Tb2323 cavalcanti new

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Carlos Meza, HP Networking Group, Americas Product ManagerJessian Ferreira-Cavalcanti, Network Analyst, Unesp - Sao Paulo State University

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2

With centralized authentication

Multi-campus Wi-Fi network

Carlos Meza

Jessian Ferreira-Cavalcanti

June 2012


“Unesp along with USP and Unicamp offers free public higher education in Sao Paulo State.”

http://www.unesp.br/eng/conteudo.php?conteudo=1419

Photo: Gustavo Brognarawww.orquestra.ia.unesp.br


Agenda

1. Background2. Challenges3. Solution4. Deployment5. Results6. Next steps7. Questions ! answers ?


Background

Photo: piratininga.org


Univ Estadual Paulista background

• Public university of Sao Paulo state, Brazil

• Founded in 1976• Present in over 23 cities and 34

schools• Set of 14 institutes inspired in

University of California multi-campus system

• Sao Paulo state is about the size of Nevada

• Total annual budget: US $1 billion


Univ Estadual Paulista network

• 40 WAN nodes• 9k VoIP extensions• IPv6 already working• 58k users: staff, students and professors• More than 25 separate wireless

infrastructures• 600 access points and home wireless

routers• Different vendors: D-Link, Cisco,

Enterasys, etc.• Local management• Mobility wasn´t quite comfortable• 2008: first wireless project

unespNET map


Challenges

Photo: Felipe Borgeshttp://www.flickr.com/photos/flborges/6693115587/


Technical and community requirements

Technical• Unify wireless and wired network

management• Improve security• Evaluate the size of wireless demand• Get remote IT staff involved on

implementation

Community• Mobility for users in multi-campus

activity• Easiest possible authentication method• Bring your own device: many different

kinds to be connected• Guest users

Will it be hard to configure?

I don´t know my user and password, how can I get it ?


Complexity of parallel projects

• New wired network project - HP Networking core and access devices

• IT staff reorganization project - IT high committee "CSTI" • Internal technical discussions - “wireless network forum"• Meetings with 4 vendors: HP, D-Link, Cisco and Siemens• 3 PoCs for wireless infrastructure• Funding from research support agency - FAPESP How about

compatibility with the wired infrastructure?


Identifying a solution meeting all requirements• Wireless infrastructure prerequisites• Definition of management and security templates for wireless access• Choose of central access controller model • Wired network project was also an important driver• Same brand of new core and access switches: faster learning curve• Competitive price• But...• Required compatibility with existent enterprise portal authentication• Change on management culture of IT staff on remote sites

I like faster learning curve !


Solution

Photo: www.ricardomilani.com.br


HP solution achieved wireless requirementsHardwareScalability and redundancy• HP 7506 switch• HP 7500 access controller module: 640

APs• HP WA2610E-AGN access point• HP Proliant DL380 G6• VMware ESXi for background servers: user

accounts, authentication, syslog and DHCP

SoftwareFocus on network access • Ongoing tests with IMC user access

Management and WLAN management modules

• Enterprise Portal written in Java language

• LDAP entries: online feed of data from corporate database authentication system

• FreeRADIUS authentication server23 dBm of transmit power for indoor AP !


Separate VLAN IDs for different client profilesCommunity access SSIDSecurity• WPA2/AES with PEAP• State-of-the-art authentication method• Corporate login and password

Guest access SSIDEase of configuration • WPA/TKIP with pre-shared key• Authentication security: HTTPS portal • Used also in initial steps of configuration

for community access SSID


Pilot

DARK FIBER

RADIUS 1

RADIUS 2


Deployment

Photo: www.agr.feis.unesp.br/irrigacao.php


Planning for deployment

Site survey• HP channel helped on site-survey tips• IT staff of remote sites had a main role• SSID for site survey • First access controller• 3 access points per remote site• Test of centralized authentication

Pilot project• HP Engineering team support• Unesp administrative building and Inst.

of Arts• 41 access points• SSID with local forwarding on specific

VLAN


Solution deployment

Final project• HP channel participation• Phase 1: 220 access points installed• Phase 2: 460 to install• More 520 to arrive in next quarter• Total: 1200 access points• 3 access controllers scalable up to 1920

APs• RADIUS redundancy on the AC• Maximum of 60k clients

Management• One time setup• VLAN local forwarding• Two SSIDs• Access point registration• Local staff: DHCP configuration and VLAN• No more management, just monitoring• Driving the change of culture:

AP easy installation, let´s take a look (video)

Really? We don´t need to enter the AP interface?

You mean all the university people??


Access point and SSID configuration

Vlan 3333Interface GigabitEthernet1/0/1Port link-type trunkPort trunk permit vlan 1 3333

Wlan service-template 1000 cryptoSsid communityBind WLAN-ESS 1000Cipher-suite ccmpSecurity-ie rsnGtk-rekey client-offline enableClient forwarding-mode local vlan 3333Service-template enable


Access point registration & DHCP configurationWlan ap campus01 model WA2610E-AGNMap-configuration ap2610.cfg serial-id 210235A42LB000000AAA radio 1 service-template 1000 radio enable

# DHCP confhost AP-library-1 { hardware ethernet 00:23:89:aa:aa:a0; fixed-address A.A.A.A; option option-43 80:0b:00:00:02:0f:0f:ff:01:0f:0f:ff:02;}


Results

Photo: www.agr.feis.unesp.br/irrigacao.php


Investment

WiredTotal number of switch ports: 43k Used: 32k (half of the community)US $2,000/switchCat 6a cabling: US $150/portInvestment: US $233/portTotal: US $9,360,000

WirelessTotal number of APs: 1200Connections available: 60k (scalable)US $689/APUS $23,000/controller (+1 upgrade)Investment: US $15/connectionTotal: US $900,000


Network is changing smoothly

Easier management model68 administrators for 34 schools Now only 8 admins on the core

Central controllers fit centralized authenticationPeople feel stronger corporative spirit


Next Steps

Photo: Thiago A. Pradohttps://ssl.panoramio.com/photo/248405


Continuing to improve mobility services

Increase number of APs and available connectionsWireless VoIPLDAP redundancyGlobal education SSID: eduroam


Q&A


Thank you

[email protected]


Back-up slides

Technology

Tb2323 cavalcanti new