Baylor University signs up for difficult course on WLAN security

Baylor University learns about wireless LAN security in the school of hard knocks.

Baylor University learned about wireless LAN security in the school of hard knocks. Three years ago, Baylor began installing 270 Enterasys Networks wireless access points across its Waco, Texas, campus in libraries, classrooms and dorms so students and faculty could access the campus LAN from computers outfitted with 802.11b WLAN cards. That was the easy part, according to Baylor’s IT staff. But finding a way to add authentication to enable unimpeded wireless access has meant a crash course in security technologies that hasn’t yet ended.

In fact, 802.1x, the authentication technology Baylor just started using last month, is causing the WLAN network to crash from time to time. “We’re forcing the wireless access points to do more than we had them do in the past,” says Bob Hartland, director of IT servers and networking systems at Baylor.

Based on an IEEE standard, 802.1x lets a WLAN user’s encrypted password be sent from an 802.1x-enabled laptop across the Enterasys access points, which support 802.1x, to a RADIUS authentication server included in Windows Server 2003, which Baylor uses.

While 802.1x authentication, which involved this end-to-end, back-and-forth hand-off via 802.1x, works, it has put an unexpected processing strain on the WLAN access points, causing their radio-frequency power to fail. For that reason, Baylor now dispatches four technically minded students to check and make adjustments on the university’s 270 WLAN access points each day.

“802.1x is more complex to troubleshoot than what we had before,” says Scott Day, Baylor’s manager of network services. The university also is reconfiguring the access points to try to sort out the problem.

Baylor IT staff had been waiting patiently for two years for the much-ballyhooed IEEE 802.1x authentication standard, along with Wired Equivalent Privacy (WEP) encryption, to appear in products.

Before 802.1x, campus IT staff tried a number of other experiments in wireless encryption and authentication. First came a limited VPN deployment, next was a homegrown client to authenticate campus users to the access points.

The homegrown system, which Baylor viewed as the interim step while it waited for vendors to implement 802.1x, was based on a design detailed in a paper published by the National Aeronautics and Space Administration.

“It was a gateway based on OpenBSD, [Secure Sockets Layer] logon and a Web browser,” Hartland says.

But Baylor was waiting for 802.1x, described as a standards framework for wireline and wireless that can accept many extensions, such as public-key certificates and passwords. Baylor deemed client-side certificates too complex and expensive to deploy. The university wanted to be able to have each user’s WLAN password be the same as the password to gain access to the Baylor campus LAN. That would minimize password administration. Two 802.1x variants, one called Tunneled Transport Layer Security (TTLS) backed by Funk Software and Certicom, and the second called Protected Extensible Authentication Protocol (PEAP), backed by Microsoft and Cisco, offered the potential to do that, according to Jon Allen, Baylor’s coordinator of IT security.

TTLS and PEAP provide mutual authentication and WEP re-keying but don’t require client-side certificates, only passwords. It’s important to have the 802.1x-based variant mutually supported in the WLAN card, the access point, the client software and the authentication server, because the authentication process crosses these points.

In the university’s viewpoint, the moment when all the stars aligned on that score arrived in the spring when Microsoft released 802.1x PEAP client code that can be used with XP and Service Pack 1 for Windows Server 2003.

“We’re pretty much a Microsoft shop, so we decided to take this course,” Hartland says. “We had been hearing about 802.1x for years.”

Baylor bought a site license for XP that would be available for all its students, faculty and staff. For non-Windows users, Baylor licensed the 802.1x-based client software from MeetingHouse Data Communications for Macintosh, Linux and PocketPC. But because campus users have moved to 802.1x based on PEAP, there have been issues to deal with above and beyond the strain that 802.1x authentication put on the Enterasys WLAN access points.

For example, not all WLAN cards have a hook into 802.1x, as the XP client software needs, according to Baylor’s IT staff. The Enterasys WLAN card and a card from Orinoco Wireless (which was purchased by Proxim) haven’t been a problem, but many other cards don’t seem to have the kind of “zero-config XP interface” that makes it easy to use XP for 802.1x authentication, Allen says.

Although Baylor’s IT staff waited a long time for 802.1x on the WLAN and find it’s resulted in some tough problems, they aren’t cynical about it. The staff are confident they will sort out what they call the “signal-strength issue” with the WLAN access points, perhaps by adding more access points. And the next step will be working on more complex role-based access to network resources for students and faculty based on security policy. “We’re just waiting for it all to settle down,” Hartland says.