Every week, questions abound about the latest wireless acronym. Are you implementing 802.1x on your 802.11a/b/g networks? How about EAP-FAST supplicants? IPsec VPN over wireless? TKIP, MIC, LEAP? How do you feel about the future of 802.11n, w, x, y, z?
Users want something simple -- just to be able to open a laptop and be connected to the Internet. They can do it in a hotel, so why is the corporate enterprise any different?
As CIO of Harvard Medical School, I need to support several types of wireless use, ranging from insecure wireless Internet access for visitors with possibly unmanaged, virus-infected laptops to highly secure wireless access for trusted users of corporate managed devices.
With 4000 PCs, 4000 Macintoshes and 1000 Linux-variant machines, what can a CIO do to navigate the 802.11 ABCs and arrive at a sustainable and supportable approach?
After months of experimentation, we found a way to meet the needs of our users, provide reasonable security and keep helpdesk calls to a minimum.
Before I begin, can I say that support for Macs and Linux machines was a challenge, configuring complex wireless protocols such as TKIP, MIC or EAP-FAST on Red Hat Enterprise Linux requires expert engineers, using IPsec virtual private networks was very invasive to the operating system and tended to cause errors, instability and calls to the helpdesk.
We kept it simple. For visiting users, we created an 802.11a/b/g service set identifier called "Public", which sits outside the firewall and offers access only to the public Internet.
For our power users who are willing to accept a minimal amount of configuration to get behind the firewall without an SSL VPN, we created an SSID called "Private" that uses WPA. For Mac users, no configuration is necessary -- just open the laptop lid and sign into the network using enterprise (Active Directory) credentials. For PC users, a small amount of configuration is necessary, depending on the driver used for wireless (Windows, Intel, IBM, and the like.). For Linux, a custom driver must be downloaded, which makes this approach less than perfect, but most Linux users are happy with an SSL VPN, so calls to the helpdesk are limited.
The bottom line: two SSIDs -- one with a simple, appropriate-uses page, and one with WPA along with an SSL VPN -- provide choices that work everywhere for everyone.
Our next challenge will be WiMax vs EV-DO vs EDGE.