Introduction
Purpose
To ensure the technical coordination required to provide the best possible wireless network for West Virginia University, this policy:
- provides the structure for a campus-wide implementation of wireless technology,
- identifies responsibility for the deployment and management of the wireless network,
- identifies the wireless protocols, security and devices in use on campus,
- identifies security measures and installation procedures.
Scope
This policy applies to all University staff, faculty, administrators, officers and students (collectively, “users”), including those on the regional campuses or Extended Learning sites with direct connections to the WVU network backbone.
Standard
Policy
The ITS Network Operations department will be solely responsible for the deployment and management of 802.11 and related wireless standards access points on campus. No other departments may deploy 802.11 or related wireless networks or wireless access points without coordination with Network Operations. This includes all intra-building and inter-building wireless LAN communications.
Wireless Local Area Networking using the IEEE 802.11 standard is a rapidly-evolving field. 802.11 wireless technology is by nature easy to deploy, but highly sensitive to interference and overlapping frequencies. In addition, information security can easily be compromised by misconfiguration of wireless equipment. Because of these characteristics, all wireless use at WVU must be planned, deployed, and managed in a very careful and centralized fashion to ensure consistent and reliable functionality, acceptable levels of performance, and all appropriate security and accountability features.
Standards and Implementation
All wireless infrastructure equipment shall consist of Cisco Aironet 1000-series or higher model Access Points or Bridges, or their direct replacements. In order to offer the greatest flexibility to our users in light of the wide variety of client devices and varying levels of need for secure communication, each access point shall support encrypted connections and may or may not also support an unencrypted mode.
Security Mode: | WPA-Enterprise or successor protocol |
---|---|
Encryption: | AES or successor protocol |
User Authentication: | IEEE 802.1X with Protected Extensible Authentication Protocol (PEAP) |
Client Limitations: | Some client pre-configuration is needed; not compatible with all hardware or operating systems |
The unencrypted network shall require user login but will not offer any data security; this connection mode is offered in order to support guest access, or users whose wireless equipment is not compatible with the secure network protocols.
Security Mode: | Authenticating Proxy |
---|---|
Encryption: | None |
User Authentication: | Mandatory logon via web browser (captive portal) |
Client Limitations: | Compatible with any wireless device with a web browser |
The secure and unencrypted wireless networks shall be configured in compliance with industry standard best practices for the relevant security models.
Security Infrastructure and User Accounts
The primary information source for wireless users shall be at https://wvu.teamdynamix.com/TDClient/KB/?. This site shall maintain a list of hotspots, client configuration guides for supported operating systems, instructions for activating wireless accounts, and any other information deemed necessary or appropriate.
All encrypted and unencrypted wireless users shall be authenticated against the WVU Login Active Directory. Login accounts are available for all University faculty, staff and students who have either a mail.wvu.edu or a mix.wvu.edu email address. Accounts must be activated prior to use as per instructions on the information web site.
Guest accounts will be created for visitors as needed. Requests for guest accounts may be directed to the Service Desk; or, if technology permits and at the discretion of Network Operations, concierge privileges may be delegated to the department level to allow guest account creation in real time.
Wireless Access Point Installation
All requests for new wireless deployments shall be placed through the ITS Service Desk, which will forward the request to Network Operations. Network Operations will coordinate with the requesting organization to analyze the requirements and expectations for the requested service, perform site surveys or other research as needed, and prepare a wireless design report and price quotation for the requesters to review and approve.
On receipt of the requesting organization’s Oracle funding number, or other mutually-acceptable funding method, Network Operations shall purchase any required equipment and arrange for physical installation of the devices. No wireless access point may be deployed to a generally-accessible location; all wireless equipment must be placed above ceilings or in similarly inaccessible locations, or must be secured within a wall-mounted locking enclosure.
Wireless Bridging
All building-to-building network connections, wired or wireless, are the responsibility of Network Operations. Secured wireless bridges may be proposed as a connection medium for sites where fiber-optic or DSL connections are impractical. All such scenarios will be reviewed by Network Operations on a case-by-case basis. Under no circumstances shall any building-to-building network connection be maintained by any organization other than Network Operations.
Ad-Hoc Networking
The use of 802.11 technology to directly link two PCs without the assistance of an access point can occasionally be a convenience but creates many potential security hazards. Ad-Hoc networking is discouraged at WVU: Users are advised to delete any Ad-Hoc network profiles on their systems unless they have a specific and immediate use for that style of wireless connection. Due to the security risks, Ad-Hoc wireless networks are forbidden at One Waterfront Place and in Stewart Hall.
Unauthorized Devices
All wireless infrastructure devices except those deployed under the auspices of Network Operations are forbidden on University property. Any such rogue devices already existing must be removed from service. When Network Operations locates a rogue access point on University grounds, the device will be disconnected and instructions to contact Network Operations will be left for the owner. Any rogue device which is returned to service in defiance of these instructions is subject to physical removal.
Wireless Support and Troubleshooting
All requests or trouble reports related to wireless networking shall be placed through the ITS Service Desk. Service Desk staff shall address all client-level help requests to the extent of their capabilities, with the understanding that uniquely difficult cases should be referred to the WVU TSC for assistance as a charged service. The Wireless Networking Coordinator will assist Service Desk staff with general understanding of wireless issues and troubleshooting methodology when requested. Access point failure or interruptions of wireless service shall be addressed by Network Operations as with any other network infrastructure outage.
Violations
Responsibility
The Associate Provost for Information Technology (CIO) is the policy administrator for information technology resources and will ensure this process is followed. Additionally, Deans, Directors and Department Heads are responsible for compliance with University policy within their respective administrative areas.
Exceptions
Exceptions to IT Standards will be considered using the IT Standard Exception Procedure.
Contacts
Policy Questions
Questions, concerns or additional information about this and any ITS policy should be directed to the CIO office at CIO@mail.wvu.edu.
Revision History
Policy Last Updated: April 27, 2007