Penn State Wireless Assist Criteria Checklist
1. Administration of the local wireless LAN
- Only an existing Administrative, Technical or Security contact in the applicable building may request Penn State Wireless Assist.
- The building in which the service is to be provided must have a designated wireless LAN contact for 1) administrative, 2) technical, and 3) security issues. Contact availability information must also be provided for coverage from 8 a.m. through 5 p.m., Monday through Friday.
- The intended coverage area for the wireless network utilizing Penn State Wireless Assist must be identified (either by room number or other adequate physical description) to permit reasonable troubleshooting support.
- Designation of the coverage areas must be kept up-to-date, with an annual review. Notification will be sent by ITS to the wireless LAN contact.
- The wireless LAN must be registered with ITS by the Administrative, Technical or Security contact.
2. Configuration of an access point
- No mechanism may be employed in the system that impedes any user with a valid Penn State Access Account from accessing the network in a manner consistent with Penn State Wireless Complete. (Examples include using MAC addresses or other addresses that prohibit access.)
- All access points on the Penn State Wireless Assist LAN segment must be compatible with IEEE standard 802.11b, include password protection as stated in University Policy AD20, have their SSID set to "pennstate", be configured in "bridging" mode, and have no local access controls other than the SSID.
- All management of the access points must be from secured wired management stations only.
3. Other technical items
While the use of VLANs as a software-configurable method of providing segmentation between wired and wireless LAN segments is not explicitly forbidden, their use for this purpose is discouraged. Because VLANs add a significant level of complexity to the LAN environment, and thus increase the likelihood of a misconfiguration, they add a level of unnecessary risk. Individual departments that elect to use VLANs for this purpose must be aware of the increased risk introduced by VLANs and set appropriate management controls to ensure that the risk is minimized.
- Individual departments are responsible for providing a separate wireless-only LAN segment with its own layer 3 interface. (This can be in the form of a port from a router for the LAN, or a separate connection to Penn State's Integrated Backbone.)
- If a customer-managed router is used to terminate the wireless LAN segments, the following access control list (i.e. filters) must be applied to the router interface that connects to the wireless LAN segment:
  - Allow packet forwarding from the wireless segment only for the IP address subnet that is assigned to the wireless LAN segment (source address filtering).
  - Allow packet forwarding for the DNS protocol only to the DNS server.
  - Allow packet forwarding for the DHCP protocol only to the DHCP server.
  - Allow packet forwarding for the NTP protocol to the appropriate NTP server.
  - Allow packet forwarding of all other ports and protocols only to the Penn State Wireless Complete VPN server appropriate to the campus, and any departmentally controlled VPN server that is administered in accordance with AD20. No departmentally controlled VPN may use the same Group Access name as the Penn State Wireless Complete VPN.
  - As described in RFC2644/BCP34, disable forwarding of packets addressed to the broadcast addresses of the directly connected subnets.
- If a local DHCP server is used to provide IP addresses for clients on the local wireless LAN segment, then that DHCP server must:
  - Be administered in accordance with AD20, and its logs must be maintained for at least one year.
- IP addresses assigned to wireless clients must use private address space acquired through TNS.
- IP addresses for LAN components (access points and switches) must be assigned from a subnet other than that of the wireless clients.
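The router access control list required above, modelled as a first-match rule set in Python so that a proposed filter can be checked against sample packets before it is applied to the router interface. This is an added illustration, not ITS's or the checklist's own configuration; the subnet and server addresses are constructed placeholders to be replaced with the site's real values.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder topology (not Penn State's real addressing).
WIRELESS_SUBNET = ip_network("10.10.0.0/24")   # wireless-only segment
WIRED_SUBNET = ip_network("10.20.0.0/24")      # another directly connected subnet
DNS_SERVER = ip_address("10.0.0.53")
DHCP_SERVER = ip_address("10.0.0.67")
NTP_SERVER = ip_address("10.0.0.123")
VPN_SERVERS = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}
# RFC 2644 / BCP 34: never forward to a directly connected subnet's broadcast.
CONNECTED_BROADCASTS = {n.broadcast_address for n in (WIRELESS_SUBNET, WIRED_SUBNET)}

PERMIT, DENY = "permit", "deny"


def evaluate(src, dst, proto, dport):
    """Evaluate one packet arriving on the wireless interface.

    Rules are tried in order and the first match wins, as on a router ACL.
    Returns (verdict, rule_name) so a rejected packet can be traced to the
    rule that stopped it. Note: the initial DHCP DISCOVER (0.0.0.0 ->
    255.255.255.255) is answered by the router's relay or local DHCP
    server and is not forwarded, so it never reaches this filter.
    """
    src, dst = ip_address(src), ip_address(dst)
    rules = [
        # source address filtering: only the wireless subnet may send
        ("deny spoofed source", lambda: src not in WIRELESS_SUBNET, DENY),
        ("deny directed broadcast", lambda: dst in CONNECTED_BROADCASTS, DENY),
        ("permit dns to dns server", lambda: dport == 53 and dst == DNS_SERVER, PERMIT),
        ("deny dns elsewhere", lambda: dport == 53, DENY),
        ("permit dhcp to dhcp server",
         lambda: proto == "udp" and dport == 67 and dst == DHCP_SERVER, PERMIT),
        ("deny dhcp elsewhere", lambda: proto == "udp" and dport == 67, DENY),
        ("permit ntp to ntp server",
         lambda: proto == "udp" and dport == 123 and dst == NTP_SERVER, PERMIT),
        ("deny ntp elsewhere", lambda: proto == "udp" and dport == 123, DENY),
        # everything else may go only to the VPN concentrator(s)
        ("permit other traffic to vpn server", lambda: dst in VPN_SERVERS, PERMIT),
        ("implicit deny", lambda: True, DENY),
    ]
    for name, matches, action in rules:
        if matches():
            return action, name
```

Running a handful of constructed packets through `evaluate` shows that a wireless client can reach DNS, DHCP, NTP and the VPN server but nothing else, and that a packet with a non-wireless source address is dropped before any service rule is consulted.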
I acknowledge that my wireless LAN is compliant with the Penn State Wireless Assist criteria. I understand that if this LAN is found to be noncompliant at any time, the service may be terminated without prior notification. Penn State Wireless Assist will not be reinstated unless the LAN fully meets the above criteria. In addition, I agree to register the wireless LAN at https://www4.tns.its.psu.edu/scripts/wnr.
Administrative Wireless Contact: ________________________________________________________
Date:____________________
Note: This form should accompany the TSR for Penn State Wireless Assist.
Last Reviewed February 2008