How UPenn tackled wireless LAN access for 46,000 BYOD clients

To handle 46,000 clients and 20,000 concurrent connections, UPenn had to automate wireless LAN access provisioning, but that was only a first step.

In part 1 of this series on automated provisioning of Wireless LAN access for BYOD, we examined how to integrate WLAN features with mobile device management tools. In part 2, we see how the University of Pennsylvania tackled automated WLAN access for BYOD.

Large universities are forced to be on the bleeding edge of wireless LAN access for BYOD -- at least 25% of their BYOD population changes each fall with the arrival of freshmen carrying the latest Wi-Fi-enabled consumer devices. To support tens of thousands of ever-changing devices, university IT shops must be able to scale both their WLANs and their ability to provision access.

The University of Pennsylvania started by building a WLAN that was large enough to handle 46,000 devices and could support 802.1X authentication. The university's WLAN comprises 3,500 Aruba AP135 access points and 13 M3 WLAN controllers to deliver pervasive campus Wi-Fi.

"We support about 20,000 concurrent connections to one big enterprise 802.1X-authenticated SSID," said Colleen Szymanik, senior network engineer. "We take the position that if you are who you say you are, then once you're authenticated, you should have access to all of our network services. On the back end, we use Kerberos authentication and EAP-TTLS with PAP."

But manually configuring 802.1X/EAP-TTLS settings on this scale is unthinkable. "We’ve been doing this for about six years now, so we had to come up with our own onboarding solution," Szymanik explained.

New clients connect to a provisioning SSID that leads them to a CloudPath XpressConnect server, where they are auto-provisioned with Wi-Fi profiles containing EAP-TTLS settings and associated credentials.
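One way an onboarding server could render and sanity-check the profile it pushes, as an added example that is not UPenn's or CloudPath's code; the SSID, credentials, CA path and RADIUS server name are constructed placeholders. With TTLS the inner PAP exchange is protected only by the outer TLS tunnel, so the profile must pin the CA and the server name before it is handed to a client.

```python
# Render and sanity-check an EAP-TTLS/PAP Wi-Fi profile in wpa_supplicant
# format, as an onboarding server might push to a new client.
# Added example; all values below are constructed, not UPenn's.

SAMPLE = {
    "ssid": "Campus-8021X",                    # constructed SSID
    "identity": "student@example.edu",         # constructed username
    "anonymous_identity": "anonymous@example.edu",  # constructed outer identity
    "password": "s3cret",                      # constructed password
    "ca_cert": "/etc/ssl/certs/campus-ca.pem", # constructed CA bundle path
    "server_name": "radius.example.edu",       # constructed RADIUS server name
}

# Without both of these the client cannot tell the campus RADIUS server
# from any other access point that advertises the same SSID.
REQUIRED_FOR_TTLS = ("ca_cert", "server_name")


def check_profile(p):
    """Return a list of problems; an empty list means the profile may be pushed."""
    problems = [f"missing {k}" for k in REQUIRED_FOR_TTLS if not p.get(k)]
    if not p.get("ssid"):
        problems.append("missing ssid")
    return problems


def render_wpa_supplicant(p):
    """Render a wpa_supplicant network block, refusing any unvalidated profile."""
    problems = check_profile(p)
    if problems:
        raise ValueError("refusing to render profile: " + ", ".join(problems))
    return "\n".join([
        "network={",
        f'    ssid="{p["ssid"]}"',
        "    key_mgmt=WPA-EAP",
        "    eap=TTLS",
        # The outer identity is sent in the clear; keep the real username inside the tunnel.
        f'    anonymous_identity="{p["anonymous_identity"]}"',
        f'    identity="{p["identity"]}"',
        f'    password="{p["password"]}"',
        f'    ca_cert="{p["ca_cert"]}"',
        # Accept only a server certificate whose DNS name matches this suffix.
        f'    domain_suffix_match="{p["server_name"]}"',
        '    phase2="auth=PAP"',
        "}",
    ])


if __name__ == "__main__":
    print(render_wpa_supplicant(SAMPLE))
```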

Yet even with 802.1X authentication and onboarding tools, some personal devices don't meet minimum WLAN access criteria and are therefore blocked. "Our students consider their dorm rooms to be their homes; they want to use products that can't support 802.1X," said Szymanik. "We tell students to connect those products to Ethernet. For example, you can only use Wii on campus where you have access to Ethernet. We also don't allow consumer products that use 1-2 Mbps data rates, regardless of whether 802.1X is supported."

Once configured and connected, Aruba's fingerprinting features are used to keep tabs on the types of devices using Penn's campus WLAN. "We're currently testing Aruba's ClearPass Policy Manager and AirGroup as a way to support Apple TVs," said Szymanik. AirGroup identifies each Wi-Fi client’s role and location, using that info to make Apple's AirPrint and AirPlay available over an enterprise WLAN where broadcast traffic that enables plug-and-play device discovery is usually blocked.

WLAN onboarding is important, but it's only a first step toward achieving scalability. Penn is now upgrading to Aruba's new 7200 controller to satisfy the student body's growing hunger for bandwidth. Along with greater capacity, the 7200 supports Aruba's new AppRF, enabling granular per-application visibility and control. For example, AppRF can recognize encrypted VoIP and improve call quality without degrading Netflix streaming, Box downloads, or other high-bandwidth traffic that BYOD users of a large university WLAN might consider essential.

About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices.

This was last published in January 2013
