Overview
The Secure Wireless Service is intended to provide secure connectivity for clients with valid Tufts credentials (UTLN). The traffic will be secure as it leaves the wireless endpoint and is terminated on the Tufts wireless controllers. This new wireless network, (SSID: tufts-secure) does not require advanced registration - all that is needed is a valid Tufts SSO account.
IP addressing
Clients that connect to the Secure Wireless network will receive an IP address on private space. For access to resources on the Internet, traffic will look like it's coming from the IP address of the wireless controller which will be based on 130.64 network space. For services that live within the 130.64 netblock (such as Trunk and Exchange) there will be no manipulation of IP addressing.
How to Connect
It is easy to connect to the Tufts guest wireless network, as it is intended to be a public service to visitors on our respective campuses. A wireless device should see the wireless network SSID: tufts-guest and be able to connect instantly.
Technical Service Description
- This new SSID (tufts-guest) will be "open" to wireless clients like other public wifi hotspots and registration will not be required.
- There will be no restrictions for wifi protocol, as it will offer 802.11a/b/g/n (n where available) to Guest wireless users.
- This service is intended to allow "open" client guest access, and as such there will no tie in to the TUNIS/Host Registration System to the Guest Wireless infrastructure. The wireless controllers will be directly providing IP address assignment through DHCP, and these addresses will be inaccessible in the Proteus and Host Registration systems.
- Users wishing to access secure university assets, should continue to use the Tufts full wireless service via SSID "tuftswireless".
- Since the wireless controller will be performing NAT between the client and the rest of the network including the Internet, no inbound services will be available to guest users.
- Each device will have its bandwidth limited to 5Mbps download and 1Mbps upload.
- Only a subset of IP Ports and Protocols will be allowed out the wireless controller to the rest of Tufts and the Internet (see chart).
Network Ports Allowed On Guest Wireless Service (SSID: tufts-guest)
Protocol |
Port |
Description |
|---|---|---|
tcp |
21 |
FTP—control (command) |
tcp |
22 |
Secure Shell (SSH)—used for secure logins, file transfers (scp, sftp) and port forwarding |
tcp |
53 |
Domain Name System (DNS) |
udp |
53 |
Domain Name System (DNS) |
tcp |
80 |
Hypertext Transfer Protocol (HTTP) |
tcp |
88 |
Kerberos—authentication system |
udp |
88 |
Kerberos—authentication system |
udp |
123 |
Network Time Protocol (NTP)—used for time synchronization |
tcp |
143 |
Internet Message Access Protocol (IMAP)—management of email messages |
tcp |
389 |
Lightweight Directory Access Protocol (LDAP) |
tcp |
406 |
Interactive Mail Support Protocol |
tcp |
443 |
HTTPS (Hypertext Transfer Protocol over SSL/TLS) |
tcp |
444 |
SNPP, Simple Network Paging Protocol (RFC 1568) |
tcp |
446 |
DDM-RDB |
tcp |
447 |
DDM-RFM |
tcp |
465 |
URL Rendesvous Directory for SSM (Cisco protocol) |
udp |
500 |
Internet Security Association and Key Management Protocol (ISAKMP) |
tcp |
587 |
e-mail message submission (SMTP) |
tcp |
636 |
Lightweight Directory Access Protocol over TLS/SSL (LDAPS) |
tcp |
993 |
Internet Message Access Protocol over SSL (IMAPS) |
tcp |
995 |
Post Office Protocol 3 over TLS/SSL (POP3S) |
tcp |
1494 |
Citrix XenApp Independent Computing Architecture (ICA) thin client protocol |
tcp |
1723 |
Microsoft Point-to-Point Tunneling Protocol (PPTP) |
tcp |
1863 |
MSNP (Microsoft Notification Protocol), used by the .NET Messenger Service and a number of Instant Messaging clients – MSN Instant Messanger |
tcp |
3389 |
Microsoft Terminal Server (RDP) officially registered as Windows Based Terminal (WBT) |
tcp |
3653 |
Tunnel Setup Protocol |
udp |
3653 |
Tunnel Setup Protocol |
tcp |
5000 |
VTun—VPN Software |
tcp |
5050 |
Yahoo! Messenger |
tcp |
5190 |
ICQ and AOL Instant Messenger |
tcp |
5222 |
Extensible Messaging and Presence Protocol (XMPP) client connection --Google Talk (Jabber) |
tcp |
5223 |
Extensible Messaging and Presence Protocol (XMPP) client connection over SSL |
tcp |
5900 |
Virtual Network Computing (VNC) remote desktop protocol (used by Apple Remote Desktop and others) |
tcp |
8444 |
FireScope Management Interface. |
tcp |
10000 |
NDMP, Network Data Management Protocol. |
ah protocol |
|
Authentication Header |
esp protocol |
|
Encapsulating Security Payloads |
gre protocol |
|
Generic Routing Encapsulation |