University network exec shares experiences and challenges of rolling out wireless across two campuses.Rolling out wireless Internet access is tricky, especially when it comes to finding the best locations for wireless gear. Even more important is making sure that wireless communications are secure. Network World spoke with Mark Bruhn, Indiana University acting associate vice president for telecommunications, about these and other challenges that\u00a0it faced\u00a0in deploying nearly 1,600 wireless-access points across its two main campuses. Here are excerpts from the conversation:Can you describe Indiana University's network infrastructure?We have responsibility for the core campuses at Bloomington and Indianapolis. We have about 3,000 acres of campus at Bloomington and 600 acres in Indianapolis. There are hundreds of buildings. We run the core network to all those buildings. We also run the statewide network that connects eight regional campuses to Indianapolis and to the outside world.The ballpark number of users is 126,000. That would include 98,000 to 99,000 students, 5,000 faculty and another 10,000 staff. We also have a category of "other users," such as contract programmers.The number of users is getting higher because we're attempting to better serve our admitted students and even prospective students. We have students who are no longer enrolled but still have some continuing tie with the university, whether they owe a bursar bill or have incompletes. That number of 126,000 is going to grow as we take into consideration these peripheral relationships. Identity management is a huge area for us. When we install wireless , we want to make sure that the people who are using our wireless network are the people who are affiliated with Indiana University and should be allowed to use that resource.Where does the wireless-access piece fit in?All over the place. We have all of our administrative and academic buildings 100% covered by wireless, although we do identify dead spots periodically. On the Bloomington and Indianapolis campuses, about 85% to 90% of the outside areas that matter are covered by wireless. We've been looking at areas where students and faculty congregate and where wired access isn't possible.At some point, we may think we've got all the outside areas that matter covered, but then certainly there will be areas brought to our attention by faculty and students, and we'll have to go out and take a look. Wireless in residence halls hasn't been a high priority because every room has at least one data jack and all the common areas have data jacks. We're doing the residence halls last because the students already have connections.When did Indiana University begin its wireless rollout?Early 2003. We had a few hundred - maybe 300 or 400 - wireless-access points on the Bloomington campus. My predecessor told the telecom staff that we were going to double that number over the space of a year or 18 months. And we did. The last number I saw was 978 wireless-access points at Bloomington and 600 at Indianapolis.How did you select the equipment?We standardized on Vivato outside, and the equipment inside was Lucent\/Orinoco [now Proxim]. We engaged a consulting company to advise us and do some preliminary site surveying. After that engagement was complete, and we had a good idea of how many access points we would initially need and where they would be placed, we released a request for proposals for hardware.Did you do this wireless rollout with your own staff or did you contract it out?All of it was done internally. One of the things we dealt with was that you can place a little piece of equipment in a ceiling panel just about anywhere, but then you've got to get wiring to it. The network cabling wasn't overly difficult, but you have to get power to those things. The areas where they don't have ready access to power, they've been using Power over Ethernet, which has been outstanding, because then you run the one cable and you don't have to worry about looking around for a conduit to tap or a box.How much have you spent on wireless-access initiatives during the last 18 months?The total amount was just short of $1 million. We estimate that the cost of maintenance and life-cycle replacement amounts to about $250,000 per year. We're on a three- to four-year replacement cycle.Describe some of the rollout's challenges.Getting the wires from a switch to the wireless access point. We've got older buildings, especially in Bloomington. The architects don't want you to run an ugly conduit on the outside of a hallway, so you have to be a bit more creative. The network connection and the power continue to be a challenge. When you look at a site survey, that's obviously one of the things you look at first.Coverage is another thing. In some of these buildings you have to make sure you place these things very carefully. So you do your site survey and you put them up, and then you have to move them around to make sure you get the most coverage out of one wireless-access point. You want to get the coverage as dense as you can but avoid overlap.Microwaves are an issue. We have microwave ovens in little kitchens in some departments. You have to make sure that's taken into account.One of the biggest things, though, that we had to worry about is security . Once wireless is pervasive, how do we make sure that university resources are not being used by someone who is not eligible? The solution that we settled on is a set of VPN servers. To access our network, you have to provide your university credentials. You have to use your network ID and password to authenticate to the VPNs, and then you are assigned a routable address.Did you have any pushback from users about needing to log on and type in a password to get wireless access when they don't have to do that for wired access?No. The wireless network was new to many, many users, and authentication came with it. We used their university credentials, so they didn't have to memorize another user name and password. I think we're going to start getting a bit more pushback when we start doing authentication with the wired network, because people are used to not having to do that process.How do you handle guest users on the wireless network?If a visiting scholar comes to a particular department for a few days, we can issue an Indiana University credential. We call them affiliate accounts. We built a system for issuing and tracking affiliate accounts. It was based on our VPN servers. What we discovered is that VPN-over-VPN connections don't work. When we were authenticating our guest credentials with our VPNs, and the guests needed to access their VPNs at their home organizations, they were establishing another VPN connection on top of our VPN connection, and that was bad news. So we are rolling out a different authentication scheme for guest users. We are using HP 740 Access Control Servers, and we are authenticating using RADIUS-based credentials instead of VPNs.What have been the biggest benefits of the wireless rollout?Wireless made us rethink some security issues, for example, the guest credentialing scheme and the new user authentication scheme. We knew we needed these schemes for wireless, and then that smoothed the process for rolling them out on the wired network.A few years back, there was a major university that announced it was the first to cover its campus with ubiquitous wireless. But the university had no protection on its wireless network.Once it made that announcement, it ended up offering half the community free Internet access. We knew we weren't going to do wireless like that. That's why we rolled out our VPN simultaneously with our wireless access.What advice would you offer to other network professionals planning wireless rollouts?My advice is that you shouldn't roll out wireless access without encryption. It doesn't cost that much to add encryption. It's not that much more of an effort to put in good security on a wireless network, so I recommend doing it. Think about how you're going to feel if your corporation has a wireless network and that wireless network is used to perpetrate a heinous crime. WEP is not a good solution. VPNs are a reasonable solution.Another recommendation of mine is to deal with the guest-user situation as well as the regular-user situation. You may need to offer temporary network access to a particular conference room. You ought to register certain information about users when you register them at the conference.Another piece of advice I have is that you shouldn't let departments install their own wireless access. We found some students were bringing in their own wireless networks, which caused problems. You have to try and find rogue wireless-access points. When we find them, we try to get them set up correctly.A year ago, Intel selected Indiana University as the most unwired campus in the United States. This year, the university didn't make the top 30 on that list. What happened?We did not provide information to Intel last year for the survey. We're not sure where they got the information that they used to select us. It's nice that we were selected last year, but the criteria did change this year. This year, the criteria are focused on the availability of wireless across the campus and the number of computers that the university provides per student. That's why 95% of the colleges in this year's list are small colleges that can claim 100% coverage and have higher computer-to-student ratios.Getting personal: Mark BruhnName:Mark BruhnTitles:Acting associate vice president for telecommunications and chief IT security and policy officer.Organization:Indiana UniversityResponsibilities:Maintain, operate and secure the network infrastructure and key network applications including data, video and voice services.Annual network budget:$10 million for e-mail, video and other data applications; $17 million for voice services.Staff size:115Previous jobs:Bruhn has been at Indiana University since 1985, serving as IT policy officer, disaster-recovery project leader, deputy director of the computer security office and information security officer. Previously, he was in the U.S. Air Force. Education:Bruhn holds a bachelor of science degree in computer science from Park College and CISSP and CISM certifications.