Mobile Computing and Security Authenticated Network Access (ANA) Jon Peters Associate Director Dave Packham Manager of Network Engineering NetCom University of Utah Copyright David Packham and Jon Peters, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

University of Utah, located in Salt Lake City Department of Network & Communication Services (NetCom) responsible for campus network backbone, phone service, security, , help desk, phone operators Hosting the 2002 Winter Olympic opening and closing ceremonies, and the athletes’ residence village Background

Purpose of Presentation Authentication through a firewall. Authenticated network access (ANA).

Driving Need

Design Requirements Security Performance Scaling Cost Global authentication database model Minimum client side configuration Multi-platform support

Authentication through a firewall

Security Performance Scaling Cost

Authenticated Network Access (ANA) Components (2) redundant HSRP router capable of supporting multiple interfaces or virtual sub-interfaces and the ability to associate a user supplied MAC address per each interface. (2) redundant DHCP servers with (2) network interface cards each. (2) redundant LDAP server with (2) network interface cards. (2) redundant WWW/DNS server with (2) network interface cards. (2) redundant VLAN policy server with (2) network interface cards. Fully switched network capable of spanning certain vlans throughout the mobile computing area.

ANA

ANA Process Initial connection Authentication to network Continuance of lease Link down or release of IP address

ANA Client ANA Client connects to ANA controlled Cisco switch ANA Controlled Switch

? To which VLAN should this port belong? ANA Controlled Switch Cisco VPS1100

Place port in default VLAN for VTP domain. ANA Controlled Switch Cisco VPS1100

ANA Client ANA v3 Client requests and receives a DHCP address

ANA Client Client requests authentication page by launching a browser

ANA v3 Cisco VPS1100 ANA v3 commands the VPS server to place the switch port into a new VLAN

VPS server places the switch port into the VLAN assigned to the port via ANA v3 ANA Controlled Switch Cisco VPS1100

ANA Client Client has full access to open network

ANA Security – switched, logged, VPN usable Performance - < 30k Scaling – 50,000 S/F/S /day Cost – Log linear Global authentication, NID, LDAP, modular Minimum client side configuration – NONE! Multi-platform support – Linux/PDA/Mac

Daily Graphs

Long Term Graphs

Summary of Activity Average Number of Visits per Day on Weekdays468 Average Number of Hits per Day on Weekdays32,956 Average Number of Visits per Weekend1,009 Average Number of Hits per Weekend49,250 Most Active Day of the WeekWed Least Active Day of the WeekMon Most Active DateOctober 01, 2000 Number of Hits on Most Active Date58,379 Least Active DateSeptember 20, 2000 Number of Hits on Least Active Date5,624 Most Active Hour of the Day18:00-18:59 Least Active Hour of the Day06:00-06:59

Current Development Plan Addition of wireless networks and other devices. Addition of remote access users through VPN’s. Bandwidth and usage notifications. Post login licensed software download.

Address Web Server – Current Development Team Dave Packham Steve Scott Justin Kim Andrew Reich Mindy Sartor Past Team Members John Storm Kyle Mallory Alexander Quilter