Mobile Computing and Security Authenticated Network Access (ANA) Jon Peters Associate Director Dave Packham Manager of Network Engineering NetCom University of Utah Copyright David Packham and Jon Peters, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Dec 22, 2015

Transcript
Page 1: Mobile Computing and Security Authenticated Network Access (ANA) Jon Peters Associate Director Dave Packham Manager of Network Engineering NetCom University.

Mobile Computing and Security: Authenticated Network Access (ANA)

Jon Peters, Associate Director

Dave Packham, Manager of Network Engineering

NetCom, University of Utah

Copyright David Packham and Jon Peters, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2

Background

• University of Utah, located in Salt Lake City

• Department of Network & Communication Services (NetCom) responsible for campus network backbone, phone service, security, email, help desk, phone operators

• Hosting the 2002 Winter Olympic opening and closing ceremonies, and the athletes’ residence village

Page 3

Purpose of Presentation

• Authentication through a firewall.

• Authenticated network access (ANA).

Page 4

Driving Need

Page 5

Driving Need

[Diagram: Fort Douglas Student Village Data Network. A Cisco LS1010 ATM switch with OC-3c/OC-12c links and a Gigabit backbone feeds Cisco 6509 building aggregation switches; 1000bFX links run from the building aggregation/access switch to the building switches at Ballfield #1–#6, Conner Road #1–#3, Guest House #1, Eleven Acres #1–#5, Village Center #1–#2 and Upper Chapel #1–#3 (between 48 and 286 10bT ports each, 3,036 10bT ports in total), with Access and Authorization Services at the Fort Douglas Student Village Distribution Node.]

Page 6

Driving Need

Page 7

Driving Need

Page 8

Design Requirements

• Security

• Performance

• Scaling

• Cost

• Global authentication database model

• Minimum client side configuration

• Multi-platform support

Page 9

Authentication through a firewall

[Diagram labels: laptop computer, Ethernet, firewall, router (R), DHCP, WWW/DNS, LDAP server.]

Page 10

Authentication through a firewall

• Security

• Performance

• Scaling

• Cost

Page 11

Authenticated Network Access (ANA) Components

• (2) redundant HSRP routers capable of supporting multiple interfaces or virtual sub-interfaces, with the ability to associate a user-supplied MAC address with each interface.

• (2) redundant DHCP servers with (2) network interface cards each.

• (2) redundant LDAP servers with (2) network interface cards each.

• (2) redundant WWW/DNS servers with (2) network interface cards each.

• (2) redundant VLAN policy servers with (2) network interface cards each.

• Fully switched network capable of spanning certain VLANs throughout the mobile computing area.

Page 12

ANA

[Diagram: an ANA private network containing DHCP-1, DHCP-2, WWW/DNS, LDAP and VMPS servers behind the ANA login switch/router; a laptop computer connects through the campus switch/router to the Internet/Intranet and the campus DNS. Two port labels read 155.101.29.100.10.f6.05.b1.00 (an IP address/MAC address label, as extracted).]

Page 13

ANA Process

• Initial connection

• Authentication to network

• Continuance of lease

• Link down or release of IP address

Page 14

ANA Client

ANA Client connects to ANA controlled Cisco switch

ANA Controlled Switch

Page 15

ANA Controlled Switch and Cisco VPS1100

To which VLAN should this port belong?

Page 16

ANA Controlled Switch and Cisco VPS1100

Place port in default VLAN for VTP domain.

Page 17

ANA Client

ANA v3 (ProLiant 1850R server)

Client requests and receives a DHCP address

Page 18

ANA Client

Client requests authentication page by launching a browser

Page 19

ANA v3 (ProLiant 1850R server) and Cisco VPS1100

ANA v3 commands the VPS server to place the switch port into a new VLAN

Page 20

ANA Controlled Switch and Cisco VPS1100

VPS server places the switch port into the VLAN assigned to the port via ANA v3

Page 21

ANA Client

Client has full access to open network
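The ANA process shown on slides 13 to 21 (port starts in the default VLAN, DHCP lease, browser login, VLAN policy server moves the port, port reverts when the lease lapses or the link goes down) as an added Python example written for this page; it is not the ANA v3 code. The VLAN names, the user directory standing in for LDAP, the lease length and the MAC addresses are constructed.

```python
import hmac
from dataclasses import dataclass
DEFAULT_VLAN = "ana-login"   # assumed name for the VTP domain's default VLAN (slide 16)
LEASE_SECONDS = 3600         # assumed DHCP lease length
# Constructed stand-in for the LDAP directory: user -> (password, VLAN granted after login)
DIRECTORY = {"alice": ("correct-horse", "students"), "bob": ("battery-staple", "staff")}

@dataclass
class Port:
    mac: str                     # a switch port, identified by the client MAC it learned
    vlan: str = DEFAULT_VLAN
    user: str = ""
    lease_expires: float = 0.0

class AnaPolicyServer:
    """DHCP, login page and VLAN policy server (VMPS) roles of the ANA process, combined."""
    def __init__(self):
        self.ports = {}
        self.log = []            # every VLAN change is recorded: (mac, user, vlan, reason)

    def vmps_query(self, mac):   # switch asks: to which VLAN should this port belong?
        return self.ports.setdefault(mac, Port(mac)).vlan   # unknown MAC -> default VLAN

    def dhcp_lease(self, mac, now):   # initial DHCP request or a renewal (lease continuance)
        port = self.ports.setdefault(mac, Port(mac))
        if port.lease_expires and port.lease_expires < now:
            self._revert(port, "lease expired")   # lapsed lease: drop back before re-leasing
        port.lease_expires = now + LEASE_SECONDS
        return port.vlan

    def login(self, mac, user, password, now):   # browser login checked against the directory
        port = self.ports.get(mac)
        if port is None or port.lease_expires < now:
            return False         # no live lease on this port: nothing to authorise
        entry = DIRECTORY.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        port.user, port.vlan = user, entry[1]   # ANA tells the VLAN policy server to move the port
        self.log.append((mac, user, port.vlan, "login"))
        return True

    def link_down(self, mac):   # link down or release of the IP address
        port = self.ports.get(mac)
        if port is not None:
            self._revert(port, "link down")

    def _revert(self, port, reason):   # the port returns to the default VLAN
        self.log.append((port.mac, port.user, DEFAULT_VLAN, reason))
        port.vlan, port.user, port.lease_expires = DEFAULT_VLAN, "", 0.0
```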

Page 22

ANA

• Security – switched, logged, VPN usable

• Performance - < 30k

• Scaling – 50,000 S/F/S. +- 5000/day

• Cost – Log linear

• Global authentication, NID, LDAP, modular

• Minimum client side configuration – NONE!

• Multi-platform support – Linux/PDA/Mac

Page 23

Daily Graphs

Page 24

Long Term Graphs

Page 25

Summary of Activity

• Average Number of Visits per Day on Weekdays: 468

• Average Number of Hits per Day on Weekdays: 32,956

• Average Number of Visits per Weekend: 1,009

• Average Number of Hits per Weekend: 49,250

• Most Active Day of the Week: Wed

• Least Active Day of the Week: Mon

• Most Active Date: October 01, 2000

• Number of Hits on Most Active Date: 58,379

• Least Active Date: September 20, 2000

• Number of Hits on Least Active Date: 5,624

• Most Active Hour of the Day: 18:00-18:59

• Least Active Hour of the Day: 06:00-06:59

Page 26

Current Development Plan

• Addition of wireless networks and other devices.

• Addition of remote access users through VPN’s.

• Bandwidth and usage notifications.

• Post login licensed software download.

Page 27

Email Address: [email protected]

Server: http://www.netcom.utah.edu/ana

Current Development Team: Dave Packham, Steve Scott, Justin Kim, Andrew Reich, Mindy Sartor

Past Team Members: John Storm, Kyle Mallory, Alexander Quilter