Local Area Wireless Network
a research project of
Laboratory for Computer Science Research
Department of Computer Science

Typical Wireless Questions
by Hanz Makmur

  • New student already configured for wireless
  • Wirelessly connecting to a remote site securely
  • Workshops and Conferences
  • Collaborating between distinct organizations that are physically close
  • Abuse of Services
  • Network Attack Monitoring
  • File Sharing ala Napster
  • Bandwidth control
  • Running a server on a wireless device
  • Usage Monitoring
  • Access requiring different authentication services.
  • Services provided to guests - Identifying Guest Users

    New student already configured for wireless

    A student arrives with an 802.11b-equipped notebook he has used in high school and at home. An undergraduate account is established at RU and the student requests wireless access to this account. The student's laptop has a wireless client that supports his home usage - it must be maintained. What is required to provide access to his undergraduate accounts using DCIS's LAWN?

    No additional software or setup is required. This student runs a browser and an RU login window is presented. The student selects his or her status and authenticates.

    Wirelessly connecting to a remote site securely

    An IBM researcher collaborating with a Rutgers professor visits one day a week. The visitor needs to access his RU email, his IBM email, and servers behind IBM's firewall. IBM supports connections to inside its firewall using their own VPN and the visitor's laptop is already set up for this connection. What is required to provide access to this researcher using DCIS's LAWN?

    No special action is required. No additional software or setup is required. A login window will be presented to the visitor - he can log in by authenticating against either RU or IBM (assuming IBM is a trusted authentication server). The visitor selects his or her status and authenticates. To get access to IBM mail and internal servers, the visitor runs the IBM VPN client already installed on his notebook.

    Workshops and Conferences

    Centers often run workshops whose participants come from numerous other universities and corporations. There will be many participants with wireless-equipped notebooks who have no account at Rutgers but do have accounts at their respective universities or corporations. The participants would like to be able to access their email, browse the Internet, and connect back to their office using the environment already on their laptop. What needs to be done to enable these people to gain access to the wireless network?

    If the attending members belong to organizations that already have established trust relationships with RU, nothing needs to be done - if the trusted organization will "vouch" for the user, RU will accept this. If there is no established trust relationship, one needs to be established. IT managers of the respective organizations need to be contacted and information exchanged. If a trust relationship is not desired, a cover-all guest account can be established and each visitor given access. Though possible, the latter alternative is undesirable since it establishes unwanted distance between Rutgers and those collaborating with us. By setting up trust relationships between RU and collaborators, the community is extended and all benefit.

    Adding a trust relationship requires one line in a configuration file per trusted authentication server added. This is independent of the number of people who will authenticate against this server.

    Collaborating between distinct organizations that are physically close

    New Jersey Institute of Technology (NJIT), Rutgers University, and University of Medicine and Dentistry of New Jersey (UMDNJ) would like to set up authenticated wireless systems, which will allow their users to access their respective data using any of their peer institutions' wireless networks. Because of the close proximity of the organizations, users would like to use the wireless network and roam between buildings without re-authentication. These organizations do not share lists of students and staff and use different authentication services. What steps are required to make this seamless roaming and network collaboration possible?

    Each participant must include in their trusted authentication server list the servers at their peer institutions and the authentication protocols to be used. Once this is set up all users at all participating institutions will have the desired access - no one will need a guest account. In this example each participant would need only to add two lines to the configuration file.

    Abuse of Services

    A user sent an email threat to one of the faculty over the wireless network. Can the machine from which the message was sent be identified? Can the user be identified?

    Yes. DCIS's LAWN has connection logging turned on, which logs every open connection established by a wireless user. Since every email records its originating IP, we can trace it back to the machine and to the user who was logged in at the time.

    Network Attack Monitoring

    A wireless client launches a denial of service attack on an Internet site. Can a system administrator find out when such an attack occurs without analyzing the connection logs?

    Yes. LAWN's Intrusion Detector System (IDS) can be configured to page or email a System Administrator when the attack is detected.

    File Sharing ala Napster

    Can a wireless user be prevented from getting and sharing copyrighted songs on the wireless network?

    The DCIS LAWN system currently does not limit what a user can access. However, users are not allowed to share files or provide services without special arrangements being made in advance with a System Administrator. Future versions of LAWN will have policy enforcement that controls use of services based on the class of the users.

    Bandwidth control

    Can the bandwidth of a user be limited?

    The DCIS LAWN system was not designed to control the bandwidth of individual users. Software is available that can easily be adapted to the LAWN system that would enable management of an individual's bandwidth.

    Running a server on a wireless device

    A professor would like to provide services to students in an e-Learning classroom. Some of the students are on their computers in the dorms, others are on another campus in a lab, and some are connected wirelessly in the classroom. The professor has a web server containing his lecture and would like his students to access this file from his wireless laptop. Can this be done?

    LAWN users are, by default, clients and cannot provide services. In this situation, the professor's laptop is running as a web server and as a client. This can be done in the current LAWN version but requires a special setup. Such a setup should take less than 5 minutes; however, it is an unusual setup and not routinely done.

    Usage Monitoring

    System Administrators need to see the list of people who are connected on a specific wireless gateway and a list of all users who are currently logged on wirelessly in the whole campus. How can this be done?

    DCIS's LAWN system is a command-line-driven system. To get access to live data, administrators need only log in to the machine via SSH and type the appropriate command.

    Access requiring different authentication services.

    Some Centers run long-term workshops that require accounts to exist for several months so participants can submit their assignments, communicate via email, etc. If a center employs multiple types of accounts and multiple authentication services (e.g., enigma cards, Kerberos server, local password entries), how is wireless access made possible for all classes of user?

    To add access to accounts only one line needs to be added to a configuration file. The users will see the same interface they do on a wired connection.

    Services provided to guests - Identifying Guest Users

    If a non-Rutgers user inappropriately uses the LAWN can his identity be discovered?

    With LAWN, the identity of each user is always known. Every connection made to any host is logged and traceable to an authenticated user. Discovering a user's identity is a matter of looking through logs. Note that if a sysadmin decides to introduce a special guest account that allows users to not be authenticated, the ability to locate responsible individuals is lost.
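
    The log lookup described here and under "Abuse of Services", written out as an added example (not LAWN's own code): given an originating IP and a timestamp, find the authenticated session that held that address at that moment. The log layout, account names, server names and addresses are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample session log. The field layout is an assumption for this
# example, not LAWN's real log format:
# login logout client_ip client_mac authenticated_user auth_server
SESSION_LOG = """\
2002-08-12T09:02:11 2002-08-12T10:47:30 10.20.0.57 00:02:2d:aa:bb:01 alice ru-kerberos
2002-08-12T10:55:04 2002-08-12T12:10:19 10.20.0.57 00:02:2d:aa:bb:02 bob partner-auth
2002-08-12T11:30:00 2002-08-12T13:00:00 10.20.0.91 00:02:2d:aa:bb:03 guest local
"""

SHARED_ACCOUNTS = {"guest"}  # logins that do not name an individual
FMT = "%Y-%m-%dT%H:%M:%S"


def parse_sessions(text):
    """Turn each log line into a dict with parsed login/logout times."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac, user, server = line.split()
        sessions.append({
            "start": datetime.strptime(start, FMT),
            "end": datetime.strptime(end, FMT),
            "ip": ip, "mac": mac, "user": user, "server": server,
        })
    return sessions


def attribute(sessions, ip, when, skew=timedelta(seconds=60)):
    """Find who held `ip` at `when`; `skew` absorbs clock drift between logs."""
    hits = [s for s in sessions
            if s["ip"] == ip and s["start"] - skew <= when <= s["end"] + skew]
    if not hits:
        return "no-session", hits      # no logged-in user held the address then
    if len(hits) > 1:
        return "ambiguous", hits       # address changed hands inside the skew window
    if hits[0]["user"] in SHARED_ACCOUNTS:
        return "machine-only", hits    # MAC is known, the individual is not
    return "identified", hits


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    # Originating IP and timestamp as they would be read from a mail header.
    verdict, hits = attribute(sessions, "10.20.0.57", datetime(2002, 8, 12, 11, 0, 0))
    print(verdict, [(h["user"], h["mac"]) for h in hits])
```

    The same address maps to two different users in the sample, which is why the timestamp has to be part of the lookup, and the shared guest login shows the case where only the machine can be named.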

    Last Modified: Tuesday, August 13, 2002