NIH Wireless LAN
NIH Technical LAN Coordinator Training
August 2006
Agenda
- CIT's wireless network architecture
- VPN's place in this new wireless network architecture
- Basic wireless LAN equipment and software
- Wireless client setup demo
- VPN client setup for wireless
- Questions
CIT Wireless & VPN Support
First level support: NIH Help Desk
- Phone: 301-496-HELP (4357) or 866-319-HELP
- E-mail: [email protected]
- CIT Support Web Page: http://support.nih.gov
- CIT Web Page: http://cit.nih.gov/home.asp
- General Information page: http://wireless.nih.gov
CIT Wireless & VPN Support
- Second level support: Network Operations Center (NOC)
- Third level support: NEB/Network Operations Section
- Fourth level support: NEB/Engineering Operations Section, Wireless and VPN groups
Wireless and VPN Client Software Download
Download client software and documents from the SDP (Software Distribution Product) Web site:
- http://isdp.cit.nih.gov/downloads/wireless_lan.asp
- http://isdp.cit.nih.gov/downloads/vpn_tools.asp
- http://RemoteAccess.nih.gov
NIH Wireless Consolidation Scope
- 802.11x devices in locations with NIH employees using wireless networking
- Point-to-point wireless network connections
- Bluetooth wireless networking
- Bridge devices that convert to/from 802.11x wireless protocols
- Specialized wireless laboratory or biomedical devices that use 802.11x networking
Wireless Consolidation: Consolidation Cost Savings
- Volume efficiencies
- Vendor discounts and operational costs
- Multiple vendors provide competition but increase operations costs
- Elimination of duplicate, overlapping networks
- Decrease in IRT costs to monitor wireless security
Wireless Security Approach to be followed
- Utilize VPN to meet encryption and user authentication requirements
- HIPAA (Health Insurance Portability and Accountability Act of 1996). Relevant provision: guarantee security and privacy of health information
- Develop and follow security and wireless policies
- All wireless devices registered and secured
- Scan for unauthorized devices
NIH Wireless Security Implementation Approach
- Install wireless using a configuration that allows a multi-vendor environment (i.e. no proprietary vendor extensions): static WEP and a non-broadcast SSID. These two settings only control which clients can associate to the access points; neither is relied on for confidentiality. Static WEP is a shared key that every client holds and that is recoverable from captured traffic, and a non-broadcast SSID is still sent in the clear when clients associate.
- Require VPN over wireless to meet the security requirements for encryption and user authentication, per NIST recommendation: Cisco VPN Client (Version 4.x) with AES-256 and 3DES-168 encryption.
- Install security devices at the wireless "On Ramp" to NIHnet in each building to restrict traffic.
NIH Wireless Security Implementation Approach
- Allow VPN users to have direct access to the NIH network
- Authenticate users via Active Directory
- Tunnel non-NIH users to a perimeter wireless DMZ
- Install a web portal for authorized external users to access the Internet over the NIH wireless network
- Take advantage of future standards when they mature to enhance security and functionality
Basic Wireless LAN Equipment and Software
- Wireless Adapter
- Access Point (AP)
- RADIUS Server
- Active Directory Server
- VPN Client and Server
- Wireless Gateway
Wireless Network Model
(Diagram: Wireless Access Point (AP) -> On-ramp -> IC-net -> NIHnet -> DMZ -> Internet)
Types of Wireless Users
- Type 1: Wireless user within their primary building
- Type 2: Wireless user who has roamed to another building
- Type 3: Wireless guest or patient
- Type 4: Specialized wireless devices (example: lab scanner or biomedical device)
Type 1 User
(Diagram: Wireless Client -> Wireless Access Point (AP) -> On-Ramp -> VPN -> IC-net -> NIHnet, with RADIUS and AD servers for user authentication.)
- Wireless client: non-broadcast SSID and static WEP
- VPN client: 3DES/AES encryption
- The encrypted VPN session carries user authentication and the user's network traffic
Type 2 User - Roaming to another building
(Diagram: same elements as Type 1, but the Wireless Client associates to an AP in another building's IC-net; the path is AP -> On-Ramp -> IC-net -> NIHnet -> VPN -> IC-net, with RADIUS and AD for user authentication.)
- Wireless client: non-broadcast SSID and static WEP
- VPN client: 3DES/AES encryption
- The encrypted VPN session across NIHnet carries user authentication and the user's network traffic
Type 3 Guest User
(Diagram: Wireless Client -> Wireless Access Point (AP) -> On-Ramp -> redundant Wireless Gateways -> Internet, with RADIUS and AD; NIHnet is shown but not reachable from the guest path.)
- Non-broadcast SSID and static WEP, different from those used by NIH internal users
- SSL-encrypted session (login only); point-to-point tunnel to the wireless gateway
- Redundant gateways
- Limited Internet access
- No direct access to NIHnet
Type 4 User - No User Login
(Diagram: Wireless Device -> Wireless Access Point (AP) -> On-Ramp -> IC-net -> NIHnet -> Server; plain network traffic, no VPN session.)
- Wireless device: non-broadcast SSID and static WEP
- System without VPN capability
Wireless Consolidation Phases
Each IC will progress through the phases independently.
- Phase 1: CIT installs On-Ramp device(s); CIT monitors the wireless network 24x7; CIT takes over management of wireless devices; wireless assets are transferred to CIT
- Phase 2: IC installs VPN clients on user machines
- Phase 3: CIT enables security on the On-Ramp when Phase 2 is complete
Wireless Consolidation Phase 1
(Diagram: Wireless Access Point (AP) -> On-Ramp router -> IC-net -> NIHnet -> DMZ -> Internet; centrally located, redundant VPN devices on NIHnet.)
- On-Ramp installed and traffic allowed to go anywhere on IC or NIHnet.
- CIT manages wireless access points and the On-Ramp router.
- VPN not required.
- No change from current operation.
Wireless Consolidation Phase 2
(Diagram: Wireless Access Point (AP) -> On-Ramp router -> IC-net -> NIHnet -> DMZ -> Internet; centrally located, redundant VPN devices, plus optional IC-specific VPN devices.)
- VPN optional.
- IC installs VPN clients on wireless user devices.
Wireless Consolidation Phase 3
(Diagram: Wireless Access Point (AP) -> On-Ramp router -> IC-net -> NIHnet -> DMZ -> Internet; centrally located, redundant VPN devices, plus optional IC-specific VPN devices.)
- IC completes installation of VPN clients on wireless user devices.
- VPN required.
- Security enforced on the On-Ramp router.
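What "security enforced on the On-Ramp router" amounts to once an IC reaches Phase 3 is an inbound filter on the wireless-facing interface that lets the wireless segment reach only what a VPN session needs. The Cisco IOS access lists below are an added illustration written for this page, not configuration from the deck or from CIT. The addresses, interface name and the Type 4 device exception are assumptions chosen for the example; the port numbers are the Cisco VPN Client's standard ones (IKE on UDP 500, NAT-T on UDP 4500, IPsec-over-UDP on UDP 10000, and ESP).

```cisco
! Added example, not CIT's configuration. Assumed addressing:
!   10.10.0.0/16   wireless client subnet behind this On-Ramp
!   10.20.0.10/11  centrally located, redundant WLAN VPN concentrators
!   10.10.5.20     a Type 4 lab device that cannot run a VPN client
!   10.40.0.8      the server that device talks to
!
! Phase 1 / Phase 2 behaviour: everything from the wireless segment is allowed.
ip access-list extended WLAN-ONRAMP-PHASE1
 permit ip any any
!
! Phase 3: only VPN establishment, DHCP and registered exceptions leave the segment.
ip access-list extended WLAN-ONRAMP-PHASE3
 remark clients need an address before they can build a tunnel
 permit udp any eq bootpc any eq bootps
 remark IKE (500), NAT-T (4500), IPsec-over-UDP (10000) and ESP to each concentrator
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq isakmp
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq non500-isakmp
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 10000
 permit esp 10.10.0.0 0.0.255.255 host 10.20.0.10
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.11 eq isakmp
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.11 eq non500-isakmp
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.11 eq 10000
 permit esp 10.10.0.0 0.0.255.255 host 10.20.0.11
 remark Type 4 device: registered exception, pinned to its own server only
 permit ip host 10.10.5.20 host 10.40.0.8
 remark anything else a WEP-only client sends is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description On-Ramp interface facing the wireless access points
 ip access-group WLAN-ONRAMP-PHASE3 in
```

Moving an IC from Phase 2 to Phase 3 is then the one-line change of the ip access-group statement from the PHASE1 list to the PHASE3 list, which is why Phase 2 (clients installed, VPN optional) has to be complete first: after the switch, a client that has the static WEP key but no VPN session can still associate and get a DHCP lease, but nothing it sends reaches IC-net or NIHnet. The log keyword on the final deny gives the 24x7 monitoring a record of exactly those clients, which supports the "scan for unauthorized devices" goal. The Type 4 exception is only as strong as the shared WEP key, since any associated client can claim that IP address; that is why such devices are registered individually and kept to a single destination rather than given the open access of Phase 1.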
Wireless Authentication Overview
(Diagram: two buildings, B12 and B45, each with an AP, an On-Ramp router, a WLAN VPN Concentrator and a Wireless Gateway; an IC VPN Concentrator; RADIUS/Active Directory and a DHCP server; IC Network, NIH Network, Wireless DMZ and Internet; GRE tunnels whose endpoints are not recoverable from the extracted text; an NIH wireless client path labelled with steps 1a-4a and a guest wireless client path labelled with steps 1b-4b. The step sequence is not recoverable from the extracted text.)
Wireless Client Setup
1. Insert the Cisco wireless client adapter. Click Cancel on the Windows hardware prompt that appears; the driver is installed together with ADU in the next step.
2. Double-click the Cisco Aironet Desktop Utility (ADU) installer to start the installation.

ADU and Driver Installation
3. Click Next through the wizard pages, Yes when asked to accept, then OK, and OK again to reboot.

ADU Configuration
4. Double-click the ADU icon and select Profile Management.
5. Select Default and click Modify.
6. Rename the profile (example: NIH WLAN). SSID1: enter the NIH SSID. SSID2: enter the NIH Guest SSID. Select the Security tab.
7. Select Pre-Shared Key (Static WEP) and click Configure.
8. WEP 1: enter the NIH static WEP key. WEP Key Size: select 128. Click OK to return to the Profile Management window, then select the Advanced tab.
9. Uncheck 5 GHz 54 Mbps and click OK to return to the Profile Management window.
10. Select the Current Status tab and verify the wireless connection.

Congratulations! ADU installation and configuration are complete.
Wireless VPN Setup
New VPN Client (ver. 4.8)

VPN Client Install
1. Double-click the icon to begin installation. NOTE: This installs the configuration for Remote Access VPN as well as Wireless VPN.
2. Click Unzip to place the installation files in a folder; the extraction progress is displayed.
3. Open the directory containing the client installation files and click the Setup icon.
4. The MSI or InstallShield installation process begins.
5. If this is a new client install, skip steps 6 and 7.
6. If an old client is present you will see a message asking about it: click Yes.
7. When you receive the restart request from the installer, click Finish and allow the computer to restart. If you do not, you will receive an error when you try to install the client later. After the reboot the installer continues.
8. Click Next and/or Yes where the MSI Installer Wizard asks for input. The install progresses to a dialog showing the install in progress.
9. Click Finish to restart the computer and complete the install.
10. After the computer has restarted, open the Start menu, find VPN Client and click it to start the VPN Client.

Wireless VPN Setup
There are no other steps!
Wireless VPN Setup
Caveat #1: The newest version of the VPN client is an MSI installer. This MSI client is not designed to replace older clients installed previously using the InstallShield wizard. If you used the InstallShield installer to install your old VPN client, you will need to UNINSTALL the old VPN client first before installing the new 4.8x VPN client. (We are finding that we have to use an older client on some new XP machines. We are still gathering information to present to Cisco.) The new MSI client will be supported by Cisco on an ongoing basis; the InstallShield client will not. The MSI client will apply future updates without rebooting the user's PC. If you are not sure, uninstall the old VPN client before trying this install.
Caveat #2: This product is designed to be used with all versions of Windows; however, we have encountered problems with, and do not support, the Cisco VPN client on XP Home Edition.
Wireless VPN Connection
1. Highlight Wireless VPN and click Connect.
2. Enter your Active Directory (NT logon) credentials in the form shown, as <Domain>\<Username> and <Password>. (The slash MUST be a backslash, \.) Click OK.
3. The client confirms your credentials. Click Continue and you are connected to Wireless VPN.
4. A VPN Client lock symbol appears in the System Tray, showing that you are connected to NIHnet via VPN. Right-click it and choose Statistics to view your connection statistics.
5. To bring the VPN Client window back while connected, double-click the VPN lock icon in the system tray.