Olivet Nazarene University Scales, Secures Massive Wireless Environment with Aruba

The IT department at Olivet Nazarene University (ONU) faced complicated challenges within their existing wireless LAN (WLAN) system. The university had already installed some first generation access points (APs) and devices in a few of the buildings on campus, but soon realized that the system just wasn’t going to scale very well as the service was rolled out to more and more users, including faculty, staff, students and guests. The main factors that drove ONU to look for a new WLAN solution centered around scalability, security and centralized management.

“Trying to manage individual (fat) AP’s including firmware upgrades, channel assignments, and power levels, just to name a few, was going to be a daunting challenge that nobody on the ONU IT staff was looking forward to supporting,” said Dennis Seymour, Director of Information Technology at Olivet Nazarene University.

The University has over 70 separate buildings on campus including residence halls, academic centers, libraries and administration offices and has plans to add additional buildings in the near future. With that said, a system that could be centrally managed, allowed for multiple security and authentication methods and could easily be expanded was what the university was looking for.

Another obstacle that ONU had to address was that as a private university, approximately 75 percent of the computer systems that will be using the WLAN are not directly owned or controlled by the university, so the new WLAN had to provide a secure, but easily adoptable system for all student and guest users and the wide variety of computer system these students bring on campus. Seymour went on to state, “It doesn’t make much sense to spend a quarter of a million dollars or more on a system if no one wants to use it because it is too complicated to use and support.”

After evaluating several systems in house, ONU chose a next generation WLAN switching system from Aruba. “The Aruba system has all the features we were looking for and at a price we could afford.” The college already had an existing wired network core, which is made up primarily of layer 3 switches from Enterasys Networks. This made the Aruba Wi-Fi switching platform ideal for ONU because it was specifically designed to automatically connect 802.11a/b/g access points via GRE tunnels over any IP wired network with no physical or logical re-configuration.

The Aruba system can also be configured as a layer 2 overlay to any existing Ethernet network, simplifying deployment by riding on top of the existing network infrastructure.

The heart of the Aruba system at ONU consists of an Aruba 800 switch configured in “master” mode where all configuration and security parameters are managed for the entire wireless network. Four Aruba 5000 switches are configured in “local” mode acting as policy enforcement points, providing the horsepower behind the system. A fifth Aruba 5000 switch is configured as a local backup for any of the other Aruba 5000 switches. This level of redundancy is provided via standards based Virtual Router Redundancy Protocol (VRRP), further demonstrating Aruba’s support of standards based protocols. At the edge, ONU deployed over 400 Aruba AP-52 dual purpose 802.11a + b/g “thin” APs. For ONU, the thin AP model was determined to be more secure, scalable and easier to deploy. Aruba thin APs retain no configuration information and all encryption is performed at one location, the Aruba WLAN switch. The second benefit was the ability for ONU to easily install and centrally manage hundreds of APs from a single point.

On the client side, several authentication methods are utilized including 802.1x and Aruba Captive Web Portal. When students and guests launch a Web browser, they are redirected to a captive portal page that forces the user to provide proper user credentials. These credentials are then used for authentication by a backend RADIUS server. Upon successful authentication, the user is presented with the option of downloading the Aruba VPN dialer. The Aruba VPN dialer totally automates the process of setting up a VPN session on the client machine while providing users strong layer 3 IPsec encryption.

Staff member laptops are configured to use 802.1x as the authentication method which also uses a backend RADIUS server to validate the user name and password. Once these users are successfully authenticated, a unique dynamically rotating WEP key is automatically assigned to that client’s machine providing secure encryption.

The Aruba system software, ArubaOS, allows the support staff to dynamically create security rules based upon individual users or groups of users - granting them permission to systems, protocols or destinations appropriate for their given role in the wireless domain. The entire wireless system is managed from a single point in the network and includes advanced features such as auto Radio Frequency (RF) calibration (including channel assignment and AP power level adjustments) and user mobility tracking. This feature is especially important for any organization moving towards Wireless VoIP phones where E911 locator service is critical.