Wireless Access

From BNL Physics Computing


Executive Summary

If you are connecting to the "Visitor Wireless Network", use your machine's wireless network scanning tool to determine which networks are available at your location. Select the "Corus..." network with the strongest signal (the name can be Corus, Corus2, Corus3, etc.) and click your "Connect" button. You should connect to the network. Attempt to access any web page with your browser and you should be redirected to a "Network Registration" page (Network Registration screen shot). Fill out the registration form and submit it. You should now disconnect from the wireless network and reconnect to get a valid IP address. Finally, to get your browser to work, go into its network connectivity configuration page and select the option to auto-detect proxy settings for the network. Save this setting and your browser should be able to access pages on the Internet.

For more details, see below.

Overview

Wireless network access is generally available within the Physics Building (Building 510). In particular, the conference rooms in the building are meant to have good coverage and office space should have between good and reasonable coverage. If there is poor coverage in an area where you require wireless access, please contact the ITD Helpdesk (x5522, itdhelp@bnl.gov) for assistance.

Wireless access is provided by a number of Cisco Wireless Access Points (WAPs) distributed about the Physics Building and the BNL Campus. The access points carry multiple networks and which one you connect to will depend on your location and needs. The networks are basically divided into an unencrypted, unauthenticated "Visitor" network, and an encrypted, authenticated "Employee" network.

All BNL wireless networks require registration of the MAC address of the wireless card and the use of an HTTP proxy in order to access web pages. If you fail to register within the allotted time, your machine will be blocked from the network. If you fail to configure the proxy, you will only be able to see local web pages.

Visitor Wireless Network

The Visitor network is called "Corus" after the Roman god for the North-West wind. The SSID advertised by the WAP will be either "Corus" or "Corus2", etc. There are multiple "Corus" networks because a single network does not have sufficient IP addresses to satisfy the entire user community of the BNL Campus. Each WAP will advertise a single SSID, but it will accept connections on all SSIDs so that a user can move from one location to another without having to reestablish a connection. The SSID advertised in the Physics Building is "Corus2".

Features

The Visitor Wireless network boasts the following features:

Limitations

The Visitor Wireless network has the following limitations:

  • Outgoing HTTP traffic is blocked, so an HTTP Proxy must be used (see below)
  • Outgoing SMTP (email) is blocked
    • Users should be able to receive email
    • Users can only send email if they connect to an authenticated outgoing email server (or they set up an appropriate VPN or SSH tunnel to their mail server)
  • The Corus network is outside of the BNL campus network, so users can only see publicly accessible BNL web sites (unless they set up an SSH tunnel) and have to go through the SSH gateway machines in order to access internal machines

Using the Visitor Network

All computers with wireless capability have a means of scanning the area for access points. When you run such a scan, one of the Corus networks should show up; select it and click your "Connect" button. Since neither encryption nor authentication is used on the Corus network, you should be able to connect to it if you can see it from your location. For more information see the ITD Wireless Access page.

Connecting for the First Time (Registering Your MAC Address)

If the wireless card you are using has never been connected to the Corus network (i.e., your MAC address is not known to the network infrastructure), then you will have to register your card (MAC address). When connecting for the first time, your machine will be given an IP address that is capable of only connecting to the registration page on the registration web site. Once you have established a network connection, you should open your browser and attempt to access a web site. Your browser should be redirected to the registration web site and the registration page should be displayed (Network Registration screen shot). Once you successfully fill out the registration page, you will need to release and reestablish your IP address in order to get an address that can go to more than the registration page. If you do not know how to release and reestablish your address, taking the drastic measure of rebooting your machine and reconnecting to Corus will work.

HTTP Proxy Setting

HTTP traffic is blocked from leaving the Corus network. In order to access any web pages, you will have to configure your browser (and any other application that uses HTTP) to use the proxy. All modern browsers have an option similar to "Auto-detect proxy settings for this network". If you select this option in your browser, then you should be able to access web pages. If your browser does not auto-detect, then you can load or point your browser at the proxy script file http://wpad.bnl.gov/wpad.dat (sometimes referred to as a PAC file). If you continue to have problems, consult the ITD Web Proxy page.

Note: Once you disconnect from the Corus network and return to your usual network, you will have to reverse any changes that were made to your browser's configuration.

Employee Wireless Network

The Employee Wireless Network will give the user the same network connectivity (other than speed) as when connected to a physical network wall jack. The Employee wireless network uses encryption, and authentication using a CryptoCard is required to establish a connection. The Employee network is available anywhere the Corus network is available, but the SSID of the Employee network is not advertised. The Employee network SSID is "Adeona" after the Roman goddess who guides the child back home, after he or she has left the parental house for the first time. MAC Address registration and use of the HTTP proxy are also required on the Adeona network as above.

Using the Employee Network

Before you can use the Employee wireless network, there are some prerequisites that have to be met:

Prerequisites

  • You must have a CryptoCard account with ITD
  • You must have a wireless card that supports the 802.1x standard for port-based network access control
  • Your 802.1x implementation must support PEAP (Protected Extensible Authentication Protocol)
  • Your wireless card must support WEP (Wired Equivalent Privacy)

Adeona Setup

To connect to the Adeona network:

  • Define a new 802.1x configuration
  • Set the SSID (wireless network) of the configuration to Adeona
  • Set the User Name to the user name for your CryptoCard account
  • Set the authentication method to PEAP
    • If there is a place for an "Outer Identity" or something of that nature, leave it blank

Once you are set up as above, connect to the network. You should be prompted for your one-time-password (you will not get the challenge). If you successfully enter the password, then you should get connected. The first time (and maybe every time) you connect, you will have to accept the site's certificate. For more information, you can go to the ITD Wireless Access page (note that the information about the Employee network is only available from the internal BNL network or from Adeona).
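For a Linux client that uses wpa_supplicant, the Adeona settings above can be written as a network block. This is an added example, not configuration published by BNL or ITD. The inner method (GTC, a common choice for one-time passwords) and the CA certificate path are assumptions; ca_cert makes the client validate the site's certificate against a known issuer instead of accepting whatever is presented at connect time.

```shell
#!/bin/sh
# Added example: emit a wpa_supplicant network block for the Adeona settings.
# Assumed, not stated on the page: inner method GTC and the CA file location.

# adeona_network_block USER CA_CERT
#   USER     CryptoCard account user name
#   CA_CERT  path to the CA certificate that issued the site's certificate
adeona_network_block() {
    user=$1
    ca_cert=$2
    if [ -z "$user" ] || [ -z "$ca_cert" ]; then
        echo "usage: adeona_network_block USER CA_CERT" >&2
        return 2
    fi
    # A double quote or backslash would corrupt the quoted config strings.
    case "$user$ca_cert" in
        *'"'*|*'\'*) echo "invalid character in argument" >&2; return 1 ;;
    esac
    cat <<EOF
network={
    # The SSID is not advertised, so probe for it by name.
    ssid="Adeona"
    scan_ssid=1
    # 802.1X with dynamically generated WEP keys.
    key_mgmt=IEEE8021X
    eap=PEAP
    # No outer identity is set, and no password is stored:
    # the one-time password is requested at connect time.
    identity="$user"
    # Assumption: the inner method is GTC.
    phase2="auth=GTC"
    # Validate the server certificate against a known CA.
    ca_cert="$ca_cert"
}
EOF
}

# Example use (constructed values):
#   adeona_network_block jdoe /etc/ssl/certs/site-ca.pem >> wpa_supplicant.conf
```

Obtain the CA certificate file from ITD through a trusted channel before connecting.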

Conferences and Wireless

For meetings or conferences where there will be people attending who do not have a BNL Life or Guest Number, it is possible to obtain a "Conference Key" from the ITD Helpdesk (x5522). This "Conference Key" can be used in place of a Life or Guest Number during the registration process, thus allowing these people to complete the registration process.