Hello there folks!
I am an entry level network administrator at a public university. I am assigned to work with the students who live on campus and assist them with any issues they have (wired or wireless). I have a fair amount of knowledge with many technologies, but little depth in most of them. Jack of all trades, master of none type of deal.
One of my most common requests is to help students play online games such as Call of Duty or Rainbow 6: Siege with the same solid connectivity they are familiar with having from when they live at home. However, users rarely understand that an enterprise network is very different than a home network.
We currently have a solution for these students in place, but we certainly have the understanding that this is FAR from best practice and it requires a ton of manual labor. I will describe my process as well as I can to include the types of network devices we use at this university.
To resolve a student's online gaming woes, we ask that they connect to our wireless gaming SSID (Cisco 3502 AP's, Cisco 5508 controllers). This SSID is secured by PSK with the key posted on university intranet website---certainly not secure but we didn't feel comfortable with an open SSID. The users then submit their MAC and IP address through an online form on our website. Once we receive the MAC and IP, I go through four basic steps:
1) Create a DHCP reservation for the user on our Windows NPS, verifying that the information they sent us is correct by just double checking the IP lease to make sure the MAC they gave us is the MAC we see. I then add the ticket number in the description of the DHCP reservation.
2) Create a 1 to 1 NAT on our Palo Alto firewall, giving the user a public IP address from a pool of available addresses.
3) Add the user's IP address to an address group that belongs to a security rule allowing common inbound game ports that are listed on different sites (3074 for Xbox, 6112 for Blizzard, etc)
4) Contact user to verify connection is working.
Honestly, each request doesn't take that much time but in the world of networking I know fully well that a more experienced administrator would have this as a solved problem and an afterthought. I have processed over 300 of these requests this year, and I imagine I am just now approaching the threshold where if I spent every bit of that time working on a way to automate this, I would be breaking even.
A few notes:
-
The current process we are following is a suggested resolution posted on the Palo Alto forums from other folks dealing with the same issues. To me, it just seems like a band-aid fix and not really a solution.
-
We have considered just handing out public IP's to these folks, but our gaming SSID with PSK currently has 2100 devices connected to it (needless to say these are NOT all gaming devices, since users get cheeky and start punching the PSK into devices that have 802.1x capability). Since we have a /19, we technically have the room to accommodate all these users but with the subnets we have remaining available we will be cutting it too close for comfort.
-A colleague has suggested ipv6 as a solution, but I have a huge knowledge gap I need to overcome to get there. I have not been able to figure out if this solution is worth pursuit and would absolutely appreciate input on that.
At the end of the day, we have two challenges at hand:
1) How do we balance security and convenience for these users to get their non 802.1x devices onto the network? PSK just kind of sucks for this use-case, as we've found.
2) How can we efficiently ensure that game servers can initiate inbound connections to our students' devices without going through all the trouble of assigning each device a public IP one at a time?
Thank you for your time!
No comments:
Post a Comment