This session is sponsored by Aruba: Hewlett Packard Enterprise company.
Chair: Mark O'Leary, head of above-net services development, Jisc.
Wireless connectivity and mobility are mission critical to most organisations today.
This session addresses how govroam is building upon the proven success of eduroam to offer the same seamless authentication experience to a much wider community of users; we look at the highs and lows of a Wi-Fi project across an urban university, and we bring you the latest updates to our eduroam support portal.
Running order of talks:
16:15-16:40 - govroam
Speaker: David Hayling, University of Kent.
16:40-17:05 - Wi-Fi improvement project
Speaker: Jamie Lee, Goldsmiths, University of London.
17:05-17:30 - eduroam support portal changes
Speakers:
Edward Wincott, Jisc
Nik Nitev, Loughborough University
2. Please switch your mobile phones to silent
No fire alarms scheduled. In the event of an alarm, please follow directions of NCC staff
17:30 - 19:00 Exhibitor showcase and drinks reception
18:00 - 19:00 Birds of a feather sessions
21. From a Reactive to Planned
Wi-Fi Service Improvement
Jamie Lee, Goldsmiths
22. Themes
»Where the Goldsmiths Journey Started?
»The First Wave
»A Second Wave and the Reactive Sprawl
»Service Improvement
»Planning for Capacity and Growth
»Benefits and What Next?
12/04/2017 From a Reactive to Planned Wi-Fi Service Improvement
23. Where the Goldsmiths Journey started
»25 Cisco 1200 series placed in “key” areas of the campus
»Individually managed
»Hot spots map published
»A poor roaming experience
»Support overheads
»Low visibility of the service
The result was
24. The First Wave
»Single Master Controller
»64 AP licenses increasing to 128
»FreeRADIUS 2.1.x integrated with OpenLDAP
»Provides some NAC capability
»Use of Wi-Fi increasing, as are demands
»Cisco APs coexist, increasing complexity
Aruba 3600 Wi-Fi Controller with FreeRADIUS Servers
25. A Second Wave and the Reactive Sprawl
»Implemented ClearPass 2.2 and integrated it with AD
»Introduced two local controllers and 200 additional APs
»Stabilised core network across campus
»AP licenses converted to pool
Networks Overhaul begins
»ClearPass servers soon reach capacity
»Wi-Fi in halls decision made after the overhaul
»Access points deployed ad hoc upon request
»Incidents on the help desk continue to increase
The Growing Pains continue
26. Commitment to Aruba - HPE
» Gartner clients report a high degree of satisfaction with Aruba's ClearPass, which provides guest access, device profiling, posture assessment, onboarding and more.
» HPE offers free technical support in business hours for three years on most Aruba switches (24/7 for 90 days).
The Gartner Magic Quadrant
Source: Gartner 2016
27. Service Improvement
»Procured campus wide passive and predictive survey that:
› Identified areas of channel overlap and poor coverage
› Identified high density areas and coverage shortfall
› Located and recorded 3rd party Wi-Fi networks
»The survey was used in procurement for the next phase
»Replaced controllers with wave 2 capable versions
»Introduced Aruba ClearPass to replace Freeradius
How we approached the Wi-Fi service improvement
28. Planning for Capacity and Growth
»Approach new and refurbished locations with a Wi-Fi first view
»Separate security zones for roles so access is managed securely.
29. Realising the Benefits
»686 Access Points now installed
»86% fewer help desk calls, comparing the period before and after the latest improvements.
»Secure yet flexible mobility
»An improved student and staff experience
»A solid platform for future growth
The Results
30. Lessons Learned and Next Steps
»Active survey might have realised further benefits
»No management tool to measure the effectiveness of the service improvements
»eduroam Template in ClearPass needs improving
»Audit Apps that use the Wi-Fi
Lessons Learned
»Implement AirWave to make further service improvements
»Contain 3rd party Wi-Fi
»VoIP over Wi-Fi, IPv6
»Full 802.11ac rollout
»Feasibility for tools such as beacon and Skyfii for analytics
Next Phases
34. jisc.ac.uk
My Details
Jamie Lee
IT Infrastructure Manager
j.lee@gold.ac.uk, @JamieLee_Gold
Goldsmiths, University of London
36. pre-NWS44 eduroam seminar 2016
»Replacement of Roaming2
»Proactive contact with members to address issues
»Revision of technical specification
»Development and deployment of Service Provider Assurance Tool
»Replacement of support server – new platform, new features
12/04/2017 eduroam support portal changes V2
37. Achievements 2016 - today
» Replacement of Roaming2
› New R93o dual function server deployed: VM machine for Roamingo and New Support
› RedHat 7.3; marked performance improvement. Baseline response time from European monitor reduced from 1.4sec to 1.1sec
› Roaming2 will be replaced 3rd and 4th May (decommission old Solaris VM in Manchester; replacement R2 deployment in Slough data centre)
38. Achievements 2016 - today
» Proactive contact with members to address issues
› Ongoing… regular e-mails
» Revision of Technical Specification
› Version 1.4 released 14 July 2016
» Development + deployment of Service Provider Assurance Tool
› Version 2 now being rolled out to community – BoF session at 18:00 theatre 3
» Replacement of Support server
› New platform, new features
› Now in beta
39. jisc.ac.uk
Except where otherwise noted, this work
is licensed under CC-BY-NC-ND
Edward Wincott
eduroam (UK) service manager
edward.wincott@jisc.ac.uk
01235 822378
41. A year of intensive coding
» First presented at last year’s NWS
› ideas and static pictures
» One year later, we have a working site
› with beta test users
› An outline of the most important changes and improvements follows
12/04/2017 eduroam support server v2
42. Layout overview
»Three categories of content
› Status overview
› Configure
› Troubleshoot
»User menu
»Card specific help
»Pending change notification
»Service request form
»Links to policy documents
43. Monitoring – active tests
» EAP authentication tests
› All realms
› All servers
› All authentication methods
› IPv4 and IPv6
› Support for blank username
› CUI reply
» DNS (A, AAAA)
» ICMP
» Status-Server
» DNS (NAPTR)
» SMTP
» eduroam service page
Every 30 min – weighted severity
Every 24 hours
44. Passive monitoring
» Logs are now parsed in real time
» Error detection
› Loop detection
› Invalid shared secrets
› CSI
› Operator-Name
› Timeouts
› Leaked VSAs
› ICMP DU/TE
» Graphing
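The passive-monitoring slide above lists the conditions the support server's real-time log parser flags. The Python script below is an added example, not code from the Jisc support server (which the deck says is written in Perl): it parses proxy log lines in a constructed key=value format and raises findings for proxy loops (our own name already present in the Proxy-State chain), packets that fail the authenticator check (a shared-secret mismatch), missing or wrongly namespaced Operator-Name, late or missing home-server replies, and vendor-specific attributes leaking out of a home organisation's reply. The line format, the proxy name nrps-example, the sample log, the thresholds and the finding codes are all assumptions made for this example.

```python
"""Passive RADIUS-proxy log analysis, in the spirit of the 'Passive monitoring'
slide: parse log lines as they arrive and raise findings for proxy loops,
invalid shared secrets, Operator-Name problems, home-server timeouts and
leaked vendor-specific attributes (VSAs).

Everything below (line format, proxy name, thresholds, sample log) is
constructed for this example; it is not the Jisc support server's code or
the log format of any RADIUS daemon.
"""
import re
from collections import Counter
from datetime import datetime

SELF_NAME = "nrps-example"   # constructed: how this proxy appears in Proxy-State chains
TIMEOUT_S = 5                # assumed: a reply later than this counts as a timeout
TIMEOUT_ERR = 2              # assumed: this many timeouts from one server is an error

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn '<iso-timestamp> <kind> k=v k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, rest = m.groups()
    try:
        event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    except ValueError:
        return None
    event.update(KV_RE.findall(rest))
    return event


def analyse(lines):
    """Return a list of (severity, code, detail) findings for the given log lines."""
    findings = []
    outstanding = {}      # (home_server, id) -> time we forwarded the request
    timeouts = Counter()  # home_server -> late or missing replies
    last_ts = None
    for ev in filter(None, map(parse_line, lines)):
        last_ts = ev["ts"]
        kind = ev["kind"]
        if kind == "request":
            # Loop: Proxy-State already carries our own name, so this request has
            # been through us before and an ORPS is proxying its own realm back up.
            if SELF_NAME in ev.get("proxy_state", "").split(","):
                findings.append(("err", "loop",
                                 f"{ev['peer']} sent back our own request for realm {ev['realm']}"))
            # Operator-Name should be present and use the REALM namespace ('1').
            op = ev.get("operator_name")
            if op is None:
                findings.append(("warn", "operator_name_missing",
                                 f"{ev['peer']} request id={ev['id']} has no Operator-Name"))
            elif not op.startswith("1"):
                findings.append(("err", "operator_name_namespace",
                                 f"{ev['peer']} sent Operator-Name {op!r} (namespace is not '1')"))
        elif kind == "forward":
            outstanding[(ev["peer"], ev["id"])] = ev["ts"]
        elif kind == "reply":
            sent = outstanding.pop((ev["peer"], ev["id"]), None)
            if sent is not None and (ev["ts"] - sent).total_seconds() > TIMEOUT_S:
                timeouts[ev["peer"]] += 1
            # A VSA in a reply that we will proxy to another organisation is a leak.
            if ev.get("vsa"):
                findings.append(("warn", "leaked_vsa",
                                 f"{ev['peer']} reply id={ev['id']} carries VSA {ev['vsa']}"))
        elif kind == "drop" and ev.get("reason") == "bad_authenticator":
            findings.append(("err", "shared_secret",
                             f"packet from {ev['peer']} failed the authenticator check (shared secret mismatch?)"))
    # Anything still unanswered at the end of the window is a timeout too.
    for (server, _), sent in outstanding.items():
        if last_ts is not None and (last_ts - sent).total_seconds() > TIMEOUT_S:
            timeouts[server] += 1
    for server, n in timeouts.items():
        findings.append(("err" if n >= TIMEOUT_ERR else "warn", "timeouts",
                         f"{server}: {n} late or missing replies"))
    return findings


def summarise(findings):
    """Count findings per severity, as a status summary card would."""
    return dict(Counter(sev for sev, _, _ in findings))


# Constructed sample log: a clean exchange that leaks a VSA, a request with no
# Operator-Name answered late, a looped request, a wrong Operator-Name
# namespace, a forward that is never answered, and a dropped packet.
SAMPLE_LOG = """\
2017-04-12T10:00:00 request peer=orps.visited.example id=1 realm=home.example operator_name=1visited.example proxy_state=orps.visited.example
2017-04-12T10:00:00 forward peer=orps.home.example id=1
2017-04-12T10:00:01 reply peer=orps.home.example id=1 code=Access-Accept vsa=Aruba-User-Role
2017-04-12T10:00:05 request peer=orps.visited.example id=2 realm=home.example proxy_state=orps.visited.example
2017-04-12T10:00:05 forward peer=orps.home.example id=2
2017-04-12T10:00:12 reply peer=orps.home.example id=2 code=Access-Reject
2017-04-12T10:00:20 request peer=orps.loopy.example id=7 realm=loopy.example operator_name=1loopy.example proxy_state=orps.loopy.example,nrps-example,orps.loopy.example
2017-04-12T10:00:40 request peer=orps.visited.example id=3 realm=home.example operator_name=2visited.example proxy_state=orps.visited.example
2017-04-12T10:00:40 forward peer=orps.home.example id=3
2017-04-12T10:01:00 drop peer=orps.badsecret.example reason=bad_authenticator
"""

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG.splitlines())
    for severity, code, detail in results:
        print(f"[{severity}] {code}: {detail}")
    print(summarise(results))
```

Running the script prints one line per finding followed by the per-severity counts; on the constructed log it reports two warnings (the leaked VSA and the missing Operator-Name) and four errors (the loop, the bad Operator-Name namespace, the authenticator failure and two timeouts from the same home server). Timeouts are aggregated per server rather than reported individually so that one flapping ORPS produces a single escalating finding instead of a flood.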
45. Monitoring – presentation
»RADIUS servers card
› ORPS related issues
»Status summary card
› All detected issues
› Available to the public (only Err & Warn)
› More summarisation is on the To Do list
46. Configuration
» ORPS
› Copy shared secrets between ORPS
› Status-Server setting verification
› Instant DNS check
» Organisation settings
› Simplified service configuration
› Multiple auth methods
› Instant eduroam URL check
» Realms
› Per-realm test account
» Accounts
› Individual accounts
› Read only accounts
» Pending change notification
47. Troubleshooting
» Testing
› Tests run directly on NRPS
› Target specific ORPS
› IPv6 support
› Multiple realms
› CUI requests
» Quick reference
› Filtered by ORPS platform
» Logs
› Parsed in real time
› Search
› Download
› 30 days history
› Admin (configuration) logs
48. Beta testing
»Existing credentials work
»Feel free to use
› (Changes have no effect on your eduroam service)
»Built-in help available
»Suggestions welcome
49. The road ahead
» Hope to bring into live service soon
› Migration code and procedure
› Bug fixes
› Roaming2 upgrade
» Further development
› Great flexibility
› Open source (hopefully)
› Written in Perl (Dancer2, Template Toolkit)
› Localisation and wider adoption
Since roughly the start of this century there has been a huge change in mobile working and the computing to support it.
In roughly the last 15-plus years, mobile phones have gone from being moderately rare, expensive portable telephones to Cray-supercomputer-beating smartphones.
Portable computers have gone from limited luggables with short battery life to amazingly powerful devices which keep going all day.
During this time UK higher education, along with partners across the world, has pioneered eduroam.
eduroam started in the UK with a UKERNA LIN project – Location Independent Networking.
Up to this time, and for some while afterwards, nomadic UKHE staff would, if they wanted to use the computing at a site they were visiting, either:
Have a local account and find a shared / open access PC lab, OR
Bring their own portable computer and battle with the local regime for connecting to the limited wireless network or plug into the network.
It is worth remembering that the success of eduroam didn’t come overnight.
Whilst we can all see nowadays how successful eduroam is, it was competing with many established local wireless deployments.
And whilst the local deployments were prevalent and were the first choice for local people, when the local people became guests elsewhere they weren’t used to using eduroam.
The visited sites didn’t use their own eduroam and thus it was the poor relation.
Also there were device issues – not everyone ‘owns’ their own device; many with them issued by their employer had the device locked down and they couldn’t access the configuration they needed to connect to local versions of Wi-Fi, OR
Could not access eduroam due to some necessary minor config tweak.
WIDESPREAD eduroam adoption
As eduroam became prevalent and popular it was telling how the dialogue with the likes of academics moved from ‘what is eduroam?’ to ‘why don’t we have eduroam?’ or ‘I’d rather meet somewhere that has eduroam’.
eduroam had become part of Maslow’s hierarchy of needs.
In the meantime, the public sector
As eduroam has matured in adoption across the higher education sector there has been a considerable change in other parts of the public sector
These changes are clearly a reflection of changes in society and the world of work.
Newer technology
New ways of working – in particular greater demands and reasons for swifter collaboration between parts of the public sector
But before we get onto wireless in the rest of the public sector I need to speak about networking in general in the public sector
Some while ago I operated a Janet regional network, and over ten years ago Kent MAN started to explore cooperation with the Kent schools network and later the Kent county council network.
What took me a fair amount of time to understand were the restrictions and constraints under which our colleagues providing public sector networking worked.
To share services fundamentally takes trust
And to establish trust takes, I found, a fair amount of time
You have to learn and understand the drivers of the other partners
You have to explain your own drivers in terms that the other people will understand
Technical arguments on their own don’t win over and deliver trust
You have to address ‘fears’ that people have – however irrational they may appear to you, the ‘fears’ or concerns or issues that other people have are very real to them.
It takes time to take them and their superiors and colleagues on the journey from ‘interloper’ to trusted partner.
And then there is trying to understand and align the procurement cycles.
During this process, which wasn’t just HE looking to cooperate with local government but also to support the development of shared services across the public sector.
Originally the compliance requirements on the public sector were orientated very much department by department.
For example, a local government authority was expected to have a separate connection to the Department for Work and Pensions.
But Kent – led by Jeff Wallbank – set out to deliver a shared network in Kent that could connect ALL the Kent local government authorities through a joint network to DWP.
Public sector compliance was ‘input’ orientated, but now has moved more towards outcome focussed – helped by the development of the National Cyber Security Centre and their balanced approach
There are still demands on public sector compliance – for very good reasons – NHS data really shouldn’t fly around without very good protection. But this applies to HE as well, where relevant.
Kent Public Services Network – KPSN - was rapidly enabling increasing numbers of shared services.
Once you have cracked shared connectivity the opportunities are considerable.
The desire to allow staff from differing public sector groups to easily use the network in locations they visited has been a wish for some while
The barrier – from my perspective – the initial attempt to deploy a ubiquitous and pervasive network with ALL the SECURITY features of the ‘old’ ‘INPUT’ model …
In 2012 I recall looking into Vendor Specific Attributes on RADIUS as a way to signal different network requirements to the visited network – though briefly an interesting idea the big problem was the lack of scaling and necessary level of trust.
BUT, more importantly we were trying to solve the wrong problem at the network level.
Once our Kent Public Services Network colleagues understood eduroam and the radius hierarchy that underpins it they were keen to adopt it, or something similar.
The initial deployment didn’t have the support of national bodies, and thus Kent was going it alone somewhat.
But they did see the benefit of the potential ‘NETWORK EFFECT’ and though initially considered calling the service KPSNroam, swiftly came to the name psnroam
The success of this service was reassuring
I was pleased that the likes of Ashford Borough Council were an early adopter – they made psnroam available in the library for example, as well as across their premises.
I was surprised but pleased that Kent Fire and Rescue Service was an early adopter.
And of course Kent County Council started to adopt psnroam.
Meanwhile
Work continued to educate central government as to the benefits of a shared radius hierarchy
Excellent work by Mark O’Leary (Jisc), and colleagues, supported by Jeremy Sharpe, and also Jeff Wallbank (Kent County Council) managed to reassure the necessary people that a govroam service based on the model of eduroam was possible.
Jisc – I understand – put a little seed money in to run a pilot govroam NRPS, and now the service is more established.
This does mean that the early adopters of psnroam are having to ‘redeploy’ the same service.
I hope they are able to eventually do away with the psnroam identity and just use govroam.
This might be the point to say why not eduroam everywhere – well, there are international agreements that strictly restrict eduroam to the education and research sectors. And anyway, trying to tell the whole of the public sector to ‘just connect to eduroam’ would, I’d imagine, be confusing for significant swathes of other sectors.
The merits of this shared network service to allow ubiquitous and pervasive wireless network access is clear to many partners across Kent, and I understand more widely.
There is an agreement in principle to deploy eduroam alongside govroam deployments
A number of deployment details remain
The govroam NRPS does not talk to the eduroam NRPS
Whether and how we can solve this potential problem remains to be seen
Getting govroam and eduroam deployed very widely needs support from both the public sector itself but also from commercial suppliers into the public sector
My university – Kent – has stated along with other universities in Kent that we would like to deploy govroam across our estate, to sit alongside eduroam. Some connectivity and network service (DHCP, DNS, etc.) details remain to be worked out.
But this greater collaboration is seen as a clear benefit.
This
Hi everyone. Ok, so the themes I will cover in my presentation are around the move from a toe dipping into the Wi-Fi waters through to a platform ready for IoT and a Wi-Fi first generation (Gen-Mobile). Bear with me as it is a painful journey that looks back as well as forwards. I think it is important to reflect on the past, especially when many of us remember life before Wi-Fi, our students most likely don’t.
The first deployment of Wi-Fi was a controller-less deployment, using Cisco. Power was required locally and we proudly published a map to say look, we have Wi-Fi, but look, it’s not everywhere. Did anyone else do this?
So the first attempt at a centralised service offering included Aruba’s 3600 controller; however, it functioned alongside the existing Cisco deployment. It wasn’t long before we reached capacity. It took a while to satisfy requests and the roaming issues persisted. Not good for an increasingly demanding customer base.
We engaged Pervasive Networks to implement an improved wired and wireless LAN infrastructure. Lots more technology but focussing too heavily on the LAN. Many of the Wi-Fi problems remain and in reality increase as coverage improves. We knew expansion was necessary and took steps to increase and review licensing introducing AP failover. This was all good and saw some much improved management capability but the emphasis was still skewing towards reactive fixing not proactive planning. We needed to look at the problem differently. It’s clear to see that reactive decisions are driving the issues.
Given that we had already invested heavily in extending coverage and capacity of the Wi-Fi network it made no sense to switch vendor at this stage. The solution was not failing but the approaches taken to date were. It was time to evaluate where we had gone wrong and what was needed in order to fix the growing number of issues both with the Wi-Fi provision and the systems in use to manage it.
We used a company called Net Connections to carry out a full survey of both internal and external sites. Every building then had a report produced with recommendations for AP placement, density and rogue network containment. This information was used in procurement of the next phase. Vanix were the successful bidders and first carried out an overall health check of the Wi-Fi network design, looking at it from the ground up confirmed many of the issues we had and provided a clear way forward to improve the situation.
To avoid falling into the same trap again we take a Wi-Fi first approach and have all new and refurb locations surveyed first. APs are placed where there is greater density and greater demand, not just to provide coverage to a location. Wave 2 implementation is standardised in all new and refurbished locations.
Security roles that follow the Wi-Fi roles are applied to devices to give a much more consistent experience and are easier to support.
Happy to share the tweaks I made with ClearPass to improve compliancy with the Jisc eduroam tech spec.
Happy with results: if you know of a national roaming operator anywhere who has a better service management platform let us know and we will, subject to copyright, steal some ideas.
My current view is it is more likely other NROs will be borrowing from us, especially since we plan to publish it with an open source licence – with Jisc’s kind blessing.
10K lines of code