Wireless solution

Binthanna Instituteof Technology

.

ICT-216
Kasun Rubasinghe

Sampath Adhikaramage
Sandeera Brose Vijekumar

Table of Contents

Acceptance notice

Executive Summary

Implementation Plan

Naming Convention for Wireless Devices

Design Overview

User Group and SSID association

Wireless LAN access to resources

IP addressing Scheme

Logical Network Diagram

10

Network usage and internet usage details

11

Proposed equipment for the wireless solution

13

Equipment Specifications

14

Floor Plans

18

Security

22

Mobility

24

Connection Process

25

Conclusion

26

Page 2 of 26

Acceptance notice

This document is the proposed wireless implementation plan for Bintanna institute of Technology
prepared by Simple Solutions Pty Ltd. All information included in this document is not to be used
unless it has been approved and authorized by the appropriate authority, in this case, the principle
of Bintanna institute of Technology and the managing Director of Simple Solutions Pty. Ltd.
All data included in the following sections are confidential and not to be disclosed to anyone who
does not have the appropriate clearance.
This proposal is copyright of Simple Solutions Pty. Ltd. And will remain so until the project becomes
official and is handed over to Bintanna institute of Technology. By viewing this document you agree
to keep all data and any technical plans and diagrams included within this document confidential.

This implementation plan has been authorized by:

Binthanna institute of Technology

Simple Solutions Pty Ltd.

Principle:

Managing Director:

Signature:

Signature:

Date:

Date:

Contact for all Enquiries:

Sampath Adhikaramage Managing Director, Simple Solutions Pty.Ltd.

Telephone : 023 1234567
Email: sam@simplesolutions.lk

Page 3 of 26

Executive Summary
Motivated by the need to reduce IT costs and to increase the productivity, college-wide Wireless
Local Area Network (WLAN) solutions are becoming increasingly popular. Use of mobile computing
devices has increased in popularity and the need for wireless solution has boosted over the last few
years. Wireless technologies can minimize the physical limitations of wired communications to
increase user flexibility and increase the productivity. Lower cost of network ownership is one of the
main reasons for the recent increase in demand.

Limited space, building architecture and school applications can make updating existing technology
challenging and expensive. Proposed wireless infrastructure for Binthanna Institute of Technology
solution capitalises on existing hardware to Improve:

Encourage a more flexible and shared classroom environment by bringing technology to

users.
Improve class rooms by reducing cable clutter and freeing up space used by other computer
equipments.

Increase productivity by allowing teachers to automate tasks, incorporate online academic

content into lessons and spend more time with students.

Seamless connectivity throughout the Institute for authorised users.

Enhance security with handheld wireless devices that can allow staff to connect to the
network from anywhere in the premises.

Enhance student and teacher productivity through near instant access to data and academic
information.

The proposed wireless solution can help enable virtually anytime, anywhere access to the Internet
and to the school network to help teachers increase class efficiency and productivity. It allows you to
control existing computers to create a more flexible and collaborative classroom environment.
The proposed implementation plan provides detail designs for the deployment of a reliable, robust
and secure wireless network for the Binthanna Institute of Technology using the best technologies
and products available on the market.

Page 4 of 26

Proposed Implementation Plan

Following is the time frame for the proposed wireless implementation for Binthanna Institute of
Technology.

Timeframe

Process

Resources

December 2011
(First Week)

Install cabling for Access points

and Wireless LAN Controllers

Simple Solutions Technicians

December 2011
(Second Week)

Install new Access Points and

Wireless LAN Controllers

Simple Solutions Technicians

February 2012
(First Week)

Train users

Simple Solutions Technicians

Context/ Constraints, Competing Projects/Forces

The project has to be finished by first week of February 2012. Because the semester 01 for year
2012 starts in second week of February 2012

Page 5 of 26

Naming Convention for Wireless Devices

Campus

Building no

Device no

Naming convention will indicate the Campus location Building No and the device no.
Eg: AP in Main street campus will be :
Campus
Main Street Campus

