. This decision is on a closet-by-closet basis and the feasibility can only be determined after ACCC surveys the wireless space for AP placement.

 
     
Steps in Setting up a Departmental Wireless Network
 

Responsibilities of your Department and the ACCC:

The most important thing for you to do is the first step: contact us so we can help you plan your installation.

  1. Department- Email network@uic.edu to open a case log in the problem database to ask for a wireless survey for your area in order to find the best physical placement for your access point (AP). Please tell us the rooms and areas of buildings that you want to have wireless accessible.
  2. Department- Meet with the ACCC UIC-Wireless staff and discuss wireless possibilities and answer any questions.
  3. ACCC- Meet with the department with blueprints to do a general walk through of the area and set up an additional appointment if necessary to do some real-time testing of signal strength.
  4. ACCC- Send a summary email stating what was discussed at the wireless survey.
  5. ACCC- Make a copy of the blueprints and send it via campus mail with a sample Telecom AS order for jack installations.
  6. Department- Purchase the AP and power injector if you're using a Cisco AP. (See Departmental Supplied and Installed Access Points for details.)
  7. Department- Have the proper jack installed where your wireless AP will be located, according to the blueprints and according to ACCC policy and standards.
  8. ACCC- Create a departmental wireless zone for the AP.  The zone will be named ap.deptzone.uic.edu.
  9. ACCC- Register the AP, using the naming scheme described above. Your AP will look like this in QNET:
     x.x.x.x  room bldg * *  bldgnum-room.ap.deptzone.uic.edu  jack#  AP
  10. Department- "Donate" a block of contiguous IPs in your IP address space to use for your wireless clients if you have to use your own IP space. The ACCC will provide client IPs if the AP can go on the ACCC private wireless network.
  11. Department- If you are using your own IP space, please register those IPs as user1.wireless.deptzone.uic.edu, user2.wireless.deptzone.uic.edu, and so on.
  12. Department- Send a copy of the AP and user registrations to your problem ticket.
  13. ACCC- Send DHCP registered IPs to the ACCC systems group to add to DHCP server.
  14. ACCC- Make required changes on router configuration to reflect new DHCP server scope.
  15. ACCC- Add new AP information into the ACCC's authentication server and generate a shared secret.
  16. Department- If the department is using a Cisco AP, please drop off the AP at the ACCC so that we can configure your AP for you.  You will be given pertinent information (your login info, shared secret, ACCC authentication server info, and so on) once it’s completed.
  17. ACCC- Program the AP for the department.
  18. ACCC- The ACCC will contact Telecom after the AP is completely programmed for the department. Telecom will pick up the AP from the ACCC and mount it to the wall for the department.
  19. Department- If you are not using a Cisco device, the configuration must be completed by the department.  The ACCC will send you any known parameters that your type of AP needs.
  20. Department- If you are not using a Cisco device, after you have finished the configuration, please test your wireless as a client.
  21. Department- If you are not using a Cisco device, after the testing is successful, please contact Telecom to install the AP for you.
  22. ACCC- After Telecom mounts the AP, the switch will be programmed properly, and the jack will be activated.
  23. Department- Test your wireless network and report any problems to the current case log.
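
A registration check for the naming conventions and for steps 9 and 11 above, as an added example (not an ACCC or QNET tool). It assumes a QNET record is eight whitespace-separated fields in the order shown in step 9 and that the last field is `AP` for access points; the sample records used to exercise it are constructed.

```python
import ipaddress
import re

# Patterns follow the naming conventions on this page; DNS names are case-insensitive.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
PUBLIC_AP = re.compile(r"^(?P<bldg>[a-z0-9]+)-(?P<room>[a-z0-9]+)\.ap\.wireless\.uic\.edu$")
DEPT_AP = re.compile(rf"^(?P<bldgnum>\d+)-(?P<room>[a-z0-9]+)\.ap\.(?P<zone>{LABEL})\.uic\.edu$")
WLAN_CLIENT = re.compile(rf"^(?P<host>{LABEL})\.wireless\.(?P<zone>{LABEL})\.uic\.edu$")


def classify(hostname):
    """Return (kind, fields) for a hostname, or (None, {}) if it fits no convention."""
    name = hostname.strip().rstrip(".").lower()
    for kind, pattern in (("public_ap", PUBLIC_AP), ("dept_ap", DEPT_AP),
                          ("wireless_client", WLAN_CLIENT)):
        match = pattern.match(name)
        if match:
            return kind, match.groupdict()
    return None, {}


def audit_qnet_line(line):
    """Check one QNET-style record (assumed field order from step 9); list problems."""
    fields = line.split()
    if len(fields) != 8:
        return ["expected 8 fields, got %d" % len(fields)]
    ip, room, _bldg, _, _, hostname, _jack, devtype = fields
    problems = []
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append("bad IP address: " + ip)
    kind, parts = classify(hostname)
    if kind is None:
        problems.append("hostname fits no wireless naming convention: " + hostname)
    elif devtype == "AP":
        if kind == "wireless_client":
            problems.append("AP record uses a client hostname: " + hostname)
        elif parts["room"] != room.lower():
            # The room in the hostname is what lets staff locate the AP.
            problems.append("room %s does not match hostname room %s" % (room, parts["room"]))
    elif kind != "wireless_client":
        problems.append("non-AP record uses an AP hostname: " + hostname)
    return problems
```

Records that come back with a non-empty problem list are the ones where the hostname no longer tells networking staff where the device is or what it is.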
 
     
For More Information
 

Contact the ACCC's wireless LAN coordinator at network@uic.edu.

 
 



2008-6-18  ACCC Consultants
or see ACCCeSS Helpdesk