Wireless network migration plans

This is a status report on the planned upgrade to the wireless network, and a request for testing and feedback on the migration strategy.

The original plan was that the new wireless system would offer all of the networks that the old one did, with the addition of Eduroam. We also hope to provide a new internal wireless network with good security (WPA2-Enterprise). This would allow a seamless transition to the new hardware. In due course, and with appropriate notice, the old w-107-CB2-3QG network, which is hopelessly insecure, would be phased out.

Unfortunately there is a snag. A bug has been found in the Aruba system which means that adding the legacy w-107-CB2-3QG network with WEP encryption breaks Eduroam. The bug will in due course be fixed, but there is no short-term workaround. We therefore wish to explore the idea of eliminating the use of WEP sooner rather than later.

To this end, our sample Aruba access points are now offering a network imaginatively called w-107-CB3-0FD, which uses WPA2-PSK encryption (sometimes called WPA2-Personal). The password has been derived from the key of the old w-107-CB2-3QG network by doubling it, i.e. 10 characters in total. (If you have forgotten the old key, please ask a Computer Officer in person.)

I would like users of the w-107-CB2-3QG network to consider the impact of the proposal on their use of the wireless network.

The preferred option will be to switch to Eduroam, following the documentation issued by the Computing Service. However, this will place your machine outside the CL security boundary, so it may not meet all needs.

The second option is to switch to w-107-CB3-0FD. This should be entirely straightforward for reasonably recent systems, though some older machines may well be unable to use WPA2. It will provide exactly the same connectivity as w-107-CB2-3QG did. However, people who take this route should be aware that there is still a long-term desire to phase out this network, as any system using a single key known to a large number of people is risky.

Older machines which cannot handle the stronger security and cannot have hardware or software upgraded to do so will have to fall back to the wgb network. This is not really recommended for internal use; it is primarily provided for the benefit of casual visitors and uses the public Internet over an ADSL line. There is also a risk that legislation or regulation may force us to withdraw this facility.

The provision of a new “internal” wireless network is awaiting development work by the Computing Service. The idea is that the network will be authenticated in exactly the same way as Eduroam, but will be restricted to members of the Computer Laboratory and will provide direct connectivity with an internal network. Unlike Eduroam, it will probably require registration of the machine for DHCP.

One of the new access points is currently providing coverage to the “Street” area, and I would therefore like to invite users of the w-107-CB2-3QG network to try out migration to either Eduroam or w-107-CB3-0FD. Obviously you should leave the old network configured as well for the time being, so that you do not lose wireless access in other parts of the building. Please report your experiences directly to maj1@cl.cam.ac.uk, especially if you expect to be adversely affected by the removal of w-107-CB2-3QG.
