OIT Network Systems

Connecting a Private Wireless Access Point to the Campus Network

Some customers choose to attach private Wireless Access Points to the campus network, typically to create private wireless service in locations not served by OIT Wireless Service. These private Wireless Access Points include both standalone hardware devices and software-based implementations that run on normal computers that have both Ethernet and Wireless interfaces.

The purpose of this document is not to describe what a Wireless Access Point does, or to provide detailed documentation for configuring one. (We assume that a customer who chooses to operate a private Wireless Access Point understands what the device does, and has documentation from the device's vendor.) Instead, this document is intended to describe just the issues specific to connecting a private Wireless Access point to Princeton University's campus network.

Contents

  1. No Support
  2. Not Permitted in Dormitories or Apartment Buildings Where OIT Wireless Service is Installed
  3. Authorization Required in Some Buildings
  4. Private Wireless Access Points Degrade OIT Services in the Area
  5. Misbehaving Wireless Access Points Lead to Loss of Network Service
  6. Wireless Network Name (SSID, Service Set Identity)
  7. 802.11g vs. 802.11b
  8. Super G
  9. 802.11n vs. 802.11b, 802.11g, 802.11a
  10. 802.11ac vs. 802.11n, 802.11a
  11. Responsibility for Clients
    1. Enable Encryption
    2. Restrict Clients by Hardware Address
  12. Do not Redistribute (Extend) OIT Wireless Service or TVWNA
  13. Bridge versus NAT
  14. Host Database Registration
    1. Registering a Private WAP that acts as a NAT
    2. Registering a Private WAP that acts as a Bridge
  15. OIT Does not Test or Recommend WAP Models

No Support

Although this document discusses private Wireless Access Points, it should not be construed as a statement of OIT support for these devices.

Our experience is that customers who purchase these devices and attach them to the campus network usually misconfigure them; this typically interferes with other wired and wireless network services on campus, sometimes creating widespread disruptions. Even when properly configured, often these devices degrade or disrupt network service, due to defects (e.g. bugs) in many models.

This document, and others referenced by it, are intended to reduce the likelihood of such events. This document is also intended to spell out some of the requirements and responsibilities involved in operating a private Wireless Access Point.

OIT does not support private Wireless Access Points; you are responsible for operating your private Wireless Access Point in a way that does not interfere with the operation of OIT's wired and wireless networks. If you cannot configure it to operate in such a way, you will have to disconnect it. It is quite common for misbehaving private Wireless Access Points to cause such widespread disruptions that we must turn off network service at the point where the misbehaving device is attached to the campus network. OIT support staff are not responsible for assisting you in configuring or troubleshooting your Wireless Access Point.

You should be aware that it is possible that your Wireless Access Point will interfere with other RF (radio frequency) services in the area, or fail to work due to such interference. Examples of other RF services might include nearby OIT Wireless Service, Temporary Visitor Wireless Network Access (TVWNA), or another person with her own private Wireless Access Point. It could even interfere with services unrelated to computing; e.g. cellular phones, or other Princeton University RF-based services. In the event your Wireless Access Point interferes with any of these services now or in the future, you may be required to disconnect your Wireless Access Point. Note that even if your own Wireless Access Point functions without interference today, it may not do so in your next office or dorm room, or as OIT Wireless Service is expanded to cover more areas, or if OIT Wireless Service is expanded to use additional radio frequencies, or other University RF-based services are deployed.


Not Permitted in Dormitories or Apartment Buildings Where OIT Wireless Service is Installed

Individuals are not permitted to attach to the campus network any device operating as a Wireless Access Point in those University dormitories and apartment buildings where OIT Wireless Service is installed. (Such service is installed in all University dormitories, and in the majority of University apartment buildings.)

There may be some University apartment buildings where OIT Wireless Service is not currently installed. This restriction does not apply in those buildings at this time; it will apply if/when OIT Wireless Service is installed in those buildings.

When OIT becomes aware of any problem that involves a device operating as a Wireless Access Point that is attached to the campus network in violation of this policy, OIT will require that the customer disconnect it from the campus network, and not reconnect it (as long as it continues to operate as a Wireless Access Point) in any building where this policy applies. If the device is later re-attached to the campus network while operating as a Wireless Access Point in violation of this policy, the customer's use of the campus network may be blocked, and the matter referred to appropriate University disciplinary staff.


Authorization Required in Some Buildings

As per Princeton University Information Technology Policy, the following restriction applies to wireless access points installed by individuals:

"Wireless access points may not be installed by individuals in campus instructional, administrative, or service buildings without authorization from the department responsible for the area involved. If authorization is provided, the individual must comply with any rules regarding the wireless access point established by the department."

If there are multiple departments responsible for the area reached by the wireless access point's radio signal, you must obtain authorization from all of those departments, and comply with rules set by all of them. Keep in mind that this "area" may even extend to a neighboring building.

Related to this restriction is the fact that if OIT wireless services are installed in that area, your wireless access point will significantly degrade the OIT service, as described in the following section.

When OIT becomes aware of any problem that involves a Wireless Access Point that is attached without such authorization, OIT will require that the customer disconnect it, and not reconnect it in any building where this policy applies. If the device is later re-attached in a manner that violates this policy, your network service may be blocked, and the matter referred to appropriate University disciplinary staff.


Private Wireless Access Points Degrade and Disrupt OIT Services in the Area

Wireless services provided by OIT use the 2.4 GHz frequency range. They also use the 5 GHz frequency range in over half the University buildings (and this number is growing all the time).

You should be aware that when you operate a private Wireless Access Point in the 2.4 GHz frequency range, you significantly degrade wireless performance for customers using OIT Wireless Service and Temporary Visitor Wireless Network Access (TVWNA) in the same area covered by your private Wireless Access Point. In and near the many buildings where OIT's services also use the 5 GHz frequency range, operating your private Wireless Access Point in that frequency range will degrade service similarly.

Even if the OIT services are not installed in your location at the time you install your private Wireless Access Point, if/when OIT services are expanded to cover your location (or upgraded to use additional frequencies in your location), the performance problems will occur.

In some cases, the performance degradation may go as far as to completely disrupt wireless services for customers of the OIT services in that location.

You will make the problem even worse if you configure your wireless access point:

When this happens, there may be no obvious indication to you, your neighbors, or to OIT that your wireless access point is the source of the problem. (I.e. it is unlikely anyone will immediately come knocking at your door to inform you of the problem.) Instead, your neighbors experience poorer (or disrupted) wireless performance and reliability problems for no apparent reason.


Misbehaving Wireless Access Points Lead to Loss of Network Service

OIT's experience is that the majority of Wireless Access Points attached by customers to the campus network have at one time or another caused serious network disruptions, interfering with many other customers. In other cases the Wireless Access Point itself functioned acceptably, but extended campus network service to wireless clients that in turn disrupted or degraded network service.

As with any device attached to the campus network and causing a serious disruption or degradation of network service, we disable network service to the offending device in whatever way is necessary to restore service to the remainder of the network.

In the case of a misbehaving Wireless Access Point, or a wireless client behind a private Wireless Access Point, we typically disable network service at the point where the Wireless Access Point is attached to the campus network. As a result, that location (e.g. dormitory room, apartment, office) may lack network service for an extended time (days). If you choose to attach a Wireless Access Point to the campus network, you should keep in mind that it is likely this will happen to you, perhaps repeatedly.

As with any device attached to the campus network, if the device repeatedly disrupts service, or repeatedly behaves in a way that degrades service to other customers, OIT may insist the device be permanently disconnected from the campus network. If the device is later re-attached and is again the source of a similar problem, your network service may be blocked, and the matter may be referred to appropriate University disciplinary staff, as per OIT's Three Strikes Practice for Network Disruptions.


Wireless Network Name (SSID, Service Set Identity)

When configuring your Wireless Access Point, you will need to specify what "network name" you would like your private wireless network to have. This is also known as its "SSID" (Service Set Identity).

This is the network name that wireless clients see, and select to join your private wireless network.

We recommend you name your wireless network after the hostname registered for your Wireless Access Point. For instance, if your Wireless Access Point is registered in the Host Database as jxydoe-wap.princeton.edu, then make your wireless network name jxydoe, or perhaps jxydoe's network. Using the same name as your Wireless Access Point's hostname will help identify the wireless network to anyone who stumbles across it, and may be helpful for diagnostic purposes.

Be sure that you do not specify puwireless as your network name, or any network name that begins with puwireless. That wireless network name (a.k.a. SSID) is reserved for use by OIT Wireless Service. Other names that begin with that word are reserved for possible future use by OIT Wireless Service. If you were to name your private wireless network the same way, it would confuse clients who stumble across it, and could cause difficulty for users of OIT's service.

Also do not specify puvisitor as your network name, or any network name that begins with puvisitor. That wireless network name (a.k.a. SSID) is reserved for use by Temporary Visitor Wireless Network Access (TVWNA). Other names that begin with that word are reserved for possible future use by TVWNA. If you were to name your private wireless network the same way, it would confuse clients who stumble across it, and would cause difficulty for users of TVWNA service.


802.11g vs. 802.11b

If your Wireless Access Point operates in the 2.4 GHz frequency range and supports 802.11g, 802.11n, or 802.11ac, it is important you configure it so that it does not interfere with existing 802.11b devices operating in the 2.4 GHz frequency range.

Any 802.11g access point should have a configuration setting that determines in which one of the following ways it will operate:

You must always select the last choice above. Some vendors may refer to this choice as enabling 802.11g's "protection mechanism"; it is important that the protection mechanism be enabled.

Misconfiguring this setting causes your access point to interfere with any other older equipment (both access points and clients) operating within its RF range on the same (or overlapping) channels. While you may not notice the problem, it allows the devices' transmissions to interfere with each other. That leads to more retransmissions for all devices, and therefore lower performance for all devices. In particular, it reduces performance for customers of OIT Wireless Service and Temporary Visitor Wireless Network Access.

A wireless access point that cannot be made to operate in a way that includes compatibility for older equipment should not be used on the campus network.


Super G

Some vendors used to sell "Super G" Wireless Access Points, advertised as providing higher speed than 802.11b or 802.11g provides. "Super G" was a proprietary (non-standard) system that boosts speed by using three channels simultaneously. There are reports that "Super G" causes severe performance problems for any nearby non-Super G equipment that operates in the 2.4 GHz range.

If you install any "Super G" equipment, and it causes problems for any OIT-provided services, you may be required to disconnect it.


802.11n vs. 802.11b, 802.11g, 802.11a

If your wireless Access Point supports 802.11n, it is important you configure it so that it does not interfere with existing 802.11b, 802.11g, and 802.11a devices.

Any access point that has 802.11n support should have a configuration setting that determines in which one of the following ways it will operate. Some possibilities include:

You must select the last choice above; you must not configure the access point so that it operates in a way that lacks 802.11b, 802.11g, or 802.11a compatibility. It must operate such that it includes 802.11b, 802.11g, and 802.11a compatibility.

Misconfiguring this setting while using the 2.4 GHz frequency range causes your access point to interfere with any other 802.11b or 802.11g equipment (both access points and clients) operating within its RF range on the same (or overlapping) channels. Misconfiguring this setting while using the 5 GHz frequency range causes your access point to interfere with any other 802.11a equipment (both access points and clients) operating within its RF range on the same (or overlapping) channels. While you may not notice the problem, it allows the devices' transmissions to interfere with each other. That leads to more retransmissions for all devices, and therefore lower performance for all devices. In particular, it reduces performance for customers of OIT Wireless Service and Temporary Visitor Wireless Network Access.

An 802.11n wireless access point that cannot be made to operate in a way that includes compatibility for 802.11b, 802.11g, and 802.11a equipment should not be used on the campus network.


802.11ac vs. 802.11n, 802.11a

If your wireless Access Point supports 802.11ac, it is important you configure it so that it does not interfere with existing 802.11a and 802.11n devices.

Any access point that has 802.11ac support may have a configuration setting that determines in which one of the following ways it will operate. Some possibilities might include:

You must select either of the last two choices above; you must not configure the access point so that it operates in a way that lacks 802.11a or 802.11n compatibility. It must operate such that it includes 802.11a and 802.11n compatibility.

Misconfiguring this setting may cause your access point to interfere with any other 802.11a and/or 802.11n equipment (both access points and clients) operating within its RF range on the same (or overlapping) channels. While you may not notice the problem, it may allow the devices' transmissions to interfere with each other. That leads to more retransmissions for all devices, and therefore lower performance for all devices. In particular, it reduces performance for customers of OIT Wireless Service and Temporary Visitor Wireless Network Access.

An 802.11ac wireless access point that cannot be made to operate in a way that includes compatibility for 802.11a and 802.11n equipment should not be used on the campus network.


Responsibility for Clients

When you attach a private wireless access point to the campus network, you have also taken on some responsibility for any clients that use your wireless access point to gain access to the campus network and the Internet.

This is part of a basic principle: when a connection to the campus network is provided to you (e.g. in your dormitory room, in your office), you have some responsibility for the use made of the connection. This is easy to understand for a wired (e.g. Ethernet) connection: if devices attached to that Ethernet connection operate in ways that violate University policies or break the law, you may be held responsible. If you allow that Ethernet connection to be used by devices that are not eligible to be attached to the campus network, you may be violating University policies.

When you attach a wireless access point to an Ethernet connection, you are in effect extending the availability of that network connection to any wireless devices within radio range of the wireless access point. Since that range can be hundreds of feet in all directions, it may encompass a substantial volume, perhaps even extending outside the physical boundaries of the University.

As the wireless access point redistributes your campus network access to other devices, you may be held responsible for the activities of any devices that connect to the network via your wireless access point, even if they do so without your explicit permission. By redistributing your network connectivity with a wireless access point, you've implicitly taken on some responsibility for devices that make use of the network service you have chosen to provide. If those wireless devices disrupt network service or otherwise are the source of network problems, we may turn off network service at the point where your wireless access point is attached to the campus network.

Before attaching a private wireless access point to the campus network, you may wish to consider the ramifications of the additional responsibilities this implies. If you do choose to attach a wireless access point, you would be well-advised to take all possible measures to limit the service it provides to only devices you can be assured will operate in accordance with University guidelines and with the law. Measures we strongly suggest you take include:
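The requirements this page states in its Wireless Network Name section, its 802.11g/n/ac compatibility sections, and the client measures named in the contents (Enable Encryption, Restrict Clients by Hardware Address) can be checked mechanically before the device is attached. The following is an added example, not OIT's code and not taken from any vendor's documentation. It assumes a software access point run with hostapd (the page names no product), that the options ssid, hw_mode, supported_rates, require_ht, require_vht, wpa, rsn_pairwise, macaddr_acl and accept_mac_file carry their hostapd.conf meanings, and that the two sample configurations are constructed for the demonstration.

```python
"""Audit a hostapd-style access-point configuration against the requirements
on this page: SSID naming, compatibility with older 802.11 clients, encryption,
and restricting clients by hardware address. Added example, not OIT's code;
hostapd is an assumption (the page names no product) and both sample
configurations below are constructed."""

RESERVED_SSID_PREFIXES = ("puwireless", "puvisitor")   # reserved per this page
# hostapd lists rates in units of 100 kbit/s; these four are the 802.11b
# (DSSS/CCK) rates 1, 2, 5.5 and 11 Mbit/s that a 'g-only' rate set leaves out.
LEGACY_B_RATES = {"10", "20", "55", "110"}


def parse_hostapd_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def suggested_ssid(hostname):
    """The page's advice: name the network after the registered hostname,
    e.g. jxydoe-wap.princeton.edu -> jxydoe (first label, '-wap' dropped)."""
    label = hostname.split(".")[0]
    return label[:-4] if label.endswith("-wap") else label


def audit(conf):
    """Return (severity, message) findings; an empty list means nothing found."""
    findings = []
    ssid = conf.get("ssid", "")
    if not ssid:
        findings.append(("error", "ssid is not set"))
    elif len(ssid.encode()) > 32:                      # 802.11 SSID limit
        findings.append(("error", "ssid is longer than 32 octets"))
    elif ssid.lower().startswith(RESERVED_SSID_PREFIXES):  # case-insensitive
        findings.append(("error", f"ssid '{ssid}' begins with a name reserved "
                                  "for OIT Wireless Service or TVWNA"))
    # Older-client compatibility: refusing stations without an HT (802.11n) or
    # VHT (802.11ac) PHY is the 'no compatibility' mode the page forbids.
    if conf.get("require_ht") == "1":
        findings.append(("error", "require_ht=1 rejects 802.11a/b/g clients"))
    if conf.get("require_vht") == "1":
        findings.append(("error", "require_vht=1 rejects 802.11a/n clients"))
    rates = set(conf.get("supported_rates", "").split())
    if conf.get("hw_mode") == "g" and rates and not rates & LEGACY_B_RATES:
        findings.append(("error", "supported_rates omits the 802.11b rates "
                                  "(g-only mode)"))
    # Encryption: bit 2 of 'wpa' enables WPA2/RSN; 0 or unset is an open network.
    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        wpa = 0
    if not wpa & 2:
        findings.append(("error", "encryption is off (set wpa=2 for WPA2)"))
    elif "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append(("warning", "rsn_pairwise allows TKIP; use CCMP only"))
    # Hardware-address restriction: macaddr_acl=1 admits only listed stations.
    if conf.get("macaddr_acl") != "1":
        findings.append(("warning", "macaddr_acl is not 1; clients are not "
                                    "restricted by hardware address"))
    elif not conf.get("accept_mac_file"):
        findings.append(("error", "macaddr_acl=1 but accept_mac_file is unset"))
    return findings


# Constructed sample: breaks several of the page's rules.
SAMPLE_WEAK = """\
interface=wlan0
bridge=br0
ssid=PUwireless-jxydoe
hw_mode=g
ieee80211n=1
require_ht=1
wpa=0
macaddr_acl=0
"""

# Constructed sample: the same access point brought into line.
SAMPLE_FIXED = """\
interface=wlan0
bridge=br0
ssid=jxydoe
hw_mode=g
ieee80211n=1
require_ht=0
supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CONSTRUCTED-placeholder-passphrase
rsn_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit(parse_hostapd_conf(text)) or "no findings")
```

Run stand-alone, it reports four findings for the weak sample (reserved SSID prefix, require_ht=1, no encryption, no hardware-address restriction) and none for the corrected one. The reserved-prefix test is case-insensitive, which is a stricter reading than the page's wording; the rate check only fires when supported_rates is set explicitly, since an unset value leaves hostapd's default rate set in place.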


Do not Redistribute (Extend) OIT Wireless Service or TVWNA

Some Wireless Access Points have the ability to be configured to act as repeaters, or to redistribute (extend) service from a remote Wireless Access Point. While you are free to use this feature among your own wireless access point(s), it is unacceptable to use this feature to redistribute OIT Wireless Network Service or Temporary Visitor Wireless Network Access (TVWNA).

For example, say OIT Wireless Service is available in a location, but you want to extend the coverage area of OIT Wireless Service further than it would otherwise reach. You install your own Wireless Access Point within the coverage area of the OIT Wireless Service, and configure your Wireless Access Point to obtain its network service from OIT Wireless Service. Your Wireless Access Point then allows other wireless clients (or other private Access Points) to connect to it. This is unacceptable.

Redistributing OIT Wireless Service or TVWNA is unacceptable because:


Bridge versus NAT

Every Wireless Access Point functions either as a bridge or as a NAT (Network Address Translator, a.k.a. NAT Router). Some models are capable of functioning as either, depending on how you configure them. (It never makes sense to try to function simultaneously as a bridge and a NAT.)

The selection between a Wireless Access Point that functions as a bridge versus one that functions as a NAT is the most fundamental choice to make. Each approach has advantages and disadvantages. This section provides a summary of the differences between the two approaches, to help you decide which approach is best for you.

If acting as a bridge, a Wireless Access Point simply copies traffic back and forth between its Ethernet and Wireless interfaces. A data frame transmitted by a wireless client to the Wireless Access Point is simply retransmitted by the Access Point out its Ethernet interface; when the data frame arrives on the campus Ethernet, it still has the source hardware address of the wireless client (not that of the Wireless Access Point). The frame might contain any protocol, such as IP, AppleTalk, or IPX; the Wireless Access Point simply bridges the two networks transparently. Other than reformatting necessary to move the data between the two dissimilar media (Wireless and Ethernet), the Wireless Access Point does not rewrite the contents of the data frames. (Since IP addresses are contained within the data frames, they are not rewritten.) In fact, other devices on the Ethernet network cannot tell the difference between wireless devices behind the Wireless Access Point and Ethernet devices attached directly to the Ethernet wire. The Wireless Access Point acts as a transparent bridge between the two media. Because this approach is so simple, it doesn't interfere with communication software installed on the wireless devices.

If acting as a NAT, the Wireless Access Point operates in a very different way. Although it still copies data back and forth between its Ethernet and Wireless interfaces, it rewrites the data in each direction, and in fact blocks some of the data as well. When the Wireless Access Point receives a data frame from a wireless client and chooses to transmit the data out its Ethernet interface, the Access Point rewrites the data frame so it appears to come from the Access Point's Ethernet hardware address, and from the Access Point's IP address. When the frame arrives on Ethernet, it no longer has the source hardware or IP address of the wireless client. Only IP packets may be transmitted; other protocols (such as AppleTalk and IPX) do not travel across the Wireless Access Point. Other devices on the Ethernet network see only the Wireless Access Point; they do not see the wireless devices' hardware addresses or IP addresses. Because this approach is more complex, it can interfere with communication software installed on the wireless devices. However, in return it can provide benefits such as sharing one IP address among multiple wireless devices, or providing DHCP service to wireless devices that might otherwise have been ineligible to receive DHCP service.
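To make the two behaviours described above concrete, here is an added illustration (not OIT's code, and not from any access point vendor) that models a bridging WAP and a NAT WAP on simplified frames. Every hardware and IP address in it is constructed, and the NAT's port-mapping table is a generic scheme rather than any particular device's implementation. It shows that the bridge relays a frame, AppleTalk included, with the wireless client's own source address intact, while the NAT passes only IP, rewrites the source to its own Ethernet identity, and returns inbound traffic to a client only when a mapping already exists for it.

```python
"""Bridge versus NAT: what the campus Ethernet side sees. Added illustration,
not OIT's code. Frames are simplified records; every address below is
constructed, and the NAT's port-mapping table is a generic scheme, not any
particular device's implementation."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    protocol: str                   # "IPv4", "AppleTalk", "IPX", ...
    src_ip: Optional[str] = None    # the IP fields apply to IPv4 only
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


class BridgeWAP:
    """Transparent bridge: every frame is relayed unchanged, whatever its
    protocol, so the campus side sees each wireless client's own addresses."""

    def wireless_to_ethernet(self, frame: Frame) -> Frame:
        return frame

    def ethernet_to_wireless(self, frame: Frame) -> Frame:
        return frame


class NatWAP:
    """NAT router: forwards IPv4 only, rewrites the source to its own Ethernet
    identity, and admits inbound traffic only for a mapping it created."""

    def __init__(self, eth_mac: str, eth_ip: str, first_port: int = 40000):
        self.eth_mac = eth_mac
        self.eth_ip = eth_ip
        self.next_port = first_port
        self.by_ext_port = {}   # external port -> (client mac, ip, port)
        self.by_client = {}     # (client ip, port) -> external port

    def wireless_to_ethernet(self, frame: Frame) -> Optional[Frame]:
        if frame.protocol != "IPv4":
            return None         # AppleTalk, IPX and the like never cross a NAT
        key = (frame.src_ip, frame.src_port)
        ext_port = self.by_client.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.by_client[key] = ext_port
            self.by_ext_port[ext_port] = (frame.src_mac, frame.src_ip,
                                          frame.src_port)
        # On the campus Ethernet the frame now appears to come from the WAP.
        return replace(frame, src_mac=self.eth_mac, src_ip=self.eth_ip,
                       src_port=ext_port)

    def ethernet_to_wireless(self, frame: Frame) -> Optional[Frame]:
        if frame.protocol != "IPv4" or frame.dst_ip != self.eth_ip:
            return None
        mapping = self.by_ext_port.get(frame.dst_port)
        if mapping is None:
            return None         # unsolicited inbound traffic is blocked
        client_mac, client_ip, client_port = mapping
        return replace(frame, dst_mac=client_mac, dst_ip=client_ip,
                       dst_port=client_port)


# Constructed sample traffic: a wireless client reaching a campus web server.
# (Behind a bridge the client's IP would be a campus-issued one; behind a NAT
# a private one. The same record is reused for both cases for brevity.)
CLIENT_MAC = "aa:aa:aa:00:00:01"
WAP_MAC = "bb:bb:bb:00:00:01"
SERVER_MAC = "cc:cc:cc:00:00:01"
REQUEST = Frame(CLIENT_MAC, SERVER_MAC, "IPv4",
                "192.0.2.10", "198.51.100.5", 51515, 80)
APPLETALK = Frame(CLIENT_MAC, "ff:ff:ff:ff:ff:ff", "AppleTalk")


def demo():
    """Return what each WAP puts on the campus Ethernet, plus what the NAT
    delivers back to the client for a reply and for an unsolicited packet."""
    bridge, nat = BridgeWAP(), NatWAP(WAP_MAC, "192.0.2.200")
    nat_out = nat.wireless_to_ethernet(REQUEST)
    reply = Frame(SERVER_MAC, WAP_MAC, "IPv4", "198.51.100.5", "192.0.2.200",
                  80, nat_out.src_port)
    unsolicited = replace(reply, dst_port=9999)   # no mapping exists for this
    return {
        "bridge": bridge.wireless_to_ethernet(REQUEST),
        "bridge_appletalk": bridge.wireless_to_ethernet(APPLETALK),
        "nat": nat_out,
        "nat_appletalk": nat.wireless_to_ethernet(APPLETALK),
        "nat_reply": nat.ethernet_to_wireless(reply),
        "nat_unsolicited": nat.ethernet_to_wireless(unsolicited),
    }


if __name__ == "__main__":
    for name, frame in demo().items():
        print(f"{name:17} {frame}")
```

The point for registration is visible in the output: behind the bridge the campus network sees the client's own hardware address and IP, exactly as if it were wired, whereas behind the NAT it sees only the WAP's, which is why the Host Database procedure differs between the two.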

If you are considering using a Wireless Access Point that acts as a NAT, then before proceeding, you should familiarize yourself with what a NAT does, and what's involved in using one at Princeton. See Connecting a Private Network Address Translator to the Campus Network.

Trade-offs you should consider when deciding between operating a bridge or a NAT include:


Host Database Registration

Your private Wireless Access Point must be registered in the Host Database. The proper procedure varies depending on whether it functions as a NAT or as a bridge.

Simply registering the device as a bridge doesn't cause it to behave as a bridge; similarly, simply registering it as a NAT doesn't cause it to behave as a NAT. How the device actually behaves depends on the device itself (and in some cases, how you have configured the device). When you register the device in the Host Database, you tell OIT how the device behaves.

It is your responsibility to ensure that it is properly registered given the function it performs; if you choose to replace it or reconfigure it later to perform differently, you are responsible for changing its registration appropriately.

Registering a Private WAP that acts as a NAT

If the Wireless Access Point will function as a NAT (not a bridge), follow the instructions in Connecting a Private Network Address Translator to the Campus Network to register it in the Host Database.

Registering a Private WAP that acts as a Bridge

If the Wireless Access Point will function as a bridge (not a NAT), follow these instructions to register it in the Host Database:

Office Device

Use the Add an Entry to the Host Database, for non-Dormnet devices form. Fill out the form as usual, keeping in mind these notes:

Dormnet Subscription

Use the Dormnet subscription forms as usual, paying particular attention to these notes:


OIT Does not Test or Recommend WAP Models

Sometimes we are asked why OIT does not recommend specific Wireless Access Point (WAP) models that will work acceptably with the campus network.

We do not do so for several reasons:


A service of OIT Network Systems
The Office of Information Technology,
Princeton University
Last Updated: November 26 2012