Document Information
Document Title: WiFi On The Move (OTM) Tech Spec
Document Version Date: 17/07/2017
Prepared By: Joe Nicastro
Preparation Date: 02/06/2017
Document Version No: V 1.1

Contents
Document Information
1 Introduction
2 Solution Overview
2.1 Capabilities
2.2 Coverage
2.3 Landing Page
3 Solution Options
3.1 Internet Access
3.2 Corporate Access
3.3 Wi-Fi Landing Page
4 Service Overview
4.1 Service Request
4.2 SLA
5 Why Us
1 Introduction
Over 76,000 staff work directly at Heathrow Airport. Together they look after 75 million passengers a year across 1,227 hectares. Yet most staff who need access to business applications to do their work are confined to workstations and fixed locations. With Commercial Telecoms Wi-Fi OTM, your staff can spend more time in front of passengers, work at the point of service and operate outside the boundary of a retail unit. It gives you a simpler way to build a foundation that supports enterprise-wide policies, strong security and an enhanced user experience.

For companies looking to introduce Machine to Machine (M2M) communications or Internet of Things (IoT) devices to support automation and self-service, Wi-Fi OTM enables these capabilities across the Heathrow estate.

Wi-Fi Landing Page is an optional service that complements Wi-Fi OTM. It lets you take ownership of your Wi-Fi landing page and display customised messages to your target user groups. Your users can recognise your genuine network from its landing page, which helps them avoid accidentally joining spoof networks.

2 Solution Overview
Wi-Fi OTM / Landing Page is a policy and guest management platform, a component of the Heathrow WLAN infrastructure, that lets you create and enforce policies extending to devices and applications on your corporate network. It complements the existing private SSID service available in tenants' demised areas. The service uses Aruba ClearPass to authenticate IT-provisioned and personal/guest mobile devices so that they connect securely to the appropriate network.

2.1 Capabilities
The Wi-Fi OTM service provides device-based network access control for staff, guests, passengers and contractors across wired, wireless and VPN infrastructure. You have granular control over your network and can grant access based on device type, location, time of day, user role or a combination of these.

Secure and manage all your devices: Ideal for large-scale mobile device deployments, Wi-Fi OTM and Landing Page let IT securely connect devices to an Internet or corporate network, wherever and whenever they are used.

Auto sign-on and you're good to go: Rather than requiring every user to log in manually each time they associate with the Wi-Fi network, Wi-Fi OTM remembers the device's network login and authenticates it automatically, so users can get to their mobile apps more quickly.

Secure wireless network access for guests and their mobile devices: Self-service guest access tailored to your organization's needs, with a simple, customizable visitor management system for wireless and wired users.
2.2 Coverage
Wouldn't it be nice if your Wi-Fi worked like cellular roaming, so that users could just power up their device and get online anywhere across the Heathrow estate? Our service makes this possible. Users can also connect in problematic areas such as Head of Stands and Check-In, where current SSID restrictions do not allow multiple airlines to connect to their own service, and roaming across the airport improves without deploying multiple SSIDs.

2.3 Landing Page
Landing Page offers airport tenants the ability to have specific web pages hosted by Heathrow on their behalf, supporting a range of use cases for their Heathrow-provisioned WLAN services: captive portal, guest sign-on and presentation of terms and conditions to guest users.

3 Solution Options
Wi-Fi OTM is available as two options:
1. Internet Access
2. Corporate Access

Service Element                 Internet Access                         Corporate Access
Authentication                  MAC address                             Username and password (802.1X)
Automatic reassociation         Yes, within terminal                    Yes, within terminal/apron
Wireless bandwidth per device   5 Mbps                                  5 Mbps
Wireless band                   A/G/N/AC                                A/G/N/AC
Wireless channel                All (outside limited to 3 on 5 GHz)     All (outside limited to 3 on 5 GHz)
SSID                            _Heathrow Wi-Fi, CT_Roaming             CT_Roaming
Coverage                        Everywhere the above SSIDs exist        As requested
Service                         Straight to Internet                    Customer's VPN
Backhaul lines                  Generic HAL BB 100 Mb                   Customer's BB (BT or HAL)
Splash page                     None                                    Available option
3.1 Internet Access
This option lets devices connect to any Heathrow public access point and reach the Internet automatically, using a pre-provisioned profile keyed on the device MAC address. No detailed network design is needed. Devices you would like to grant access to are added to the ClearPass appliances via a formalised request process and tested thereafter.

Example use case: engineering teams requiring Internet access to support their airport-wide work.

An airport flow and logistics systems company operating bag drop facilities at Heathrow Airport, referred to as Auto Bag Drop (ABD), now has facilities that let passengers check in baggage themselves by scanning their boarding pass and placing their luggage on the unit's conveyor belt, where the bag's size and weight are checked. A requirement for Internet access from staff handheld devices was a perfect opportunity for a solution like Wi-Fi OTM to establish connectivity for the customer. The service gave them a wireless Internet-only service providing up to 20 Mbps per user. This was achieved by applying a MAC authentication check to the existing Heathrow public Wi-Fi SSID as follows:
1. The MAC addresses of the devices are supplied to Commercial Telecoms.
2. The MAC addresses are added to a whitelist hosted on the HAL ClearPass servers.
3. The user connects to the specific Heathrow Wi-Fi SSID.
4. The WLAN controller forwards the device MAC address to ClearPass.
5. ClearPass checks the whitelist; if the device matches, it is placed on a separate VLAN that directs user traffic out to the Internet via the HAL broadband circuits.
6. If the device is not in the whitelist, it is placed on the existing WLAN VLAN(s) as normal.

Design topology (diagram not reproduced). Components shown: Aruba controller and ClearPass server; T5 access layer (VLAN 799 or 801 to controller); WANAGG distribution switches LHR6198wana-d1 and LHR5836wana-d2 (ports Gi8/0/33 and Gi9/0/33); core distribution switch (VLAN 969); LHRBB carrying VLANs 911, 916-919, 933, 955, 2045, 2048, 2049, 2145, 2148, 809, 818, 859, 869, 2022, 2025, 2044, 2046, 2047 and 2146; Arqiva routers to the Internet; public area APs broadcasting the _Heathrow Wi-Fi SSID; TERM distribution switch. Legend: fibre trunk link, UTP, BAA/customer responsibility demarcation.
3.2 Corporate Access
This option lets devices connect back to your corporate network at Heathrow and requires you to have a managed VPN/VLAN from Commercial Telecoms in place. A detailed network design is required, which takes into account your specific security and access requirements.

Example use case: airport staff with handheld scanners that need connectivity back to a corporate application.

Airline staff became the first customers of a new common SSID service, CT_Roaming, for their handheld devices in Terminal 2. These devices are logically placed onto an existing broadband VLAN used for the airline's staff and lounges. Wireless access is via the existing access points installed in T2A and T2B, on which the CT_Roaming SSID is deployed. The wireless controller places the airline handheld device(s) into the right role once ClearPass Policy Manager sends the enforcement result, based on matching attributes; a username and password configured on ClearPass Policy Manager form part of the enforcement attributes and network access control. Staff now connect to the common SSID CT_Roaming, which most if not all new wireless customers connect to. Segregation between the customers sharing CT_Roaming is achieved by giving each customer a dedicated VLAN (LAN/WLAN) and a unique ClearPass username and password.
3.3 Wi-Fi Landing Page
With Wi-Fi Landing Page we give you the opportunity to give your wireless service a professional, secure front door for your customers. A captive portal (splash page) lets customers have Internet access in designated areas such as lounges and retail units through a fully branded landing page. A suite of customizable options is available for businesses at Heathrow:
- Hosted landing pages for your Heathrow wireless solution
- Personalisation of standard pages, or your own HTML, to identify your business and your Wi-Fi network
- Ability to present terms of use and fair use policies
- Capture of user information for marketing purposes (in compliance with legal and data protection requirements)
- Optional bespoke HTML/CSS development for your pages

There are certain constraints on the service, outlined below; our dedicated team will define exactly what is required and agree the most feasible solution with you:
- Wi-Fi Landing Page is an optional service that complements Heathrow's wireless LAN and broadband solutions
- Size limitations for pages apply
- Comes with unbranded HTML pages with light customisation; full customisation available on request
- Ts & Cs, vouchers etc. are presented at the time of access
- Session restrictions apply (3 by default)
- Supported scripting: none allowed on the server side
- MAC caching for 24 hours
- No bandwidth limitations
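The three enforcement paths described in 3.1, 3.2 and 3.3 (MAC whitelist on the public SSID, per-customer username/password on CT_Roaming, and a 24-hour MAC cache in front of the captive portal) can be modelled as a single policy decision. The block below is an added example written for this page; it is not Heathrow, Commercial Telecoms or Aruba ClearPass code. The MAC addresses, credentials, VLAN IDs, the "Guest" SSID name and the request/decision shapes are constructed for the example, the real service definitions and RADIUS attribute names are not on the page, and the 802.1X credential check is simplified to a constant-time string comparison in place of the EAP inner method.

```python
"""Policy decisions for the Wi-Fi OTM / Landing Page paths (added example).

Models what the page says ClearPass does per SSID:
  _Heathrow Wi-Fi : MAC whitelist -> internet VLAN, else existing public VLAN
  CT_Roaming      : per-customer username/password -> that customer's VLAN
  Guest (assumed) : MAC cached within 24 h -> guest VLAN, else captive portal
All identifiers and values below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hmac
import re
from typing import Dict, Optional

# Constructed sample data (assumed values, not from the page).
INTERNET_WHITELIST = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
INTERNET_VLAN = 100          # assumed: VLAN that breaks out via HAL broadband
DEFAULT_PUBLIC_VLAN = 10     # assumed: existing public WLAN VLAN
CORPORATE_ACCOUNTS = {       # one credential and one dedicated VLAN per customer
    "airline-a-handhelds": ("s3cret-a", 200),
    "abd-engineering": ("s3cret-b", 210),
}
GUEST_VLAN = 300             # assumed: guest VLAN behind the customer's BB router
PORTAL_VLAN = 301            # assumed: walled-garden VLAN that serves the splash page
MAC_CACHE_TTL = timedelta(hours=24)   # section 3.3: MAC caching for 24 hours
T0 = datetime(2017, 7, 17, 9, 0, tzinfo=timezone.utc)   # constructed reference time


def normalize_mac(raw: str) -> Optional[str]:
    """Return a MAC as lower-case 'aa:bb:cc:dd:ee:ff', or None if it is not one.

    Controllers send Calling-Station-Id as 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff'
    or 'AA:BB:...'; a whitelist compared on raw strings silently misses some.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Request:
    ssid: str
    calling_station_id: str      # device MAC as the controller sends it
    username: str = ""           # 802.1X identity on CT_Roaming
    password: str = ""           # simplified stand-in for the EAP inner method
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    reason: str


class Policy:
    """Static whitelist/accounts plus the mutable guest MAC cache."""

    def __init__(self) -> None:
        self.guest_cache: Dict[str, datetime] = {}   # mac -> time portal was passed

    def portal_accepted(self, mac_raw: str, when: datetime) -> None:
        """Called by the captive portal once the guest accepts the Ts & Cs."""
        mac = normalize_mac(mac_raw)
        if mac is not None:
            self.guest_cache[mac] = when

    def decide(self, req: Request) -> Decision:
        mac = normalize_mac(req.calling_station_id)
        if mac is None:
            return Decision(False, None, "malformed Calling-Station-Id")

        if req.ssid == "_Heathrow Wi-Fi":
            # 3.1 Internet Access. A MAC is an identifier, not a secret, so this
            # path only ever grants Internet breakout, never corporate access.
            if mac in INTERNET_WHITELIST:
                return Decision(True, INTERNET_VLAN, "whitelisted MAC -> internet VLAN")
            return Decision(True, DEFAULT_PUBLIC_VLAN, "unknown MAC -> existing public VLAN")

        if req.ssid == "CT_Roaming":
            # 3.2 Corporate Access: the customer's credential selects its VLAN.
            stored_pw, vlan = CORPORATE_ACCOUNTS.get(req.username, ("", None))
            ok = hmac.compare_digest(stored_pw.encode(), req.password.encode())
            if vlan is None or not ok:
                return Decision(False, None, "unknown customer or bad password")
            return Decision(True, vlan, f"customer {req.username} -> dedicated VLAN")

        if req.ssid == "Guest":
            # 3.3 Landing Page: a MAC that passed the portal within 24 h skips it.
            seen = self.guest_cache.get(mac)
            if seen is not None and req.now - seen < MAC_CACHE_TTL:
                return Decision(True, GUEST_VLAN, "MAC cached -> guest VLAN")
            self.guest_cache.pop(mac, None)          # expired or never seen
            return Decision(True, PORTAL_VLAN, "redirect to captive portal")

        return Decision(False, None, "SSID not served by Wi-Fi OTM")


if __name__ == "__main__":
    p = Policy()
    print(p.decide(Request("_Heathrow Wi-Fi", "AA-BB-CC-DD-EE-01")))
    print(p.decide(Request("CT_Roaming", "aa:bb:cc:dd:ee:10",
                           "airline-a-handhelds", "s3cret-a")))
    print(p.decide(Request("Guest", "aabb.ccdd.ee20", now=T0)))
```

The MAC normalisation step is the part most often missed when whitelists are maintained by hand: the same device can be rejected on one controller and accepted on another purely because of the separator format in Calling-Station-Id. The guest cache expires entries on the next request after the 24-hour window, matching the page's MAC caching behaviour without a background sweeper.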
A simple topology diagram of the Wi-Fi Landing Page solution is shown below (diagram not reproduced). Components shown: Aruba wireless LAN controller; ClearPass (RADIUS traffic, MAC caching); management, data and guest portal access paths; WANAGG distribution switch; core distribution switch; TERM distribution switch; access switch; customer BB router to the Internet; Aruba AP broadcasting the guest SSID; guest device.

4 Service Overview
The ClearPass infrastructure is managed and supported by an on-site 24/7 network team and is securely housed in two data centres. On the Heathrow side of the network it connects to the WANAGG infrastructure, which provides connectivity to external sources and to the wireless controller for the WLAN service. All end-user devices can connect to the same SSID and are segregated into separate VLANs based on role. Client traffic is tunnelled to the wireless controller, and each authenticated device has a separate encrypted connection to the controller.

4.1 Service Request
Any request for the Wi-Fi OTM solution must go through the Commercial Telecoms route. Customers may use the following contacts to have their requests processed:
Email: heathrow@sita.aero
Phone: 0208 745 6565
Address: Meridian First Floor South, Compass Centre, Nelson Road, Hounslow TW6 2GW
Once we have received approval to commence, our specialised solutions team will ascertain your requirements and refine them into a specific design for your request. General information obtained from the customer includes:
- Brief description of the requirement
- Areas / locations
- Number of users
- Any existing network configuration details, i.e. VPN / broadband / VLAN

4.2 SLA
Wi-Fi OTM targets   Down for all   Down for some   Down for one
Response            30 mins        2 hours         2 hours
Remote fix          2 hours        2 hours         4 hours
Replacement         4 hours        4 hours         4 hours

5 Why Us
- Applications can stay connected at all times
- Simple, flexible data plans with a minimum commitment of only 6 months
- Add and remove devices easily
- 24x7x365 on-site, airport-based support
- Integration into your Heathrow-based VPN
- Ability to provide custom splash pages at additional cost