Astrophysics Science Division

An introduction to EUD Wireless Networking

EUD offers a wireless networking environment whereby you may connect a laptop computer or other device to a firewalled network that can access the Internet. The computer can be government-tagged or personally owned.

Quick Start for the Impatient

In order to join the wireless network, you must:

  • Have a wireless card in your computer (802.11b or g; 802.1X-capable)
  • Be running an operating system capable of 802.1X authentication (OS X 10.3 or above, Windows 2000 or XP, Linux)
  • Submit a Wireless Access form, which can be found at:
    https://astrophysics.gsfc.nasa.gov/eudcomp/forms/wireless_setup.php
    Please print out the resulting PDF and return it to us.
  • Have your computer scanned by us for viruses and security patches

This network uses extensive security mechanisms to protect your privacy as well as the EUD and larger GSFC network. Security is provided by issuing SSL certificates to each user. (Details, technical documents, and buzzwords are found below.) (This is not a Starbucks-style wide-open anything-goes network.)

Where you can connect

Currently, we have access points in Conference Rooms in Building 2 (Rm 8, Rm 22, Rm 215, Rm W230, and Rm W20), Building 6 (Rm S113), Trailer 6 (Rm 012), Building 21 (Rm 183, Rm 191), as well as the High Bay lab. You may be able to get a signal if you are reasonably close to these locations. For a complete and up-to-date list of access points, click here.

The problem with reception in Building 2 is that the modular metal walls in the main part of the building really block the signal, such that it attenuates to unusable levels within just an office or two of the wireless Access Point (AP). Thus we do not offer universal coverage now, and likely never will.

The EUD System Team has plans for several more APs to be installed. If your research group wishes to ensure coverage for your group, please contact System to coordinate buying the same model AP (Cisco Aironet 1100 Series, about $400).


More Details

There are initially three parts to the network:
  • your computer (the "supplicant")
  • the wireless access point
  • the RADIUS authentication server

Your laptop goes through an elaborate handshake with the RADIUS server, with the access point acting as a conduit. Once you have been approved, you are allowed to "associate" with the access point, at which time your network traffic is permitted to pass through the firewall machine to the Internet.

This is all largely transparent to you and takes just a few seconds to sign on.


EUD Configuration Guides for Wireless

You are welcome to peruse the following two guides: These web links will also be emailed to you when you are issued an SSL certificate.

Technical Details and Internet Standards used

(Background note: Internet standards are published as "Request for Comment" documents. I have provided links to these, when possible.)

Our network uses the Extensible Authentication Protocol (EAP) (RFC 3748) with the 802.1X security model (IEEE 802.1X specification, PDF, 1MB). This involves authenticating each client laptop back to a RADIUS (Remote Authentication Dial In User Service) (RFC 2865) server. RADIUS was originally designed to meet the needs of dial-up modem pools (hence the name), but has evolved to support EAP (RADIUS support for EAP, RFC 3579). There are several different protocols for implementing EAP, and we have chosen to implement arguably the most secure, EAP with Transport Layer Security, EAP-TLS (RFC 2716). TLS is the same security that protects secure web servers (for e-commerce and the like).

In addition, we are using Wi-Fi Protected Access (WPA), which is the follow-on standard to the original (and not very secure) Wired Equivalent Privacy (WEP). Instead of having a single unchanging password for all users for accessing the Service Set IDentifier (SSID) (that is, our wireless network name "AirEUD"), the system provides a different key (password) to each user for each session. (This is invisible to the user, fortunately!)

In our case, we are using OpenSSL for the cryptography end of things, in conjunction with the freeRADIUS server. Consumer-grade wireless access points are usually not capable of interacting with a RADIUS server, so we have purchased enterprise-class access points from Cisco (Cisco Aironet 1100 access points).
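As an added illustration of the three-party exchange described above (supplicant, access point, RADIUS server) and of the RADIUS packet rules the access point relies on, here is a toy Python model; it is not EUD's software or configuration, the shared secret and user list are constructed, and the EAP-TLS handshake itself is replaced by a simple list lookup on the server side. It shows the controlled port staying closed until a reply arrives whose Response Authenticator (RFC 2865) checks out, so a Reject altered into an Accept in flight is ignored.

```python
import hashlib, os, struct
# Constructed demo values: not EUD's RADIUS secret or its user list.
SHARED_SECRET = b"example-radius-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1  # RADIUS attribute type for User-Name (RFC 2865 s5.1)

def attr(atype, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 s5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def packet(code, ident, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, 16-byte Authenticator) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret=SHARED_SECRET):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

class RadiusServer:
    """Stand-in for freeRADIUS: decides per user and signs its reply."""
    def __init__(self, allowed_users):
        self.allowed = set(allowed_users)
    def handle(self, request):
        _, ident, _ = struct.unpack("!BBH", request[:4])
        request_auth, attrs = request[4:20], request[20:]
        user = attrs[2:attrs[1]] if attrs and attrs[0] == USER_NAME else b""
        # A real server would run the EAP-TLS handshake here; the toy checks a list.
        code = ACCESS_ACCEPT if user.decode() in self.allowed else ACCESS_REJECT
        return packet(code, ident, response_authenticator(code, ident, b"", request_auth), b"")

class AccessPoint:
    """Authenticator: relays to RADIUS and gates the 802.1X controlled port."""
    def __init__(self, server):
        self.server, self.authorized, self.ident = server, False, 0
    def forward(self, frame):
        return self.authorized  # data frames pass only once the port is authorized
    def authenticate(self, identity, intercept=lambda reply: reply):
        # `intercept` is a demo hook that lets a test alter the reply in flight
        self.ident = (self.ident + 1) % 256
        request_auth = os.urandom(16)  # fresh random value per request
        request = packet(ACCESS_REQUEST, self.ident, request_auth, attr(USER_NAME, identity.encode()))
        reply = intercept(self.server.handle(request))
        code, ident, _ = struct.unpack("!BBH", reply[:4])
        expected = response_authenticator(code, ident, reply[20:], request_auth)
        # A reply whose authenticator does not match was forged or modified: ignore it.
        if ident != self.ident or reply[4:20] != expected: return False
        self.authorized = code == ACCESS_ACCEPT
        return self.authorized
```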

Numerous good articles exist on the Web which provide an overview and context for what we are doing here. The Wi-Fi Alliance has a lot of good information, while Wi-Fi Planet (wi-fiplanet.com) has a good two-part overview available (802.1X Port Access Control for WLANs; Deploying 802.1X for WLANs: EAP Types).

The extended "handshake" of the EAP authentication process is shown in this diagram (from Wi-Fi Planet). An article from the June 2004 SysAdmin Magazine (not available online, regrettably) offered another view, with a better explanation of the RADIUS interactions.

Lastly, all of this takes place within a firewalled private network. Using VLAN (Virtual Local Area Network) capabilities in our network switches, a single network can span multiple wireless access points. Our network is protected by iptables and operates in a private address space using Network Address Translation (NAT) (RFC 1631).
[An introduction to NAT can be found here and a more technical view is available here.]


David Friedlander
24 Nov 2004, updated 22 Feb 2005