Strategies for Wireless Networks at Penn
The University of Pennsylvania's wireless network environment is complex and rapidly evolving. Wireless service at Penn is provided via multiple networks, including AirPennNet, the University's enterprise wireless (Wi-Fi) network; AirPennNet-Guest, an alternate Wi-Fi "guest" network for campus visitors; and AirPennNet-Help, a wireless network that is used to configure devices and provide an "on-boarding" service to connect end-user devices. AirPennNet and AirPennNet-Guest wireless, or other special purpose wireless networks, can also support the "Internet of Things", which provides wireless access for devices that are not typically associated with frequent end-user interaction (e.g. door locks, freezer monitoring nodes, and lighting controls).
AirPennNet, the University's enterprise wireless (Wi-Fi) network, includes over 3600 wireless 802.11 a/b/g/n (2.4 and 5 GHz) capable access points (APs), which provide highly reliable network performance and wireless coverage in most campus buildings. During the fall 2013 semester, AirPennNet accommodated over 68,000 unique devices in a given month, with the number of devices trending to a monthly increase of 30% year-over-year. On average, there are now 1.94 devices per person connecting to AirPennNet on a daily basis, and this number is steadily rising.
Major drivers such as continuously increasing aggregate numbers of end-user devices and requests to connect other devices through the "Internet of Things" are beginning to impact radio frequency and network capacity planning around AP placement and network access. Devices that do not support secure connectivity, as well as wireless devices belonging to campus guests who do not have PennKeys, must connect to wireless via AirPennNet-Guest through some form of assigned PennKey or temporary code. There continue to be requests for much easier methods of providing low or unauthenticated access to the guest wireless network. An estimated 40,000 additional transient devices are brought onto campus each month. These additional guest devices could further affect wireless and Internet capacity if they were allowed to connect freely to open AirPennNet-related SSIDs.
ISC has begun addressing many of the key drivers surrounding campus wireless service. Through the course of industry research, design, installation, and testing with campus customers and wireless vendors, ISC has developed a set of strategies to address Penn's multi-faceted wireless needs. This document provides an overview of these strategies, which will be further developed as separate documents to provide greater detail where necessary.
Wi-Fi Networks - AirPennNet and AirPennNet-Guest
- Continue to provide dense wireless coverage and high-speed performance for end users and support incorporation of network-based resources into academic instruction.
- Increasing diversity and number of end-user devices per person.
- Increasing number of shared devices among end users.
- Increasing incorporation of network components in classrooms and meeting spaces.
- Increasing demands to accommodate network devices that interact with classroom technologies (projection devices) and that require peer-to-peer wireless access.
- Non-contiguous wireless coverage in some indoor spaces, as well as in large sections of outdoor areas.
- Network devices that interact with classroom technologies (projection devices) impact the overall performance of the wireless network, and these connectivity models do not scale in today's wireless architecture.
- Continue to address the rapid expansion of personal devices that connect to AirPennNet on a daily and monthly basis.
- Monitor wireless use, provide regular reports, and proactively meet with IT Directors in the Schools and Centers to recommend increased coverage and higher density 5 GHz AP installations to the appropriate building networks.
- All new AP installations should support coverage and density for 5 GHz devices, and there should be two Category 5E (Cat 5E) wires installed per AP. More APs will be required, which will also provide ample capacity to support future higher performance 802.11ac network installations.
- Provide wireless coverage for campus outdoor spaces with the highest volume and density of end users (Locust Walk, Hamilton Walk and Kaskey Park).
- Undertake evaluation and implementation of authentication infrastructure models recently approved by the Network Planning Task Force (NPTF). This includes the use of digital certificates for network authentication for shared end user devices (e.g. tablets or laptops).
- Undertake evaluation and implementation of future wireless features that support end user devices and applications that require network broadcast/multicast without impacting the general wireless infrastructure. These features could be available in late FY '15. Until such time, ISC will adopt a case-by-case approach to small requests.
- Prepare for advancements in wireless technology that can offer increased network speeds, specifically for Wi-Fi 802.11ac technology.
- There are two waves of the Wi-Fi 802.11ac technology on the industry horizon.
- The first wave of 802.11ac technology is currently available and is being offered by network vendors. In mid-June 2013 the Wi-Fi Alliance started to certify pre-standard 802.11ac products for interoperability purposes; the IEEE recently adopted the wave 1 standard in December 2013.
- The first wave can achieve network speeds in excess of 1Gbps.
- Most new end-user devices will be equipped with first wave interface cards in the next 3 to 6 months.
- The second wave, offering improvements in multiple device connectivity, will not be available until 2015.
- AirPennNet APs are all 802.11 a/b/g/n capable. Most APs currently installed at Penn today have hardware limitations that may require upgrades to 802.11ac in the next year, which is sooner than previously anticipated.
- ISC must balance the scope of installing best available first wave wireless technology versus waiting until the second wave of 802.11ac is available in 2016.
