Some customers choose to attach private Wireless Access Points to the campus network, typically to create private wireless service in locations not served by OIT Wireless Service. These private Wireless Access Points include both standalone hardware devices and software-based implementations that run on normal computers that have both Ethernet and Wireless interfaces.
The purpose of this document is not to describe what a Wireless Access Point does, or to provide detailed documentation for configuring one. (We assume that a customer who chooses to operate a private Wireless Access Point understands what the device does, and has documentation from the device's vendor.) Instead, this document is intended to describe just the issues specific to connecting a private Wireless Access point to Princeton University's campus network.
Although this document discusses private Wireless Access Points, it should not be construed as a statement of OIT support for these devices.
Our experience is that customers who purchase these devices and attach them to the campus network usually misconfigure them; this typically interferes with other wired and wireless network services on campus, sometimes creating widespread disruptions. Even when properly configured, often these devices degrade or disrupt network service, due to defects (e.g. bugs) in many models.
This document, and others referenced by it, are intended to reduce the likelihood of such events. This document is also intended to spell out some of the requirements and responsibilities involved in operating a private Wireless Access Point.
OIT does not support private Wireless Access Points; you are responsible for operating your private Wireless Access Point in a way that does not interfere with the operation of OIT's wired and wireless networks. If you cannot configure it to operate in such a way, you will have to disconnect it. It is quite common for misbehaving private Wireless Access Points to cause such widespread disruptions that we must turn off network service at the point where the misbehaving device is attached to the campus network. OIT support staff are not responsible for assisting you in configuring or troubleshooting your Wireless Access Point.
You should be aware that it is possible that your Wireless Access Point will interfere with other RF (radio frequency) services in the area, or fail to work due to such interference. Examples of other RF services might include nearby OIT Wireless Service, Temporary Visitor Wireless Network Access (TVWNA), or another person with her own private Wireless Access Point. It could even interfere with services unrelated to computing; e.g. cellular phones, or other Princeton University RF-based services. In the event your Wireless Access Point interferes with any of these services now or in the future, you may be required to disconnect your Wireless Access Point. Note that even if your own Wireless Access Point functions without interference today, it may not do so in your next office or dorm room, or as OIT Wireless Service is expanded to cover more areas, or if OIT Wireless Service is expanded to use additional radio frequencies, or other University RF-based services are deployed.
Individuals are not permitted to attach to the campus network any device operating as a Wireless Access Point in those University dormitories and apartment buildings where OIT Wireless Service is installed. (Such service is installed in all University dormitories, and in the majority of University apartment buildings.)
There may be some University apartment buildings where OIT Wireless Service is not currently installed. This restriction does not apply in those buildings at this time; it will apply if/when OIT Wireless Service is installed in those buildings.
When OIT becomes aware of any problem that involves a device operating as a Wireless Access Point that is attached to the campus network in violation of this policy, OIT will require that the customer disconnect it from the campus network, and not reconnect it in any building where this policy applies. If the device is later re-attached to the campus network in violation of this policy, the customer's use of the campus network may be blocked, and the matter referred to appropriate University disciplinary staff.
As per Princeton University Information Technology Resources and Internet Access -- Guidelines for Use, the following restriction applies to wireless access points installed by individuals:
"Wireless access points may not be installed by individuals in campus instructional, administrative, or service buildings without authorization from the department responsible for the area involved. If authorization is provided, the individual must comply with any rules regarding the wireless access point established by the department."
If there are multiple departments responsible for the area involved, you must obtain authorization from all of those departments, and comply with rules set by all of them.
Related to this restriction is the fact that if OIT wireless services are installed in the area, your wireless access point will significantly degrade the OIT service, as described in the following section.
When OIT becomes aware of any problem that involves a Wireless Access Point that is attached without such authorization, OIT will require that the customer disconnect it, and not reconnect it in any building where this policy applies. If the device is later re-attached in a manner that violates this policy, your network service may be blocked, and the matter referred to appropriate University disciplinary staff.
You should be aware that when you operate a private 802.11b or 802.11g Wireless Access Point, you significantly degrade performance for all customers using OIT Wireless Service and Temporary Visitor Wireless Network Access (TVWNA) in the same area covered by your private Wireless Access Point. The same is true for an 802.11n Wireless Access Point, if it is operated in the 2.4 GHz frequency range.
Even if the OIT services are not installed in your location at the time you install your private Wireless Access Point, if/when OIT services are expanded to cover your location, the performance problems will occur.
This is because there are not enough non-overlapping channels in the 2.4 GHz frequency range used by 802.11b/g/n. The services provided by OIT already use all available non-overlapping channels (and that's still not enough to provide the desired quality of service). No matter how you configure your private Wireless Access Point, it will interfere with those operated by OIT.
When this happens, there will be no obvious indication of it to you, to other customers, or to OIT. (I.e. it is unlikely anyone will immediately come knocking at your door to inform you of the problem.) Instead, everyone experiences poorer wireless performance and reliability for no apparent reason.
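The channel arithmetic behind the preceding paragraphs, as an added illustration (not OIT's code): with 2.4 GHz channels spaced 5 MHz apart and each about 22 MHz wide, only three of channels 1 through 11 can be used without overlap, and once those three are in use no remaining channel is clear. The 1/6/11 channel plan is assumed here as the set OIT would occupy.

```python
"""Why a private 2.4 GHz access point always overlaps channels already in use.
Added example, not OIT code. Center frequencies and the ~22 MHz occupied width
are the published 802.11b/g figures; which channels OIT occupies is assumed."""

CHANNEL_WIDTH_MHZ = 22          # 802.11b DSSS occupied bandwidth; 802.11g is similar
NORTH_AMERICAN_CHANNELS = range(1, 12)   # channels 12-14 are not used in the US


def center_frequency(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz channel (1-13 are 5 MHz apart)."""
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    if channel == 14:
        return 2484
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def clear_channels(in_use, candidates=NORTH_AMERICAN_CHANNELS) -> list:
    """Channels from `candidates` that overlap none of the channels in `in_use`."""
    return [c for c in candidates if not any(overlaps(c, u) for u in in_use)]


def max_non_overlapping(candidates=NORTH_AMERICAN_CHANNELS) -> list:
    """Greedy lowest-first selection of mutually non-overlapping channels."""
    chosen = []
    for c in candidates:
        if not any(overlaps(c, u) for u in chosen):
            chosen.append(c)
    return chosen


if __name__ == "__main__":
    plan = max_non_overlapping()
    print("non-overlapping plan:", plan)                   # [1, 6, 11]
    print("clear channels once the plan is in use:", clear_channels(plan))  # []
```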
OIT's experience is that the majority of Wireless Access Points attached by customers to the campus network have at one time or another caused serious network disruptions, interfering with many other customers. In other cases the Wireless Access Point functioned acceptably, but extended campus network service to wireless clients that in turn disrupted or degraded network service.
As with any device attached to the campus network and causing a serious disruption or degradation of network service, we disable network service to the offending device in whatever way is necessary to restore service to the remainder of the network.
In the case of a misbehaving Wireless Access Point, or a wireless client behind a private Wireless Access Point, we typically disable network service at the point where the Wireless Access Point is attached to the campus network. As a result, that location (e.g. dormitory room, apartment, office) may lack network service for an extended time (days). If you choose to attach a Wireless Access Point to the campus network, you should keep in mind that it is likely this will happen to you, perhaps repeatedly.
As with any device attached to the campus network, if the device repeatedly disrupts service, or repeatedly behaves in a way that degrades service to other customers, OIT may insist the device be permanently disconnected from the campus network. If the device is later re-attached and is again the source of a similar problem, your network service may be blocked, and the matter may be referred to appropriate University disciplinary staff.
When configuring your Wireless Access Point, you will need to specify what "network name" you would like your private wireless network to have. This is also known as its "SSID" (Service Set Identity).
This is the network name that wireless clients see, and select to join your private wireless network.
We recommend you name your wireless network after the hostname registered for your Wireless Access Point. For instance, if your Wireless Access Point is registered in the Host Database as jxydoe-wap.princeton.edu, then make your wireless network name jxydoe or perhaps jxydoe's network. Using the same name as your Wireless Access Point's hostname will help identify the wireless network to anyone who stumbles across it, and may be helpful for diagnostic purposes.
Be sure that you do not specify puwireless as your network name, or any network name that begins with puwireless. That wireless network name (a.k.a. SSID) is reserved for use by OIT Wireless Service. Other names that begin with that word are reserved for possible future use by OIT Wireless Service. If you were to name your private wireless network the same way, it would confuse clients who stumble across it, and could cause difficulty for users of OIT's service.
Also do not specify puvisitor as your network name, or any network name that begins with puvisitor. That wireless network name (a.k.a. SSID) is reserved for use by Temporary Visitor Wireless Network Access (TVWNA). Other names that begin with that word are reserved for possible future use by TVWNA. If you were to name your private wireless network the same way, it would confuse clients who stumble across it, and would cause difficulty for users of TVWNA service.
If your Wireless Access Point supports 802.11g (as do most sold since Spring 2003), it is important you configure it so that it does not interfere with existing 802.11b devices.
Any access point that includes 802.11g support should have a configuration setting that determines in which one of the following ways it will operate:
You must select one of the two latter choices; you must not configure the access point so that it operates in a way that is only compatible with other 802.11g equipment. Some vendors may refer to the third choice as enabling 802.11g's "protection mechanism"; it is important that the protection mechanism be enabled.
Misconfiguring this setting causes your access point to interfere with any other 802.11b equipment (both access points and clients) operating within its RF range on the same (or overlapping) channels. While you may not notice the problem, it allows the devices' transmissions to interfere with each other. That leads to more retransmissions for all devices, and therefore lower performance for all devices. In particular, it reduces performance for customers of OIT Wireless Service and Temporary Visitor Wireless Network Access.
Some vendors sell "Super G" Wireless Access Points, advertised as providing higher speed than 802.11b or 802.11g provides. "Super G" is a proprietary (non-standard) system that boosts speed by using three channels simultaneously. There are reports that "Super G" causes severe performance problems for any nearby 802.11b or 802.11g equipment.
Some vendors sell "802.11n" Wireless Access Points, advertised as providing higher speed than 802.11b or 802.11g provides. The IEEE is in fact drafting an 802.11n standard; it is expected to support higher speeds than the 802.11g standard. Currently 802.11n is still in draft and has not been finalized. You should be wary of any equipment advertised today as being "802.11n".
Industry reports during 2006 indicate that such "pre-standard" 802.11n equipment often causes severe performance degradation for other 802.11b and 802.11g equipment operating in the same area. This might be because 802.11n uses so much of the available channel space, or because there were design problems in the 802.11n drafts, or because there were implementation problems in the pre-standard 802.11n equipment.
If you install any "Super G" or so-called "802.11n" equipment, and it causes problems for any OIT-provided services, you may be required to disconnect it.
When you attach a private wireless access point to the campus network, you have also taken on some responsibility for any clients that use your wireless access point to gain access to the campus network and the Internet.
This is part of a basic principle: when a connection to the campus network is provided to you (e.g. in your dormitory room, in your office), you have some responsibility for the use made of the connection. This is easy to understand for a wired (e.g. Ethernet) connection: if devices attached to that Ethernet connection operate in ways that violate University policies or break the law, you may be held responsible. If you allow that Ethernet connection to be used by devices that are not eligible to be attached to the campus network, you may be violating University policies.
When you attach a wireless access point to an Ethernet connection, you are in effect extending the availability of that network connection to any wireless devices within radio range of the wireless access point. Since that range can be hundreds of feet in all directions, it may encompass a substantial volume, perhaps even extending outside the physical boundaries of the University.
As the wireless access point redistributes your campus network access to other devices, you may be held responsible for the activities of any devices that connect to the network via your wireless access point, even if they do so without your explicit permission. By redistributing your network connectivity with a wireless access point, you've implicitly taken on some responsibility for devices that make use of the network service you have chosen to provide. If those wireless devices disrupt network service or otherwise are the source of network problems, we may turn off network service at the point where your wireless access point is attached to the campus network.
Before attaching a private wireless access point to the campus network, you may wish to consider the ramifications of the additional responsibilities this implies. If you do choose to attach a wireless access point, you would be well-advised to take all possible measures to limit the service it provides to only devices you can be assured will operate in accordance with University guidelines and with the law. Measures we strongly suggest you take include:
Enable encryption on your wireless access point. This allows you to create a network password; to connect to your wireless access point, a wireless client will need to specify this password.
All access points available today support a form of encryption called WEP (Wired Equivalent Privacy). Many access points sold since mid-2003 also support a newer form of encryption called WPA (Wi-Fi Protected Access).
All access points and wireless clients available today support WEP.
You may be able to choose between 40-bit WEP and another version that uses more bits (often labelled 104-bit or 128-bit) for its secret key. All devices that support 40-bit WEP should be able to interoperate. Some that claim to speak 128-bit WEP may not be able to interoperate, due to differing interpretations of what "128-bit WEP" means. As WEP can be cracked in essentially the same amount of time regardless of which version you use, longer key lengths do not add any additional security.
When specifying a password for your wireless network, do not use the same password you assigned to protect the wireless access point's configuration, nor the same password you use for any other system or computer account. It is easy for an unscrupulous person to discover your wireless network's password by "snooping" on its radio transmissions; programs are freely available that will capture your traffic, analyze it, determine the network password you used, then display both the network password, and your network traffic.
Note well that WEP is considered to be completely insecure; it has been "cracked." You should assume it provides no real privacy, access control, or integrity. However, it adds a level of inconvenience that prevents other wireless clients from unintentionally connecting to your wireless access point.
Many newer access points and wireless clients also support WPA. WPA is intended as a short-term replacement for WEP, addressing security deficiencies in WEP. (A longer-term replacement, 802.11i, is not yet generally available.)
If your access point and all your wireless clients support WPA, we recommend you use it instead of WEP. Because WPA is still relatively new, it is possible you will encounter WPA incompatibilities among different equipment.
When specifying a pass phrase for your wireless network, do not use the same pass phrase you assigned to protect the wireless access point's configuration, nor the same pass phrase you use for any other system or computer account. Also be sure to choose one more than twenty characters long; WPA pass phrases shorter than that may be more vulnerable to being cracked.
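A pre-flight check that encodes the network-name rules above (no name equal to or beginning with puwireless or puvisitor; a name derived from the registered hostname) together with the pass-phrase rules (more than twenty characters, not reused from the access point's admin password or any other account). This is an added example, not OIT's code; matching the reserved prefixes case-insensitively and stripping a trailing "-wap" from the hostname are assumptions of the example, not stated rules.

```python
"""Check a private access point's proposed SSID and WPA pass phrase against
the rules in this document. Added example, not OIT code. Case-insensitive
prefix matching and the '-wap' hostname convention are assumptions."""
from dataclasses import dataclass, field
from typing import Iterable, List

# Network names reserved for OIT Wireless Service and TVWNA (from the document).
RESERVED_SSID_PREFIXES = ("puwireless", "puvisitor")
MIN_PASSPHRASE_LEN = 21   # "more than twenty characters"
MAX_SSID_BYTES = 32       # 802.11 limit on SSID length


@dataclass
class CheckResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


def suggested_ssid(hostname: str) -> str:
    """Derive a network name from the registered hostname, e.g.
    'jxydoe-wap.princeton.edu' -> 'jxydoe'. Dropping a trailing '-wap'
    is an assumption about local naming, not a documented rule."""
    label = hostname.strip().lower().split(".")[0]
    if label.endswith("-wap"):
        label = label[: -len("-wap")]
    return label


def check_ssid(ssid: str) -> CheckResult:
    """Reject empty, over-long, and reserved-prefix network names."""
    problems = []
    if not ssid.strip():
        problems.append("network name is empty")
    elif len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        problems.append("network name longer than 32 bytes")
    lowered = ssid.strip().lower()   # assumption: compare case-insensitively
    for prefix in RESERVED_SSID_PREFIXES:
        if lowered.startswith(prefix):
            problems.append(f"network name begins with reserved name {prefix!r}")
    return CheckResult(not problems, problems)


def check_passphrase(passphrase: str, admin_password: str,
                     other_passwords: Iterable[str] = ()) -> CheckResult:
    """Apply the length and no-reuse rules for a WPA pass phrase."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append("pass phrase must be more than twenty characters")
    if passphrase == admin_password:
        problems.append("pass phrase reused as the access point's admin password")
    if passphrase in set(other_passwords):
        problems.append("pass phrase reused from another account")
    return CheckResult(not problems, problems)


def check_config(hostname: str, ssid: str, passphrase: str,
                 admin_password: str, other_passwords: Iterable[str] = ()) -> CheckResult:
    """Combine both checks and note when the SSID differs from the suggested one."""
    s, p = check_ssid(ssid), check_passphrase(passphrase, admin_password, other_passwords)
    problems = s.problems + p.problems
    if s.ok and not ssid.lower().startswith(suggested_ssid(hostname)):
        problems.append(f"consider naming the network after the host: {suggested_ssid(hostname)!r}")
    return CheckResult(not problems, problems)


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    result = check_config("jxydoe-wap.princeton.edu", "PUwireless-home",
                          "short", "admin-secret", ["admin-secret"])
    for line in result.problems:
        print("-", line)
```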
If your wireless access point supports it, configure it to restrict access to a list of wireless hardware addresses. Specify only the wireless hardware address(es) of your wireless client(s).
Wireless access points that support this feature do so in different ways. Some will truly prevent any unlisted clients from connecting to the wireless access point. Others will allow unlisted clients to connect to the access point and allow them to communicate with other wireless clients connected to the access point, but block the unlisted clients from communicating across the access point, to the Ethernet side (i.e. the campus network).
Note well that this does not provide any real security. An unscrupulous individual can still configure a wireless client to spoof another's hardware address, for example, a hardware address you have configured the access point to allow. However, this still adds a level of inconvenience that will at least prevent other wireless clients from unintentionally connecting to your wireless access point.
If your wireless access point supports it, configure it so it does not advertise its wireless network name (a.k.a. "SSID").
If your wireless access point advertises its wireless network name, wireless clients will display the network name for the user to select, perhaps even automatically selecting it for the user. By not advertising your wireless network name, you prevent the name from appearing in the client's list of wireless networks; the client must be told the network name (e.g. by you), and enter it manually in order to connect to your wireless access point.
Wireless access points that support this feature may refer to it by different names, for example:
Note well that this does not provide any real security. An unscrupulous individual can still discover your wireless network's name (SSID) by snooping on its radio transmissions. However, this step adds a level of inconvenience that will at least prevent other wireless clients from unintentionally connecting to your wireless access point.
There are anecdotal reports that when wireless access points are configured to not advertise their wireless network name, some wireless clients (perhaps only specific operating systems) have difficulty connecting. It's unclear if the reports are legitimate, or if this is simply due to misconfiguration of the wireless clients (e.g. entering the network name in uppercase while the access point uses lowercase, etc.). If you find that your wireless client is unable to connect to your access point despite configuring both correctly, you may have to reconfigure your access point to advertise its wireless network name.
Some Wireless Access Points have the ability to be configured to act as repeaters, or to redistribute (extend) service from a remote Wireless Access Point. While you are free to use this feature among your own wireless access point(s), it is unacceptable to use this feature to redistribute OIT Wireless Network Service or Temporary Visitor Wireless Network Access (TVWNA).
For example, say OIT Wireless Service is available in a location, but you want to extend the coverage area of OIT Wireless Service further than it would otherwise reach. You install your own Wireless Access Point within the coverage area of the OIT Wireless Service, and configure your Wireless Access Point to obtain its network service from OIT Wireless Service. Your Wireless Access Point then allows other wireless clients (or other private Access Points) to connect to it. This is unacceptable.
Redistributing OIT Wireless Service or TVWNA is unacceptable because:
Every Wireless Access Point functions either as a bridge or as a NAT (Network Address Translator, a.k.a. NAT Router). Some models are capable of functioning as either, based on the way you configure it. (It never makes sense to try to function simultaneously as a bridge and a NAT.)
The selection between a Wireless Access Point that functions as a bridge versus one that functions as a NAT is the most fundamental choice to make. Each approach has advantages and disadvantages. This section provides a summary of the differences between the two approaches, to help you decide which approach is best for you.
If acting as a bridge, a Wireless Access Point simply copies traffic back and forth between its Ethernet and Wireless interfaces. A data frame transmitted by a wireless client to the Wireless Access Point is simply retransmitted by the Access Point out its Ethernet interface; when the data frame arrives on the campus Ethernet, it still has the source hardware address of the wireless client (not that of the Wireless Access Point). The frame might contain any protocol, such as IP, AppleTalk, or IPX; the Wireless Access Point simply bridges the two networks transparently. Other than reformatting necessary to move the data between the two dissimilar media (Wireless and Ethernet), the Wireless Access Point does not rewrite the contents of the data frames. (Since IP addresses are contained within the data frames, they are not rewritten.) In fact, other devices on the Ethernet network cannot tell the difference between wireless devices behind the Wireless Access Point and Ethernet devices attached directly to the Ethernet wire. The Wireless Access Point acts as a transparent bridge between the two media. Because this approach is so simple, it doesn't interfere with communication software installed on the wireless devices.
If acting as a NAT, the Wireless Access Point operates in a very different way. Although it still copies data back and forth between its Ethernet and Wireless interfaces, it rewrites the data in each direction, and in fact blocks some of the data as well. When the Wireless Access Point receives a data frame from a wireless client and chooses to transmit the data out its Ethernet interface, the Access Point rewrites the data frame so it appears to come from the Access Point's Ethernet hardware address, and from the Access Point's IP address. When the frame arrives on Ethernet, it no longer has the source hardware or IP address of the wireless client. Only IP packets may be transmitted; other protocols (such as AppleTalk and IPX) do not travel across the Wireless Access Point. Other devices on the Ethernet network see only the Wireless Access Point; they do not see the wireless devices' hardware addresses or IP addresses. Because this approach is more complex, it can interfere with communication software installed on the wireless devices. However, in return it can provide benefits such as sharing one IP address among multiple wireless devices, or providing DHCP service to wireless devices that might otherwise have been ineligible to receive DHCP service.
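A small model of the two forwarding behaviours just described, added here as an illustration (not vendor firmware or OIT code): the bridge hands frames across unchanged, so the campus side sees the wireless client's own hardware and IP address, while the NAT rewrites the source to its own Ethernet addresses, drops non-IP protocols, and delivers inbound frames only when they match a translation it created. All addresses are constructed documentation values.

```python
"""Bridge versus NAT forwarding, modelled on the description above.
Added example, not vendor or OIT code; addresses and the port-mapping
scheme are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    proto: str                      # "IP", "AppleTalk", "IPX", ...
    src_ip: Optional[str] = None    # only meaningful when proto == "IP"
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


class Bridge:
    """Transparent bridge: frames cross unchanged in both directions, any
    protocol, with the wireless client's own addresses still in them."""

    def to_ethernet(self, frame: Frame) -> Frame:
        return frame

    def to_wireless(self, frame: Frame) -> Frame:
        return frame


class Nat:
    """NAT router: outbound IP frames are rewritten to the access point's
    Ethernet hardware and IP address; non-IP frames never cross; inbound
    frames are delivered only if an outbound translation already exists."""

    def __init__(self, eth_mac: str, eth_ip: str, first_port: int = 40000):
        self.eth_mac, self.eth_ip = eth_mac, eth_ip
        self._next_port = first_port
        self._out: Dict[Tuple[str, int], int] = {}           # (client ip, port) -> public port
        self._in: Dict[int, Tuple[str, str, int]] = {}       # public port -> (mac, ip, port)

    def to_ethernet(self, frame: Frame) -> Optional[Frame]:
        if frame.proto != "IP":
            return None                 # AppleTalk, IPX, ... do not travel across a NAT
        key = (frame.src_ip, frame.src_port)
        port = self._out.get(key)
        if port is None:                # first packet of this flow: allocate a public port
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = (frame.src_mac, frame.src_ip, frame.src_port)
        # Campus Ethernet now sees only the access point's addresses.
        return replace(frame, src_mac=self.eth_mac, src_ip=self.eth_ip, src_port=port)

    def to_wireless(self, frame: Frame) -> Optional[Frame]:
        if frame.proto != "IP" or frame.dst_ip != self.eth_ip:
            return None
        entry = self._in.get(frame.dst_port)
        if entry is None:
            return None                 # unsolicited inbound traffic: no translation, dropped
        mac, ip, port = entry
        return replace(frame, dst_mac=mac, dst_ip=ip, dst_port=port)


# Constructed sample traffic (documentation addresses, not real hosts).
CLIENT = Frame("00:11:22:33:44:55", "00:de:ad:be:ef:00", "IP",
               "192.168.1.2", "198.51.100.7", 5000, 80)
REPLY = Frame("00:de:ad:be:ef:00", "00:aa:bb:cc:dd:ee", "IP",
              "198.51.100.7", "192.0.2.10", 80, 40000)


def compare() -> dict:
    """Run the same outbound frame through each mode and report what the campus side sees."""
    bridge, nat = Bridge(), Nat("00:aa:bb:cc:dd:ee", "192.0.2.10")
    via_bridge = bridge.to_ethernet(CLIENT)
    via_nat = nat.to_ethernet(CLIENT)
    return {
        "bridge_src": (via_bridge.src_mac, via_bridge.src_ip),
        "nat_src": (via_nat.src_mac, via_nat.src_ip, via_nat.src_port),
        "nat_passes_appletalk": nat.to_ethernet(replace(CLIENT, proto="AppleTalk")) is not None,
        "nat_reply_delivered_to": nat.to_wireless(REPLY).dst_ip,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```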
If you are considering using a Wireless Access Point that acts as a NAT, then before proceeding, you should familiarize yourself with what a NAT does, and what's involved in using one at Princeton. See Connecting a Private Network Address Translator to the Campus Network.
Trade-offs you should consider when deciding between operating a bridge or a NAT include:
Running a NAT provides different services to the wireless clients than they would receive had they been attached to the Ethernet network to which the Wireless Access Point is attached. For example, assuming the NAT has an embedded DHCP server (it normally does), it will provide DHCP service to the wireless clients; this may provide DHCP service to clients that would otherwise not have received such service had the Access Point been configured as a bridge. On the other hand, the quality of the DHCP service provided by the NAT may not be the same as OIT's service; it might not provide all the same information to the client.
OIT does not support diagnosing or resolving problems with software that functions correctly in the absence of a NAT, but fails to work across a NAT. If you encounter these problems, diagnosing and resolving them is entirely up to you.
If the Access Point belongs to a student and is attached to Dormnet, you must subscribe it to Dormnet; since there are no fees associated with Dormnet subscriptions, there is no charge for the device. Otherwise you must register it as an office device in the Host Database; most office devices are subject to the monthly Tigernet Host Charge.
The wireless clients behind the NAT do not need to be subscribed to Dormnet (or registered as office devices). (However, if these clients will sometimes be attached to the campus network in other locations, they would need to be subscribed to Dormnet or registered as office devices.)
The Access Point should be registered in the Host Database as an office device (regardless of whether it belongs to a student and is used in Dormnet) as described below.
The wireless clients behind the bridge must be registered in the Host Database; they do need to be subscribed to Dormnet (if they belong to a student and the Access Point is attached to Dormnet), or registered as office devices.
OIT may periodically check devices registered as bridges in the Host Database, to verify that they are indeed operating only as bridges (e.g. not as NATs). Because bridges are free while NATs are often not, it is a violation of OIT policy to register a device as a bridge while it in fact operates as a NAT.
Your private Wireless Access Point must be registered in the Host Database. The proper procedure varies depending on whether it functions as a NAT or as a bridge.
Simply registering the device as a bridge doesn't cause it to behave as a bridge; similarly, simply registering it as a NAT doesn't cause it to behave as a NAT. How the device actually behaves depends on the device itself (and in some cases, how you have configured the device). When you register the device in the Host Database, you tell OIT how the device behaves.
It is your responsibility to ensure that it is properly registered given the function it performs; if you choose to replace it or reconfigure it later to perform differently, you are responsible for changing its registration appropriately.
If the Wireless Access Point will function as a NAT (not a bridge), follow the instructions in Connecting a Private Network Address Translator to the Campus Network to register it in the Host Database.
If the Wireless Access Point will function as a bridge (not a NAT), follow these instructions to register it in the Host Database:
We do not normally record locations of devices in dorm rooms or apartments, as requiring customers to update these location fields as they relocate yearly is burdensome, particularly for BRIDGEs (as the Host Database entry will be locked).
If the Wireless Access Point is not located in a dorm room or apartment, specify accurate BUILDING and ROOM fields.
If you are not a student or the Wireless Access Point does belong to a University department, then specify an accurate DEPARTMENT-NUMBER field.
If you are not a student or the Wireless Access Point does belong to a University department, specify an accurate University account number for the ACCOUNT-NUMBER field.
Assuming you follow the rest of the instructions in this document, there will be no Tigernet Host Charge for the Wireless Access Point configured as a bridge.
When you register the device in the Host Database with an ENTRY-TYPE of BRIDGE and specify that it should be assigned an IP address, OIT may choose to assign to it an IP address that is blocked from reaching the Internet. As there should be no need for a bridge to communicate with the Internet, this does not reduce the bridge's functionality, and has no effect on the ability of devices behind the bridge to reach the Internet. To prevent the device from reaching the Internet via OIT VPN Service, it may also be blocked from communicating with OIT VPN Service. This practice helps discourage mis-registering a host or Network Address Translator as a BRIDGE to avoid paying the Tigernet Host Charge typically assessed other devices such as hosts or NATs. (If the device actually is a host or a NAT and you mis-register it as a BRIDGE, this inability to reach the Internet will limit its functionality.)
When you register the device in the Host Database with an ENTRY-TYPE of BRIDGE, OIT will generally "lock" the Host Database entry. This ensures the entry's IP address (if any) or ENTRY-TYPE (or in fact any field in the entry) cannot be changed without OIT's intervention. If after registering a device as a BRIDGE, you later decide you want to configure it to be a NAT, but find its Host Database entry is locked, send email to hostmaster@princeton.edu describing the change to the Host Database entry you wish to make.
Sometimes we are asked why OIT does not recommend specific Wireless Access Point (WAP) models that will work acceptably with the campus network.
We do not do so for several reasons:
Most customers who choose to install their own private wireless service do so because they want service in a location not yet covered by OIT's services.
As OIT is not currently funded to install wireless service campus-wide, the service is currently installed in those locations where funding has been available, and in those academic and administrative buildings where department(s) in the building have decided to pay OIT to install the service.
Departments in buildings not currently served by OIT Wireless Service and TVWNA and considering purchase of private wireless access points would be better advised to have OIT expand service to their buildings. Given the difficulties caused by private WAPs on the campus network and the labor expended in handling these problems, any short-term cost-savings experienced by the department are likely offset by the additional long-term costs to the University.
Given that OIT does not support private WAPs, and discourages their use, devoting OIT labor to helping customers who insist on using private WAPs anyway does not seem prudent.