An introduction to EUD Wireless Networking
EUD offers a wireless networking environment whereby you may connect a
laptop computer or other device to a firewalled network that can access
the Internet. The computer can be government-tagged or personally
owned.
In order to join the wireless network, you must:
- Have a wireless card in your computer (802.11b or g; 802.1X-capable)
- Be running an operating system capable of 802.1X authentication
(OS X 10.3 or above, Windows 2000 or XP, Linux)
- Submit a Wireless Access form, which can be found at:
https://astrophysics.gsfc.nasa.gov/eudcomp/forms/wireless_setup.php
Please print out the resulting PDF and return it to us.
- Have your computer scanned by us for viruses and security patches
This network uses extensive security mechanisms to protect your privacy
as well as the EUD and larger GSFC network. Security is provided by
issuing SSL certificates to each user. (Details, technical documents, and
buzzwords are found below.) (This is not a Starbucks-style wide-open
anything-goes network.)
Where you can connect
Currently, we have access points in Conference Rooms in Building 2 (Rm
8, Rm 22, Rm 215, Rm W230, and Rm W20), Building 6 (Rm S113),
Trailer 6 (Rm 012), Building 21 (Rm 183, Rm 191), as well
as the High Bay lab. You may be able to get a signal if you are
reasonably close to these locations. For a complete and up-to-date
list of access points, click here.
The problem with reception in Building 2 is that the modular metal walls
in the main part of the building really block the signal, such that it
attenuates to unusable levels within just an office or two from the
location of the wireless Access Point (AP). Thus we do not now nor will
we likely ever be able to offer universal coverage.
The EUD System Team has plans for several more APs to be installed. If
your research group wishes to ensure coverage for your group, please
contact System to coordinate buying the same model AP (Cisco Aironet 1100
Series, about $400).
More Details
There are initially three parts to the network:
- your computer (the "supplicant")
- the wireless access point
- the RADIUS authentication server
Your laptop goes through an elaborate handshake with the RADIUS server,
with the access point acting as a conduit. Once you have been approved,
you are allowed to "associate" with the access point, at which time your
network traffic is permitted to pass through the firewall machine to the
Internet.
This is all largely transparent to you and takes just a few seconds to
sign on.
EUD Configuration Guides for Wireless
You are welcome to peruse the following two guides:
These web links will also be emailed to you when you are issued an SSL
certificate.
Technical Details and Internet Standards used
(Background note: Internet standards are published as "Request for Comment"
documents. I have provided links to these, when possible.)
Our network uses the Extensible Authentication Protocol (EAP)
(RFC 3748)
with the 802.1X security model
(IEEE 802.1X specification, PDF, 1MB).
This involves authenticating each client laptop back to a
RADIUS (Remote Access Dial-In User Service)
(RFC 2865)
server. RADIUS was originally designed to meet the needs of dial-up
modem pools (hence the name), but has evolved to support EAP
(RADIUS support for
EAP, RFC 3579). There are several different protocols for
implementing EAP and we have chosen to implement arguably the most secure,
EAP with Transport Layer Security,
EAP-TLS (RFC 2716).
TLS is the same security that protects secure web servers (for e-commerce
and the like).
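The three-party exchange described above (supplicant, access point as conduit, RADIUS server) ends with the RADIUS server's Access-Accept. The following Python is added here as an illustration and is not EUD's or freeRADIUS's code: it builds that reply the way RFC 2865 and RFC 3579 specify and shows the two integrity checks the access point must perform under the shared secret before it lets the laptop associate. The shared secret and the EAP-Success payload used in testing are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and the EAP-carrying attributes from RFC 3579
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
HDR = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def find_attr(pkt, atype):
    """Return (offset of value within pkt, value) for the first attribute of type atype."""
    off = 20
    while off + 2 <= len(pkt):
        t, ln = pkt[off], pkt[off + 1]
        if ln < 2:
            break                                    # malformed length, stop parsing
        if t == atype:
            return off + 2, pkt[off + 2:off + ln]
        off += ln
    return None, None

def build_response(code, ident, request_auth, attrs, secret):
    """Access-Accept/Reject as the RADIUS server emits it (RFC 2865 s.3, RFC 3579 s.3.2):
    Message-Authenticator = HMAC-MD5(secret, packet with the Request Authenticator in the
    header and this attribute zeroed); then MD5(Code|ID|Length|RequestAuth|Attrs|secret)
    becomes the Response Authenticator in the header."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    head = HDR.pack(code, ident, 20 + len(body))
    mac = hmac.new(secret, head + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac                          # Message-Authenticator is the last attribute
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body

def verify_response(pkt, request_auth, secret):
    """The access point's check before it lets a supplicant associate: both integrity
    values must recompute under the shared secret, so a forged or tampered Accept fails."""
    if len(pkt) < 20 or HDR.unpack(pkt[:4])[2] != len(pkt):
        return False
    head, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(hashlib.md5(head + request_auth + body + secret).digest(), resp_auth):
        return False
    off, mac = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if mac is None or len(mac) != 16:
        return False                                 # mandatory whenever EAP-Message is carried
    zeroed = head + request_auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)
```

Both checks depend on the per-AP shared secret and on the Request Authenticator the access point itself chose, which is why an Access-Accept that did not originate from the real RADIUS server is rejected.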
In addition, we are using WiFi Protected Access (WPA)
which is the follow-on standard to the original (and not very secure) Wired
Equivalency Protection (WEP). Instead of having a single unchanging
password for all users for accessing the Service Set IDentifier (SSID)
(that is, our wireless network name "AirEUD"), the system provides a
different key (password) to each user for each session. (This is invisible
to the user, fortunately!)
In our case, we are using OpenSSL for the cryptography end of
things, in conjunction with the freeRADIUS server.
Consumer-grade wireless access points are usually not capable of
interacting with a RADIUS server, so we have purchased enterprise-class
access points from Cisco (Cisco Aironet 1100 access points).
Numerous good articles exist on the Web which provide an overview and
context for what we are doing here. The
Wi-Fi Alliance
has a lot of good information
while Wi-Fi Planet (wi-fiplanet.com) has a good two-part overview
available (802.1X Port Access Control for WLANs; Deploying 802.1X for
WLANs: EAP Types).
The extended "handshake" of the EAP authentication process is shown in
this diagram
(from Wi-Fi Planet). An article from the June 2004 SysAdmin Magazine (not available
online, regretfully) offered
another view, with a better
explanation of the RADIUS interactions.
Lastly, all of this takes place within a firewalled private network. Using
VLAN (Virtual Local Area Network) capabilities in our network switches, a
single network can span multiple wireless access points. Our network is
protected by
iptables and operates in a private
address space using Network Address Translation (NAT)
(RFC 1631).
[An introduction to NAT can be found here and a more technical view is
available here.]
David Friedlander
24 Nov 2004, updated 22 Feb 2005