Wireless network Faculty of Science
Within the Science Faculty a secure wireless 54 Mbit/s wi-fi WPA network is available at almost every place in the Huygens building, starting july 2005. The network advertises itself with the name (SSID) "Science"". It can only be used by people with a Science-login. Since fall 2006 the university RU-wlan is available in the Huygens building for all students and personnel of the RU.
What you need
To access this "Science"-network, you need:
Wi-Fi hardware that supports WPA (more exactly WPA Enterprise with PEAP/MS-CHAP v2). Almost all laptops have this built-in since a few years. All Intel Centrino laptops should be fine. N.B.: There is a security vulnerability in the Intel Centrino Windows-drivers, see Intel support for more information and updates. If one wants to use the Intel PROSet/Wireless software instead of the Windows software, the update above could be necessary.
Laptops from 2003 or later should be fine too, but often you need a driver-update (see the manufacturers web-site). When the built-in hardware doesn't support WPA, one can buy for about EUR 30,- a PCMCIA-card or USB-stick that does. See if needed wi-fi.org for "certified" hardware. C&CZ has tested two low-cost certified PCMCIA-cards, Linksys WPC54G-EU and D-Link DWL-G650+. Older 11 Mbit/s 802.11b hardware as well as newer 54 Mbit/s 802.11g hardware can be used, as long as WPA is supported.
- Either Microsoft Windows XP with Service Pack 2 (SP2). We wrote an extensive installation manual.
- Or Microsoft Windows Mobile 5 or 6. We have a simple installation manual available.
- Or Microsoft Windows Vista. Click "Start->Settings->Control Panel->Network". Choose "Setup connection or network". Choose "Setup manually". Choose then "Science" (with 1 capital!), WPA Enterprise and TKIP. Next choose "Change connection settings" and click in the tab "Security" on "Protected EAP" and "Settings...". In the window "Protected EAP properties" one has to check "Validate server certificate" and choose the verification method "Protected password (EAP-MSCHAP v2) and withing this in "Configure" uncheck "Automatically use my Windows-logonname and -password (and domain if necessary)". If one doesn't want to make a connection with previously entered account information, one can uncheck "Cache user information for subsequent connections to this network". In the meantime see if necessary the Cable Guy). In the near future, we will provide a detailed installation manual, until then one can use, if needed, the manual as mentioned above. If this is too difficult, don't hesitate to stop by C&CZ with your laptop.
- Or any other operating system with WPA (WPA-Enterprise) support
- For older versions of Windows XP or for Windows 2000, see the Microsoft website, e.g.: Overview of the WPA Wireless Security Update in Windows XP and/or Troubleshooting Windows XP IEEE 802.11 Wireless Access
- A PDA or smartphone with Windows Mobile will probably work if one chooses WPA/TKIP. In Windows Mobile 6 it is often impossible to set the PEAP-properties, but that isn't necessary! Just hit "Connect".
- For a Palm TX one can buy a WPA-Enterprise upgrade for about 6 US dollar.
- For Linux see this premature manual, which uses WPA supplicant.
- For Apple Macintosh WPA-Enterprise support is included with Mac OS X 10.3 or higher: See e.g. Apple's WPA Requirements information. Detailed info (and a Mac) fail us now. If someone has it, we would be pleased to hear more.
- The Apple iPhone and iPod Touch do not currently (software version 1.1.3, Jan. 16, 2008) support WPA with 802.1x, a requirement for WPA-Enterprise connectivity. Users are prompted only for a password when selecting "WPA" as their encryption type, which indicates that the device is only capable of WPA-PSK, not WPA-Enterprise. In order for the iPhone or iPod Touch to be compatible with the RU wireless network, an update would need to be made available from Apple with 802.1x support.
- Username and password
Before any Internet-traffic is possible, the combination of a loginname and password is checked through the 802.1x mechanism. One should prevent giving the loginname/password combination to a rogue (non-C&CZ) access-point, by checking the server-certificate. All traffic is encrypted with constantly changing keys, which makes eavesdropping impossible.
- For the "Science" network a C&CZ (science) username and password. Every employee and student of the Faculty of Science has (a right to) that.
- (For the RU-wlan) a RU-password for every RU-employee and student.
- (Not yet available at the RU:) or a username/password of an institution that takes part in EduRoam.
Background and future
- At the end of 2004, it was decided that we wanted blanket wireless coverage in Huygens-building phase I. Later it was decided that the RU would supply wireless coverage everywhere on campus.
- After meetings with the UCI, Vosko and Cisco we chose the Cisco 1130AG as wireless access point. After a site survey by Vosko, 54 of these access points were placed in Huygens-building phase I. To manage these access-points (IOS-version, configurations), we bought a CiscoWorks Wireless LAN Solution Engine, and later added AirMagnet laptop for security and troubleshooting.
- We had a lot of trouble with the initial configuration, due to our wish to use our existing FreeRadius radius server, which was not supported by our suppliers, our wish to spread the users in different VLANs (subnets) and the wish to make a safe WPA network, for which the users of MS-Windows XP2 SP2 wouldn't have to install extra software and the users wouldn't give their passwords to wrong servers (withoud correct certificate).
- In the first few weeks of september 2005 50 different users logged in to the wireless network, the largest groups were Organic Chemistry, that switched over from "their own" wireless network and students Computer Science.
- During 2006 the wireless network was extended to the Huygens building phase II and NanoLab.
- In the next year(s), wireless connectivity will be available in all remaining buildings: HFML, Botanic Greenhouse, RootLab, ITS, A2-wing (after renovation), Linnaeus building (after renovation) and several locations outside (lawn, terrace, ....).
- The next generation wireless network will probably be discussed from 2008: faster with 802.11n (200+ Mbit/s) and even more secure with WPA2 (better hardware encryption).
- As soon as we switch to VoIP (Voice Over IP, IP-Telephony) for our telephone system, we will look into VoWLAN (Voice over WLAN) as wireless speech solution.