- Adopt a phased "best available technology" strategy for wireless network service that relies on a combination of 802.11ac and non-802.11ac AP hardware rather than delaying upgrades of all older AP hardware currently installed today.
- Continue ongoing evaluation of first wave 802.11ac technology with current vendor.
- Upon successful evaluation, select a date in FY14Q3 to begin installing 802.11ac APs in new locations or as upgrades to selected older 802.11 a/b/g/n APs in buildings with a higher density of devices.
- Delay full replacement of older 802.11 a/b/g/n APs until late FY'15.
- The decision to begin full replacement will be based on the impacts of AP hardware limits to operational service and the current status of Wave 2 technology.
- 802.11ac strategy should be revisited quarterly, or at shorter intervals as needed.
- Improve Wireless Internet Access for Guests of the Campus Community.
- Community requests for low- to no-barrier wireless guest access.
- Easier access to guest networks could lead to an increase in IT security incidents and changes in Penn's CALEA status.
- In FY'15, ISC will pilot a service with an ISP to connect the wireless guest network directly to the Internet along with port and access limits imposed at initial network connectivity. The NPTF recently approved ISC's estimates for this pilot. Possible outcomes include:
- Redesign guest network as separate and segmented IP network from PennNet IP space.
- Determine that user community must accept the current imposed requirements for guest access and provide no further capital investment to enhance that service.
Internet of Things/Operational Technology Devices
- Enable Internet of Things and Operational Technology (OT) device networks to coexist with end-user device wireless networks. Prepare the campus network to accommodate an increased number of OT devices and a larger-scale Internet of Things.
- Increasing demands to accommodate network devices not associated with end users, including operational technology (OT) devices that require wireless coverage in building hallways, basements and mechanical room spaces.
- Supporting the coming surge of OT devices on larger-scale "Internet of Things" networks will present challenges to Penn's current wireless network, due to issues of capacity or coexistence of multiple networks.
- Customers may perceive costs of installing a wireless OT device as lower than a wired network solution, although wired solutions may be less expensive.
- Securing OT devices on the network requires additional wireless infrastructure.
- Some spaces that house OT devices are unoccupied and have sources of Radio Frequency (RF) interference, which affects radio communication for wireless networks.
- OT devices historically have longer operating lifecycles that enable them to function over much older network technologies. This may present an impediment to upgrades to future wireless technologies.
- Most OT device technologies operate in the 2.4 GHz unlicensed spectrum and are connected to the Internet of Things network over Wi-Fi or other wireless networks such as Bluetooth, IEEE 802.15.4 Zigbee, or cellular network technologies.
- There is no clear ownership of other OT networks that are in pilot or in consideration for sensor and lighting control installations.
- Adopt the following procedures for OT Devices:
- Hardwire OT devices first when and wherever possible. Providing wired Ethernet or Power over Ethernet (PoE) connectivity to OT devices will offer the longest life cycle in the field for the network and OT hardware. In most cases the investment for initial wiring costs will be less than total operating costs of additional or duplicate supporting infrastructure.
- For those devices that cannot be wired, ensure that OT devices support a minimal acceptable specification, including at least:
- EAP-TLS device authentication.
- 5 GHz support (or committed support by calendar year 2020).
- As of December 2013, OT devices that meet technical requirements can connect to either the AirPennNet or the AirPennNet-Guest wireless network on a limited basis by using pre-authentication methods until supporting authentication infrastructure is available (late 2014).
- Support a subset of OT devices that meet future infrastructure requirements and upgrade intervals in order to avoid conflicts with network upgrades.
- Continue investigation of other wireless technologies and devices to either support a larger campus Internet of Things network or a co-mingling of different networks.
- Undertake evaluation and implementation of authentication infrastructure models recently approved by the Network Planning Task Force (NPTF). This includes the use of digital certificates for network authentication for OT devices.
- Work with Schools and Centers to identify and consult on in-building installations of OT devices. ISC can then account for either integration or coexistence of Internet of Things networks as it expands the AirPennNet service to one that has higher density of AP deployments.
- Develop wireless solutions for other devices that require network access but cannot access AirPennNet.
- Upon completion of all infrastructure upgrades, there still may be a subset of devices that cannot connect to AirPennNet.
- For OT Devices that cannot connect to AirPennNet/AirPennNet-Guest:
- Identify alternate wireless network technologies, such as Zigbee, Bluetooth and cellular networks. For example, ISC has been consulted on the integration of the Zigbee-based Contactless Door Locks Project in Gregory House.
- Partner with the network operators/owners to determine if they present any operational interference to AirPennNet or the carrier cellular networks (see Strategy on Distributed Antenna Systems document).
- School and Center IT staff should partner with ISC and Acquisition Services to adopt a policy to support network specifications to avoid bypass of the AirPennNet authentication infrastructure.
- This policy should include review of common solutions by Schools or Centers before device purchases are made.
If you have any questions, comments, or concerns with this document, please send them to: firstname.lastname@example.org.