MN-B1 -AP000

Device
Wireless LAN Controllers
Wireless Access Points

Campus
Middle Street Campus

Device
Wireless LAN Controllers
Wireless Access Points

MN Main Street

MD Middle Street

WLC Wireless LAN Controller

Device Name
MN-B1-WLC001
MN-B1-WLC001
MN-B1-AP001
MN-B1-AP002
MN-B1-AP003
MN-B1-AP004
MN-B1-AP005
MN-B2-AP001
MN-B2-AP002
MN-B2-AP003
MN-B3-AP001
MN-B3-AP002
MN-B3-AP003
MN-B4-AP001
MN-B4-AP002
MN-B5-AP001
MN-B5-AP002

Device Name
MD-B1-WLC001
MD-B1-WLC002
MD-B1-AP001
MD-B1-AP002
MD-B1-AP003
MD-B2-AP001
MD-B2-AP002
MD-B2-AP003
MD-B2-AP004
MD-B2-AP005
MD-B2-AP006
MD-B3-AP001
MD-B3-AP002
MD-B3-AP003

B - Building
AP Access Point

Page 6 of 26

Design Overview
There are two campuses. Each campus has five user groups
Main street Campus
o student
Information Technology
Electronic and Electrical Engineering
o Teachers
o Administration
Management
Accounting
o Guest

Middle street Campus

o student
Motor Mechanic
Business Studies
o Teachers
o Administration
Management
Accounting
o Guest

Each user group can access wireless network using different devices.

Campus laptops
Private laptops
Mobile Phones
PDAs

Proposed network will support all 102.11 b/g/n devices.

Minimum requirements for connecting devices to the proposed wireless network.
Must support :
WPA2 TKIP
Proxy Authentication

Page 7 of 26

User Group and SSID association

User Group

SSID (Service Set Identifier)

Students

STUDENT

Teachers

TEACHER

Administration
Management

MANAGEMENT-ADMIN

Accounting
Guest

MANAGEMENT-ACC
GUEST

Wireless LAN access to resources

User Group
Students

Accessible Resources
IT File Server
Application Server

Electrical Engineering

E&E Server
Application Server

Teachers

Mail Server
Application Server
Student Database
Student Results
Teaching Material

Administration
Management

Accounting

Guest

Mail Server
Application Server
Student Database

Not Broadcasting

Mail Server
Student database
Application Server
Payroll
Accounts Management
Guest Internet Access

Page 8 of 26

All the traffic generated by the user will be forwarded to the Wireless LAN Controller from the access
points using Lightweight Access Point Protocol tunnel (LWAPP). Traffic will be separated into VLANs
depending on the user groups. Following table demonstrates VLAN information bound with the SSID
of each user group.

SSID (Service Set Identifier)

VLAN - ID

STUDENTS

VLAN 10

TEACHER

VLAN 30

MANAGEMENT-ADMIN

VLAN 70

MANAGEMENT-ACC

VLAN 80

GUEST

VLAN 99

All users except the guest users will have to authenticate themselves using WPA2-TKIP
authentication. All authentications will be handled using the existing Microsoft active directory
services. After authentication active directory will allocate resources appropriately to the users.

IP addressing Scheme
172.16.0.0/16 will be used for this solution.

Network

VLAN - ID

DHCP Pool (Dynamic Host

Configuration Protocol)

STUDENTS

VLAN 10

172.16.10.0 /22

TEACHER

VLAN 30

172.16.30.0 /24

MANAGEMENT-ADMIN

VLAN 70

172.16.70.0 /24

MANAGEMENT-ACC

VLAN 80

172.16.80.0 /24

GUEST

VLAN 99

172.16.99.0/24

WLC Manager VLAN

VLAN 3

172.16.3.0 /24

AP Manager VLAN

VLAN 7

172.16.7.0 /24

Page 9 of 26

Logical Network Diagram

The following is the logical network diagram which shows the wireless network connectivity
in the Binthanna Institiute of Technology. The existing Ethernet network is separated into
three layers: Core , Distribution, and Access. We didnt give out the real number and
interconnect link types of the core swithes and access switches, only explains that the WLC
will be connected to the core switch, the AP will be connected to the access switch,

