
By author: Todd Gould

The Nuts & Bolts of Purple Air

WARNING: Techie Talk to follow!

Williams College Wireless provides convenience and mobility, but it also presents several security challenges. Security for 802.11 networks can be broken down into three categories: the authentication framework, the authentication algorithm, and data frame encryption. The technology behind Purple Air focuses on the authentication framework and data frame encryption.

[Figure: network diagram]

Current authentication in the 802.11 standard is focused more on WLAN connectivity than on verifying user or station identity. For enterprise wireless security to scale to hundreds or thousands of users, the current method of authentication must be replaced by an authentication framework that supports centralized secure user authentication.

Williams uses 802.1x on the network to better protect users from security breaches. Because wireless traffic is sent over the air, it is easy for someone to intercept it; 802.1x encrypts this traffic so that the data is more difficult to read. Encrypted traffic may still be intercepted, but it cannot be easily decoded.

The 802.1x standard is designed to enhance the security of wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. The actual algorithm that is used to determine whether a user is authentic is left open and multiple algorithms are possible.

Purple Air uses the Protected Extensible Authentication Protocol (PEAP), a protocol within the Wi-Fi Protected Access Enterprise certification software (WPA/WPA2), for message exchange during the authentication process.

PEAPv0/EAP-MSCHAPv2 is the technical term for what people most commonly refer to as “PEAP”. There are many variations of PEAP. Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world and is one of the reasons we chose to deploy it.

When connecting to Purple Air with 802.1X, a user (known as the supplicant) requests access to an access point (known as the authenticator). The access point forces the user (actually, the user’s client software) into an unauthorized state that allows the client to send only a PEAP start message. The access point returns a PEAP message requesting the user’s identity. The client returns the identity, which is then forwarded by the access point to the authentication server, which uses an algorithm to authenticate the user and then returns an accept or reject message back to the access point. Assuming an accept was received, the access point changes the client’s state to authorized and normal traffic can now take place.
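The exchange described above, as an added example that is not part of the original article or any vendor's code: a toy access point whose port stays unauthorized until the server accepts. All names, the account table and the `proof` field are hypothetical; in PEAP the credential check runs inside a tunnel between client and server, abstracted here as an opaque value the access point only forwards.

```python
from enum import Enum

class Port(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"

# Constructed accounts; stands in for whatever algorithm the server runs.
ACCOUNTS = {"student1": "opaque-proof-1"}

def auth_server(identity, proof):
    """Central authority: decides accept/reject for a forwarded identity."""
    ok = identity in ACCOUNTS and ACCOUNTS[identity] == proof
    return "accept" if ok else "reject"

class AccessPoint:
    """Authenticator: relays authentication messages, gates everything else."""

    def __init__(self, server):
        self.server = server
        self.port = Port.UNAUTHORIZED          # every client starts here

    def handle(self, frame):
        kind = frame["type"]
        if kind == "start":
            self.port = Port.UNAUTHORIZED      # a (re)start forces unauthorized
            return "identity-request"
        if kind == "identity":
            # Forwarded as-is; the access point does not judge the user.
            verdict = self.server(frame["identity"], frame["proof"])
            accepted = verdict == "accept"
            self.port = Port.AUTHORIZED if accepted else Port.UNAUTHORIZED
            return verdict
        # Normal traffic passes only once the port is authorized.
        return "forwarded" if self.port is Port.AUTHORIZED else "dropped"

def connect(ap, identity, proof):
    """Supplicant side: run the exchange, then try to send normal traffic."""
    trace = [ap.handle({"type": "data"})]      # sent before authenticating
    trace.append(ap.handle({"type": "start"}))
    trace.append(ap.handle(
        {"type": "identity", "identity": identity, "proof": proof}))
    trace.append(ap.handle({"type": "data"}))  # sent after the verdict
    return trace

if __name__ == "__main__":
    print(connect(AccessPoint(auth_server), "student1", "opaque-proof-1"))
    print(connect(AccessPoint(auth_server), "student1", "wrong"))
```

The second run shows the failure path: a reject leaves the port unauthorized, so the client's data frames are still dropped.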

Anyone with a Williams account can use 802.1x; however, there are restrictions on client technology:

OIT supports the following Operating Systems with 802.1x:
Microsoft Windows XP/Vista
Macintosh Mac OS 10.4.1 (Tiger) or later.

Other unsupported operating systems, such as Ubuntu, will work with Purple Air.

Williams’ implementation of 802.1x technology requires a wireless network card that supports Wi-Fi Protected Access (WPA/WPA2). Please refer to our online support page for additional information.


Some of the above information was drawn from Wikipedia. Wikipedia copyright notice.

Purple Help & Purple Air

The Office for Information Technology is excited to announce the launch of two new wireless network spaces, Purple Help & Purple Air.

Purple Help is the network we suggest all wireless users connect to first when arriving on campus. Once connected, launch a web browser of your choice and you’ll be redirected to our online support site for wireless. There our wireless community will find detailed instructions on how to connect to our new secure wireless network, Purple Air.

You may be asking yourself, “Why does the college want or need this new Purple Air wireless network thing?” This is a fair question that deserves an answer. Purple Air will offer very strong over-the-air security for the entire time a user is connected to campus wireless. The purpose is to make it nearly impossible for others to eavesdrop on you. We at OIT feel very strongly about protecting your identity from those who would use it for illegal or malicious purposes. The chances of this actually happening on our campus are likely low. However, as long as the possibility exists, we must provide a solution to protect against it.

Another driving force for Purple Air has been students’ dislike of having to log in to the wireless network through the captive web portal. Purple Air, once configured on a laptop, will automatically connect wireless users to the network. It will appear very similar to how a computer works when plugged into a wired network, albeit slower at times, depending on proximity to an access point. The only time a person should be asked to log back in is at the time of password expiration or manual password change. Windows users will have to reinstall the software utility we have provided on our Purple Help support page. Please visit http://purplehelp.williams.edu for detailed information about this exciting new change and how to use it.