Who this information is for
This information is for network managers in institutions on the University Data Network (UDN) that host University Wireless access points on their institutional network. It gives details about how the network needs to be configured to allow the access points to work.
What this information covers
This page describes features available on University Wireless access points to support extra functionality that some institutions may require, such as additional SSIDs or wired port configuration.
Information about using the management support network to connect the access points is described separately.
Local SSIDs
- University Wireless access points can be configured to support wireless networks (SSIDs) in addition to, the central service VLANs (eduroam, UniOfCam, UniofCam-Guest and UniOfCam-IoT).
- Each additional SSID creates a burden on the performance of the wireless network which affects all SSIDs, not just the additional ones. For this reason, their number and use should be limited.
- UIS strongly advises that services provided to users are not limited to 'internal' local SSIDs. This may inconvenience users when they roam outside the physical location of the institution.
- For all new requests for locally bridged SSIDs, client devices should support Wireless Protected Access 3 (WPA3).
- For bespoke short-term requests, like conference events, we require at least 4 weeks' notice. An extra charge for this service is also under consideration.
Create a new SSID
If your institution would like to create a new SSID service, you must provide the following information:
- What the ESSID (wireless network name) should be? We recommend that something identifying the institution should be used. For example, "Botolph's Guests" rather than just "Guest Network".
- Whether the ESSID should be announced in beacons or "hidden" from wireless network lists in client devices. This is not a security tool as the network can still be found by wireless snooping software or equipment but it can be used to hide a non-public network from being obviously selectable.
- What security should be used on the wireless side of the network? For example, none/open or WPA3-AES-SAE.
- Which access points the network should be available on? The default is all the access points within an institution. If it needs to be selectively available, some access points may need to be reconfigured and restarted. Usually, the affected access points should be grouped under a single zone in the Wireless Console.
- What 802.1Q VLAN ID should be used for the SSID? There are 3 options:
- For VLANs that are to be routed directly by the CUDN, UIS will allocate a Global VLAN ID. If this is an existing VLAN, that number will be used for it. This VLAN will need to be fed from the institution's Point of Presence (PoP) switch to the required access points.
- For VLANs that are routed inside (or otherwise private to) institutional networks, the VLAN ID can be selected by the institution but must come from the Local VLAN ID ranges. The institution will need to create this VLAN on their local network and feed it to the required access points. There could be a potential problem if this number conflicts with an internal number used by the wireless system. These numbers are gradually being freed up but if a clash occurs in the meantime, UIS will advise the institution to select another number.
- In some cases, the local SSID will be routed by the UIS centrally. In this case, traffic will be tunnelled over the management network and the VLAN ID will not need to be exposed to the institution, nor will any local configuration be required.
It should be noted that there is a maximum limit of 8 SSIDs per access point radio, including the various UniOfCam and eduroam ESSIDs, to avoid oversubscribing the access point and uplink network connection. Access points utilising the downlink-enabled port (for example, AP-505H) should also have less than 8 SSIDs.
Security settings for SSIDs
There are different options for security settings:
Open
An open network means no security. Open networks typically need some additional security provided internally, to limit or authenticate and authorise access further onto the network. Even if this is done, institutions should be aware that many devices will connect to any open network and attempt to gain internet access, possibly using local IP addresses. Traffic over open networks is not encrypted over the air, allowing it to be easily captured. Open networks are only allowed in exceptional circumstances.
WPA2-PSK (AES) / WPA3-SAE (AES) ("WPA3 Personal")
WPA2-PSK / WPA3-SAE use a single, shared key or passphrase known by all users. Here a single, shared key is used for all connecting users and traffic is encrypted over the air so that it cannot easily be captured (although someone with knowledge of the shared key can set up a fake access point to capture traffic).
These networks are only allowed in certain circumstances. Complex keys must be provided which should be long passwords, 12-15 characters, with a combination of upper and lower-case letters, numbers, and symbols to maintain strong security.
WPA3-AES ("WPA3 Enterprise") with Lookup
WPA3-AES use individual usernames and access passwords. This is essentially the same as eduroam (although the local network must be provided by the institution) but only a subset of users can connect to it. Access is controlled by a Lookup group.
Federated WPA3-AES
UIS servers proxy authentications to your institutional RADIUS servers. The local network must be provided by the institution:
- UIS will assist with setting up the proxying of RADIUS authentication requests by providing appropriate hostnames, shared secrets and other appropriate configuration
- The configuration of local RADIUS servers is the responsibility of the institution
- University Wireless will setting up the SSID and authentication
- The institution must specify an appropriate VLAN to bridge the traffic (except where the network is run by UIS)
- Appropriate logging must be maintained to comply with Janet rules and for security purposes to respond to requests from UIS Sec-Ops
Various legacy options are not available for security reasons on these networks. For example, WEP, WPA-TKIP-PSK and WPA-TKIP.
Limitations for locally-bridged networks
There are several limitations regarding locally-bridged networks:
- If a public shared key is used, this can only be changed by contacting the Wireless Team A date and time for a change can be coordinated, but it cannot be changed excessively.
- Access lists cannot be employed on locally-bridged networks, so they are essentially open.
- Usage of locally-bridged networks is not currently reported in the University Wireless Console, although it is logged for diagnostic and abuse purposes.
- The underlying network to which a locally-bridged network connects the client is the responsibility of the institution. Institutions must provide services for IP networking, DHCP, access control and logging, as appropriate.
- The access points have no ability to detect if the client VLAN has been fed correctly to them. If this has not been set up, the client will end up in an isolated network on that access point.
- There is no way to control the VLAN onto which individual clients are based. Each ESSID has its own VLAN, on a particular access point.
- Clients cannot be forcibly disconnected or banned from the network.
Remote access points (RAPs)
Remote access points are no longer supported by the University Wireless Service
Local switch using wired ports
By default, the wired ports on an access point are configured so that the first one is the uplink to the (untagged) management VLAN and no other ports are usefully active. On access points with multiple ports, for example the 505H (hospitality series) access points, each port can be configured in a manner similar to a switch. VLANs can be presented tagged or untagged on each port and traffic bridged locally between them.
To use this functionality, an institution will need to contact the Wireless Team with the desired configuration of each port. You will need to note the VLANs, tagged or untagged, stating which access points this configuration should apply to. Where necessary VLAN IDs will be allocated by Network Support.
Local VLAN bridging is also used to feed the traffic from local SSIDs into the institutional network.
Please note that, as stated above, LLDP-MED is not currently available to advertise a voice VLAN to a phone so this must be manually configured on a handset.
Pass-through ports
Some access points have a pair of ports labelled pass through. For example, on the AP-303H there is one on the back and one on the panel at the bottom. This is literally a direct electrical connection between the 2 ports, allowing a cable to be physically extended through to the other port. The access point does not interfere with the connection either to control VLANs nor supply Power over Ethernet. Nothing can be or needs to be configured, to use this facility.
Last updated: Jan 2024