Page 10 of 26

Network usage and internet usage details

Binthanna Institute estimated network usage based on Data provided by the administration
The institute has a single-homed Cable broadband connection to an ISP which provides a 4.0
Mbps data rate. Users connecting to the wireless network will share the same internet
connection, if they are authorized to access internet.
According to the data provided by the institute there will be:

Average of 750 students in the institute at peak hours.

Maximum of 150 staff members will be requiring network access at peak hours.
Average of 50 guests who may need internet access at peak hours.

And we will assume the following:

60% of the students will be using wireless at any given time (Considering Electrical
Students, Electrical students and Motor Mechanic students who will not be using the
network much. Also we assume that 100% IT students will not be using wireless at
any given time).
100% staff will need to use wireless at any given time.
50% of guests will be using wireless at any given time.

Based on the assumptions,

Maximum of 450 students will be connected to wireless at peak hours

Maximum of 150 staff members will be connected to wireless at peak hours
Maximum of 25 guests will be connected to wireless at peak hours.

Therefore a maximum number of 625 users will need to use the wireless network at peak
hours. If every wireless user needs to access internet at the same time, which is very
unlikely to occur, each user will get a data rate of 6.55Kbps, which is reasonably sufficient
for browsing web. IMPORTANT: This is not due to any fault in the wireless network. This is
solely due to the single-home internet connection of the existing wired network of the
institute.

Page 11 of 26

The following graph shows the projected 24 hour wireless internet usage.

The following graph shows the projected 24 hour wireless network usage.

Page 12 of 26

Proposed equipment for the wireless solution

For the proposed wireless solution, we will be using the existing network to support it.
Following equipment list only includes the devices needed to implement the wireless
solution. Cisco equipments are used for this solution because of their reliability and
performance.

Device

Model

Number
Price (Approx.)
of units

Total Cost

Access Point

Cisco Aironet 3500

27

$950.00 per unit

$25,650.00

Wireless LAN
Controller

Cisco Air-CT2504

$1,900.00 per
unit

$7,600.00

PROJECTED TOTAL COST FOR EQUIPMENT

$33, 250.00

Page 13 of 26

Specifications of the equipments used

Access point - Cisco Aironet 3500

Cisco Aironet 3500 specifications

Dimension (W*L*H)

23*23*4.8 cm

System Memory

128MB DRAM
32MB Flash

Powering Options

802.3af Ethernet Switch

Cisco AP3500 Power Injectors (AIR-PWRINJ4 equal)
Cisco AP3500 Local Power Supply (AIR-PWR-B)

Software

Cisco Unified Wireless Network Software Release 7.0 or later

2x3 multiple-input multiple-output (MIMO) with two spatial

streams
Maximal ratio combining (MRC)
Legacy beamforming
20- and 40-MHz channels
PHY data rates up to 300 Mbps
Packet aggregation: A-MPDU (Tx/Rx), A-MSDU (Tx/Rx)
802.11 dynamic frequency selection (DFS)
Cyclic shift diversity (CSD) support

802.11n Version 2.0

(and Related)
Capabilities

Page 14 of 26

Data Rates Supported

802.11a: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps

802.11g: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps
802.11n data rates (2.4 GHz and 5 GHz)

Maximum Number of
Nonoverlapping Channels

2.4 GHz
802.11b/g
20 MHz: 3
802.11n
20 MHz: 3

5 GHz
802.11a:
20 MHz: 21
802.11n:
20 MHz: 21
40 MHz: 9

Maximum Transmit
Power

2.4 GHz
802.11b
23 dBm with 2
antennas
802.11g
20 dBm with 2
antennas
802.11n
20 dBm with 2
antennas

5.0 GHz
802.11a
20 dBm with 2
antennas
802.11n
20 dBm with 2
antennas

* reference - http://www.cisco.com/en/US/docs/wireless/access_point/3500/quick/guide/ap3500getstart.html

