Jan 08 2009

Outrageous Convenience and Security

Balancing wireless security with ease of access at the University of Pittsburgh

Before the rollout of campuswide wireless service began in 2006, a University of Pittsburgh student remarked in a focus group that not only should the university offer wireless in all its buildings, but that wireless should be “outrageously convenient.” By this, of course, the student meant that the service should be available anywhere on campus, at any time, with no-hassle connections using any wireless device. The request came as no surprise: Pitt students were already accustomed to outrageously convenient wired access in residence halls and in the many central computing services on campus.

The simplest way to achieve wireless convenience is to allow open access to wireless services, a path chosen by other schools. Open wireless access to the Internet might be an option but would require restricting access to many of the applications and services available to wired network users on campus. Security is at the forefront of our planning efforts; Pitt students and faculty acknowledged the need for wireless network authentication, but faculty stressed the need for a system that would allow guest users, such as visiting and adjunct faculty, to have limited access to the Internet.

Wireless authentication itself was no significant challenge. Several years before, we had successfully implemented 802.1X authentication for the wired network in our residence halls. Our existing 802.1X authentication was integrated with our identity management system and could easily be extended to wireless.

Providing guest wireless access posed special challenges. By definition, it would give users without formal university roles access to university network resources. In other words, we were providing the most secure wireless solution that technology could afford to our known users and then deliberately violating that security by allowing nonaffiliated users access to the same system.

The Solution

The solution was to operate two completely separate wireless networks over the same hardware. We installed wireless controllers and more than 2,000 access points in about 100 buildings on our main Pittsburgh campus. We broadcast one service set identifier — Pitt-Wireless — for the authenticated users and a separate SSID, Guest-Wireless, for guest users. We manage Guest-Wireless connections through a captive portal that allows guest users access to the Internet for web browsing and personal e-mail only. By doing so, we preserve security for university users while extending courtesy service to visitors.
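The guest side of that split, as an added example that is not Pitt's own configuration: a small Python model of the egress policy a captive-portal network enforces so that Guest-Wireless clients reach the Internet for web and mail only and never the campus network itself. The campus address ranges, the portal and resolver addresses, and the port list are assumptions, not values from the article.

```python
import ipaddress
from dataclasses import dataclass

# All addresses and ports below are constructed assumptions for illustration;
# the article names none of Pitt's actual ranges or infrastructure hosts.
CAMPUS_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The two campus hosts a guest must still reach: the captive portal and the
# resolver it hands out. Everything else inside the campus ranges is off limits.
GUEST_INFRA = {("10.255.0.1", "tcp", 80), ("10.255.0.1", "tcp", 443),
               ("10.255.0.53", "udp", 53)}
# "Web browsing and personal e-mail only": HTTP/S plus client mail protocols.
ALLOWED_TCP = {80, 443, 993, 995, 465, 587}   # IMAPS, POP3S, SMTPS, submission
ALLOWED_UDP = {53}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def guest_egress_decision(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow leaving the Guest-Wireless SSID."""
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1: pinholes for the portal and resolver, matched on host AND port.
    if (flow.dst, flow.proto, flow.dport) in GUEST_INFRA:
        return "allow"
    # Rule 2: nothing else on campus, and no guest-to-guest traffic either.
    if any(dst in net for net in CAMPUS_NETS) or dst.is_loopback \
            or dst.is_link_local or dst.is_multicast:
        return "deny"
    # Rule 3: Internet egress limited to the web and mail-client ports.
    if flow.proto == "tcp" and flow.dport in ALLOWED_TCP:
        return "allow"
    if flow.proto == "udp" and flow.dport in ALLOWED_UDP:
        return "allow"
    return "deny"  # default deny: SSH, SMB, plain SMTP relay, etc.

def evaluate(flows):
    """Apply the policy to a batch of flows; useful for checking a rule set."""
    return [(f, guest_egress_decision(f)) for f in flows]

if __name__ == "__main__":
    guest = "172.31.4.10"  # constructed guest client on the Guest-Wireless VLAN
    sample = [Flow(guest, "203.0.113.5", "tcp", 443),   # public web site
              Flow(guest, "203.0.113.9", "tcp", 993),   # personal IMAPS
              Flow(guest, "10.255.0.53", "udp", 53),    # guest resolver
              Flow(guest, "10.5.1.20", "tcp", 443),     # internal campus app
              Flow(guest, "203.0.113.5", "tcp", 22),    # SSH to the Internet
              Flow(guest, "172.31.4.11", "tcp", 445)]   # another guest's SMB
    for f, verdict in evaluate(sample):
        print(f"{f.proto}/{f.dport} -> {f.dst}: {verdict}")
```

On a real controller or firewall the same three rule groups would be expressed in the vendor's ACL syntax, with the captive portal redirect applied before Rule 3 for clients that have not yet registered.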

Our willingness to offer network access to guests does not mean that we provide open wireless Internet access to everyone. We require guest users to register and identify an affiliated sponsor. As an urban campus that overlaps the campuses of other schools, along with hospitals and residential areas, our capacity would be quickly overwhelmed by unsponsored guest users if we provided open guest access.

Why all the trouble about providing guest access? Why provide it at all? Colleges and universities by nature are centers for collaboration and the free exchange of information. Adjunct faculty, volunteers, visiting scholars and others without formal university affiliation come to the university to teach, conduct research or participate in meetings and conferences, and they need convenient Internet access. Our guest wireless service allows us to provide these important visitors with a tangible level of support.

Pitt, like most universities, has both long-term and short-term guests. Our accounts management system already provides for long-term guests by allowing regular faculty or staff members to sponsor guest computing accounts. Unlike accounts for students, faculty and staff (known as primary accounts), sponsored accounts must be renewed at the start of every fiscal year to ensure that only active accounts remain open. Sponsored accounts are given access to the Pitt-Wireless, or full-service, wireless network.

Guest wireless accounts are created for people visiting the university for a period of up to 30 days. Convenience is the key: An individual guest user can submit a request for a guest account, or a faculty or staff member can request the account for them. For conferences or large groups, the sponsor can submit bulk guest wireless account requests. After the sponsor is verified, the user receives an e-mail with information on how to log in, change the temporary password and connect to the Internet through the captive portal interface.

Convenience, ease of use and guest access were the main features requested by our students and faculty. From an IT perspective, the goal has been to provide an enterprise-class service throughout the university that is secure, but not so secure that the service becomes difficult to use. We believe we have accomplished all of these objectives and more.