NIH Wireless LAN: NIH Technical LAN Coordinator Training, August 2006 (49 slides)

Transcript
Page 1: 4/16/10 NIH Wireless LAN


NIH Wireless LAN

NIH Technical LAN Coordinator Training

August 2006

Page 2

Agenda
- CIT’s wireless network architecture
- VPN’s place in this new wireless network architecture
- Basic wireless LAN equipment & software
- Wireless client setup demo
- VPN client setup for wireless
- Questions

Page 3

CIT Wireless & VPN Support
First level support: NIH Help Desk
Phone: 301-496-HELP (4357) or 866-319-HELP
e-mail: [email protected]
CIT Support Web Page: http://support.nih.gov
CIT Web Page: http://cit.nih.gov/home.asp
General Information page: http://wireless.nih.gov

Page 4

CIT Wireless & VPN Support
Second level support: Network Operations Center (NOC)
Third level support: NEB/Network Operations Section
Fourth level support: NEB/Engineering Operations Section, Wireless and VPN groups

Page 5

Wireless and VPN Client Software Download
Download client software and documents from the SDP (Software Distribution Product) Web site:
http://isdp.cit.nih.gov/downloads/wireless_lan.asp
http://isdp.cit.nih.gov/downloads/vpn_tools.asp
http://RemoteAccess.nih.gov

Page 6

NIH Wireless Consolidation Scope
- 802.11x devices in locations with NIH employees using wireless networking
- Point-to-point wireless network connections
- Bluetooth wireless networking
- Bridge devices that convert to/from 802.11x wireless protocols
- Specialized wireless laboratory or biomedical devices that use 802.11x networking

Page 7

Wireless Consolidation: Consolidation Cost Savings
- Volume efficiencies: vendor discounts and operational costs
- Multiple vendors provide competition but increase operations costs
- Elimination of duplicate overlapping networks
- Decrease in IRT costs to monitor wireless security

Page 8

Wireless Security Approach to be followed
- Utilize VPN to meet encryption and user authentication requirements – HIPAA (Health Insurance Portability and Accountability Act of 1996). Relevant provision: guarantee security and privacy of health information
- Develop and follow security and wireless policies
- All wireless devices registered and secured
- Scan for unauthorized devices

Page 9

NIH Wireless Security Implementation Approach
- Install wireless using a configuration that allows a multi-vendor environment (i.e. no proprietary vendor extensions): static WEP and non-broadcast SSID
- Require VPN over wireless to meet security requirements for encryption and user authentication per NIST recommendation: Cisco VPN Client (version 4.x), AES-256 and 3DES-168 encryption
- Install security devices at the wireless “On Ramp” to NIHnet in each building to restrict traffic
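As an added example (not from the NIH deck) of the "all wireless devices registered" and "scan for unauthorized devices" items on page 8, and of the wrinkle the non-broadcast SSID on page 9 adds to that check: a Python script that compares constructed scan output against a constructed registry of CIT-managed access points. The NIH SSID, the BSSIDs and the scan line format are placeholders and assumptions, not values from the slides.

```python
"""Flag access points seen in a wireless scan that are not in the registry of
approved NIH devices.  Added example, not part of the NIH training deck: the NIH
SSID is a placeholder, registry and scan lines are constructed, and the scan
format (bssid ssid channel signal; "-" = SSID not learned) is an assumption."""
from dataclasses import dataclass

NIH_SSID = "NIH-WLAN-PLACEHOLDER"  # placeholder; the real SSID is not on the slides

# Constructed registry of CIT-managed access points: BSSID -> (building, SSID)
REGISTERED = {
    "00:11:22:33:44:01": ("B12", NIH_SSID),
    "00:11:22:33:44:02": ("B45", NIH_SSID),
}

# Constructed scan: registered AP; registered AP, SSID not learned; unknown radio with NIH SSID; rogue AP
SCAN_LINES = """\
00:11:22:33:44:01 NIH-WLAN-PLACEHOLDER 6 -48
00:11:22:33:44:02 - 11 -61
00:11:22:33:44:99 NIH-WLAN-PLACEHOLDER 6 -40
DE:AD:BE:EF:00:01 FreeWifi 1 -70
"""

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str

def parse_scan(text: str) -> list:
    """Return (bssid, ssid) pairs; an SSID the scanner did not learn becomes ""."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, *_rest = line.split()
            pairs.append((bssid.lower(), "" if ssid == "-" else ssid))
    return pairs

def find_unauthorized(scan_text: str, registry=REGISTERED, nih_ssid: str = NIH_SSID) -> list:
    """One Finding per AP that violates the registration policy, in scan order."""
    findings = []
    for bssid, ssid in parse_scan(scan_text):
        if bssid in registry:
            # A non-broadcast SSID may not be learned; only a *different* SSID is suspicious.
            if ssid and ssid != registry[bssid][1]:
                findings.append(Finding(bssid, ssid, "registered AP advertising an unexpected SSID"))
        elif ssid == nih_ssid:
            # An unregistered radio announcing the NIH SSID is the one to locate first.
            findings.append(Finding(bssid, ssid, "unregistered AP using the NIH SSID"))
        else:
            findings.append(Finding(bssid, ssid, "unregistered AP"))
    return findings
```

A registered AP whose hidden SSID the scanner did not learn produces no finding, so the non-broadcast SSID does not generate false alarms against the inventory.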

Page 10

NIH Wireless Security Implementation Approach
- Allow VPN users to have direct access to the NIH network
- Authenticate users via Active Directory
- Tunnel non-NIH users to a perimeter wireless DMZ
- Install a web portal for authorized external users to access the Internet over the NIH wireless network
- Take advantage of future standards when they mature to enhance security and functionality

Page 11

Basic Wireless LAN Equipment and Software
- Wireless Adapter
- Access Point (AP)
- RADIUS Server
- Active Directory Server
- VPN Client and Server
- Wireless Gateway

Page 12

Wireless Network Model
[Diagram: Wireless Access Point (AP), On-ramp, IC-net, NIHnet, DMZ, Internet]

Page 13

Types of Wireless Users
Type 1 – Wireless user within their primary building
Type 2 – Wireless user who has roamed to another building
Type 3 – Wireless guest or patient
Type 4 – Specialized wireless devices (example: lab scanner or biomedical device)

Page 14

Type 1 User
[Diagram: Wireless Client (Non-Broadcast SSID and Static WEP), Wireless Access Point (AP), On-Ramp, VPN, IC-net, NIHnet, RADIUS, AD. VPN Client with 3DES/AES Encryption; flows labelled Encrypted VPN Session, User Authentication and User Network Traffic.]

Page 15

Type 2 User - Roaming to another building
[Diagram: Wireless Client (Non-Broadcast SSID and Static WEP), Wireless Access Point (AP), On-Ramp, two IC-net segments, VPN, NIHnet, RADIUS, AD. VPN Client with 3DES/AES Encryption; flows labelled Encrypted VPN Session, User Authentication and User Network Traffic.]

Page 16

Type 3 Guest User
[Diagram: Wireless Client (Non-Broadcast SSID and Static WEP, different from NIH internal users), Wireless Access Point (AP), On-Ramp, NIHnet, redundant Wireless Gateways, Internet, RADIUS, AD. SSL Encrypted Session (login only), Point-to-Point Tunnel; limited Internet access; no direct access to NIHnet.]

Page 17

Type 4 User – No User Login
[Diagram: Wireless Device (Non-Broadcast SSID and Static WEP; system without VPN capability), Wireless Access Point (AP), On-Ramp, IC-net, NIHnet, Server; flow labelled Network Traffic.]

Page 18

Wireless Consolidation Phases
Each IC will progress through the phases independently.
Phase 1: CIT installs On-Ramp device(s); CIT monitors the wireless network 24x7; CIT takes over management of wireless devices; wireless assets are transferred to CIT
Phase 2: IC installs VPN clients on user machines
Phase 3: CIT enables security on the On-Ramp when Phase 2 is complete

Page 19

Wireless Consolidation Phase 1
[Diagram: Wireless Access Point (AP), On-Ramp Router, IC-net, NIHnet, DMZ, Internet; centrally located redundant VPN Devices.]
On-Ramp installed and traffic allowed to go anywhere on IC or NIHnet.
CIT manages wireless access points and On-Ramp router.
VPN not required.
No change from current operation.

Page 20

Wireless Consolidation Phase 2
[Diagram: Wireless Access Point (AP), On-Ramp Router, IC-net, NIHnet, DMZ, Internet; centrally located redundant VPN Devices; optional IC-specific VPN Devices.]
VPN optional.
IC installs VPN clients on wireless user devices.

Page 21

Wireless Consolidation Phase 3
[Diagram: Wireless Access Point (AP), On-Ramp Router, IC-net, NIHnet, DMZ, Internet; centrally located redundant VPN Devices; optional IC-specific VPN Devices.]
IC completes installation of VPN clients on wireless user devices.
VPN required.
Security enforced on On-Ramp router.

Page 22

Wireless Authentication Overview
[Diagram: Wireless Client (NIH) and Wireless Client (Guest) connect through an AP and the On-Ramp Router; IC Network with IC VPN Concentrator; NIH Network with the B12 WLAN VPN Concentrator and B45 WLAN VPN Concentrator (B12 VPN, B45 VPN); Wireless DMZ with Wireless Gateways, DHCP Server and GRE Tunnels to the Internet; Radius and Active Directory. Steps are numbered 1a to 4a on one path and 1b to 4b on the other.]

Page 23

Wireless Client Setup

Insert the Cisco wireless client adapter

Click Cancel

Page 24

Wireless Client Setup

Cisco Aironet Desktop Utility (ADU)

Double click to start the installation

Page 25

ADU and Driver Installation

Click Next

Click Next

Page 26

ADU and Driver Installation

Click Yes

Click Next

Click Next

Page 27

ADU and Driver Installation

Click Next

Click Next

Page 28

ADU and Driver Installation

Click OK

Click OK to reboot

Page 29

ADU Configuration

Double Click ADU Icon

Select Profile Management

Select Default and click Modify

Page 30

ADU Configuration

Rename the Profile Name (Ex: NIH WLAN)
SSID1: Enter the NIH SSID
SSID2: Enter the NIH Guest SSID
Select the Security tab
Select Pre-Shared Key (Static WEP)
Click Configure

Page 31

ADU Configuration

WEP 1: Enter the NIH Static WEP Key
WEP Key Size: select 128
Click OK to return to the Profile Management window
Select the Advanced tab

Page 32

ADU Configuration

Click OK to return to the Profile Management window
Uncheck 5 GHz 54 Mbps

Page 33

ADU Configuration

Select the Current Status tab
Verify the Wireless Connection
Congratulations! ADU Installation and Configuration have been completed.

Page 34

Wireless VPN Setup

New VPN Client (ver. 4.8)

Double Click Icon to begin Installation.

NOTE: This will install the configuration for Remote Access VPN as well as Wireless VPN. (not shown)

Page 35

VPN Client Install

Click Unzip to place the Installation Files in a Folder.

The extraction process will look like this.

Then

Page 36

VPN Client Install

Open the Directory for the Client Installation Files and then Click the Setup Icon (circled).

Page 37

VPN Client Install

MSI or InstallShield installation process will begin.

Page 38

VPN Client Install

If this is a new Client Install, Skip Two Slides.

Otherwise, You will see the following message:

Click Yes

Page 39

VPN Client Install

When you receive the restart request from the Installer, please Click Finish and allow computer restart.

If you do not, when you try to install the client later, you’ll receive an error.

Page 40

VPN Client Install

Click Next and/or Yes where the MSI Installer Wizard asks you for input.

Install should progress to dialog showing install in progress.

If you uninstalled a previous client and rebooted, after re-boot the Installer continues as shown below.

If you didn’t have to uninstall a previous client, the Installer continues as below.

Page 41

VPN Client Install

Click Finish to restart the Computer and complete Install.

Page 42

VPN Client Install

After computer has been restarted per previous instructions:

Click Start menu to find VPN Client and Click it to start VPN Client.

Page 43

Wireless VPN Setup

There are no other steps!!

Page 44

Wireless VPN Setup

Caveat #1: The newest version of the VPN client is an MSI Installer. This MSI client is not designed to replace older clients installed previously using the InstallShield Wizard. If you used the Windows InstallShield installer to install your old VPN Client, you’ll need to UNINSTALL the old VPN Client first before installing the new 4.8x VPN Client. (We are finding that we have to use an older client on some new XP Machines. We are still gathering information to present to Cisco.) The new MSI client will be supported by Cisco on an on-going basis. The InstallShield client will not. The MSI client will do future updates without rebooting the user’s PC. If you are not sure, uninstall the old VPN before trying this install.

Caveat #2: This product is designed to be used with all versions of Windows; however, we have encountered problems with and do not support the Cisco VPN client on XP Home edition.

Page 45

Wireless VPN Connection

Highlight Wireless VPN and then Click Connect.

Page 46

Wireless VPN Connection

Enter Active Directory (NT Logon)

<Domain>\<Username> and <Password> in form shown above.

(The slash mark MUST be entered in the \ direction.)

Click OK.

Page 47

Wireless VPN Connection

Click Continue and you are now connected to Wireless VPN!!

The Client will confirm your credentials.

Page 48

Wireless VPN Connection

A VPN Client Lock symbol should appear in the System Tray symbolizing that you are indeed connected to NIHnet via VPN.

If you right-click on it, you can click Statistics to view your connection statistics.

Page 49

Wireless VPN Connection

To cause the VPN Client to reappear while connected, double-click the VPN Lock icon in the system tray.