Page 15 of 26

Wireless LAN Controller - Cisco Air-CT2504

Dimension (W*L*H)

Cisco Air-CT2504 specifications

44*204*271 mm

Wireless Standards

IEEE 802.11a
802.11b
802.11g
802.11d
WMM/802.11e
802.11h
802.11n

Wired /switching / Routing

IEEE 802.3 10BASE-T

IEEE 802.3u 100BASE-TX specification
1000BASE-T
IEEE 802.1Q VLAN tagging

RFC 768 UDP

RFC 791 IP
RFC 2460 IPv6 (pass through Bridging mode only)
RFC 792 ICMP
RFC 793 TCP
RFC 826 ARP
RFC 1122 Requirements for Internet Hosts
RFC 1519 CIDR
RFC 1542 BOOTP
RFC 2131 DHCP
RFC 5415 CAPWAP Protocol Specification

Data Request for Comments

(RFCs)

Page 16 of 26

Security Standards

WiFi Protected Access (WPA)

IEEE 802.11i (WPA2, RSN)
RFC 1321 MD5 Message-Digest Algorithm
RFC 1851 The ESP Triple DES Transform
RFC 2104 HMAC: Keyed Hashing for Message Authentication
RFC 2246 TLS Protocol Version 1.0
RFC 2401 Security Architecture for the Internet Protocol
RFC 2403 HMAC-MD5-96 within ESP and AH
RFC 2404 HMAC-SHA-1-96 within ESP and AH
RFC 2405 ESP DES-CBC Cipher Algorithm with Explicit IV
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2407 Interpretation for ISAKMP
RFC 2408 ISAKMP
RFC 2409 IKE
RFC 2451 ESP CBC-Mode Cipher Algorithms
RFC 3280 Internet X.509 PKI Certificate and CRL Profile
RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec
RFC 3686 Using AES Counter Mode with IPsec ESP
RFC 4347 Datagram Transport Layer Security
RFC 4346 TLS Protocol Version 1.1

Encryption

WEP and Temporal Key Integrity Protocol-Message Integrity

Check (TKIP-MIC): RC4 40, 104 and 128 bits (both static and
shared keys)
Advanced Encryption Standard (AES): CBC, CCM, Counter Mode
with Cipher Block Chanining Message Authentication Code
Protocol (CCMP)
DES: DES-CBC, 3DES
Secure Sockets Layer (SSL) and Transport Layer Security (TLS):
RC4 128-bit and RSA 1024- and 2048-bit
DTLS: AES-CBC

Authentication,
Authorization, and
Accounting (AAA)

IEEE 802.1X
RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
RFC 2716 PPP EAP-TLS
RFC 2865 RADIUS Authentication
RFC 2866 RADIUS Accounting
RFC 2867 RADIUS Tunnel Accounting
RFC 3576 Dynamic Authorization Extensions to RADIUS
RFC 3579 RADIUS Support for EAP
RFC 3580 IEEE 802.1X RADIUS Guidelines
RFC 3748 Extensible Authentication Protocol
Web-based authentication
TACACS support for management users

Management Interfaces

Designed for use with Cisco Wireless Control System

Web-based: HTTP/HTTPS individual device manager
Command-line interface: Telnet, SSH, serial port

*reference - http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html

Page 17 of 26

Page 18 of 26

Access Point Implementation

Heat Map

Page 19 of 26

Page 20 of 26

Access Point Implementation

Heat Map

Page 21 of 26

Security
Wireless user authentication using AAA server
The WLC will be using a AAA server to access the user database and authenticate users to
the wireless network. The AAA server is already implemented in the existing network and
the WLC only needs to be configured to use the AAA server for user suthentication.

WPA2 encryption
Wi-Fi Protected access 2 has been used for encrypting the data for secure transmission.
Thisis believed to be extremely secure method of data transmission. WPA2 Pre-shared key
used to authenticate users (Except Guest users)to the wireless network. Afterwards, Web
authentication will be used for user authorization.

Guest users can only browse web.

Users in the guest VLAN only have access to the internet. They cannot access any other
resources in the campus network.

Separate VLANs for separate user groups

A VLAN is a Virtual Local Area Network. In a VLAN users are logically separated into groups
depending on thir access needs and access restrictions. In this wireless solution, separate
VLANs were used for separate user groups, as a security measure, and a ease of
management feature. Each SSID corresponds to a unique VLAN. Once connected to a
specific SSID, the users are allowed access to specific segments of the network only as
specified in the corresponding VLAN. Each user group is assigned access to specific
resources and they cannot access any other resource that have been disallows in that
specific VLAN.
Page 22 of 26

Threats that a Wireless network faces, and the mitigations applied:

Client Misassociation
When a client saves an SSID, the computer tries to connect to that SSID when its seen
again. An attacker can spoof the SSID and a clients computer may automatically connect to
the rouge SSID and the client may be unaware of this. An attacker may steal information
from your computer this way.
Mitigation: Management Frame Protection
Basically, what this means is, an Access point broadcasts a unique key with its beacons, and
if there is a key mismatch the connection will not occur. Also if legitimate APs detect any
rouge APs without the unique key, they can be reported to the controller.
Ad Hoc Networks
An ad hoc network is a wireless network formed between two clients. An attacker can form
an Ad Hoc network with a client and try to steal information.
Mitigation:
Implement corporate security policies to stop users from forming Ad Hoc networks with un
trusted devices. If using company devices, implement polices to disable Ad Hoc networks.

Other popular attacks, and the mitigations applied:

Reconnaissance attacks: An attacker attempts to gain information about your network.

Mitigation: hiding the SSID by not broadcasting it in beacon frames.

Access attacks: An attacker tries to gain access to data, devices, and/or the network.
Mitigation: using MAC-based authentication for some VLANs as well as Wi-Fi Protected
Access (WPA2).
Denial-of-service (DoS) attacks: An attacker attempts to block legitimate users access to
services
and
resources
they
require.
Mitigation: Intrusion Prevention System (IDS/IPS) sensors can be installed in addition to
Management Frame Protection.
Page 23 of 26

Mobility
One mobility group is used for each campus

Users connected to a VLAN can roam inside the campus without losing their connection to
the network. When a user walks between Access points, the second access point recognizes
the client and keeps the client in the same VLAN. The whole process takes place between
the Access Point and the Controller, within 10 milliseconds, and its transparent to the user.
The user can keep on using the network and walking between buildings will not interrupt
any active downloads or active Voice calls (such as Skype).

Page 24 of 26

Connection Process Flow Chart

Initiate Connection

Select SSID : SSID in range?

Used wired computers.

No
Management and
accounting department see
provided guidelines

Yes

Select appropriate SSID and

click connect

Yes
Provide pre-shared key

No

Get the pre shared key from

administration staff

Prompt for web

authentication

Enter user credentials

Check the user ID

No
Password

Yes
Access Granted Enjoy
Page 25 of 26

Conclusion
This proposed wireless network has been designed according to accepted wireless
standards. Equipments used in the proposed plan are of high quality and high performance.
The wireless network is scalable and redundant and allows future growth. Wireless network
coverage can be easily extended by simply adding more access points to the access layer
switches.
Simple Solutions has been in the industry for more than 5 years, and is a well reputed
organization in the industry. We hope this proposal is will cater your needs for a wireless
solution.
Simple Solutions is delighted to be a part of this project and is looking forward to be actively
involved in the implementation of the wireless network project of Binthanna Institute.

Page 26 of 26