Wireless Networking at LBNL
- Wireless Network Coverage Map
- Wireless Network Technical Details
- WPA/WPA2 Wireless Networking ("lbnl-employee" network) Setup Instructions
- Windows Vista with Dell wireless card
- Windows 7 (and Vista) with Intel wireless card
- Pre-Shared Key for one-week wireless access to the "lbnl-visitor-offsite" network at:
Donner Lab - Building 1
Leapfrog - Building 971
JCAP - Building 976
Potter Street - Building 977
JBEI - Building 978
Note: the "lbnl-visitor" network in the main LBNL campus is an open network and does not require the pre-shared key.
- Wireless Network Installation Costs
- Wireless Overview
- Wireless Security
- Access Point Requests
- Using lbnl.us Wireless
- Network Services Supported and Not Supported
- Supported Conference Rooms
- Finding and Connecting to Wireless
- Client Configuration Guidelines
- typical settings
- Getting Help and Support
The visitor network is an "open", non-authenticated, unencrypted wireless network, connected to the Internet (via ESnet) and logically external to the Lab’s lbl.gov network perimeter DMZ. From the perspective of the Lab’s internal lbl.gov network, devices connected on the visitor wireless network are treated like they were on a commercial ISP or any other external location (ie, outside the Lab perimeter).
The employee network on the internal lbl.gov internet domain offers a secure, encrypted connection to the local network of the building where the access point is located. Traffic on the employee network is treated as any other traffic on the lbl.gov domain.
- The wireless network is intended for use by both Berkeley site staff and affiliates.
- For casual visitors, it is the usual means of Internet access (persons without a Berkeley Lab ID are not permitted to use the wired network without explicit permission from a Berkeley Lab employee)
- For staff, it is a convenience network, primarily used for applications such as email, calendaring, etc. while in conference rooms and with mobile devices.
- Permanent equipment like desktop computers, and mission critical equipment such as business systems or scientific applications, should not be operated on the wireless network.
- Job-related activities
- Incidental personal use (unless use is explicitly forbidden; see below)
- Use for personal gain, lobbying, or unlawful activities such as fraud, embezzlement, theft, or gambling
- Use of resources to create, download, view, store, copy, or transmit sexually explicit materials or images
- Unauthorized entry into or tampering with computers, networks, or other information resources
- Use of resources in a manner intended to, or likely to result in, damage to any system, database, or intended official use (e.g., distributing viruses)
- Misusing or forging e-mail or tampering or gaining unauthorized access to the Laboratory's e-mail system
- Use of e-mail to give the impression that the user is representing, giving opinions, or otherwise making statements on behalf of the Laboratory unless appropriately authorized (explicitly or implicitly) to do so
- Use of resources in connection with conduct or activities prohibited by Laboratory policy (e.g., fabrication, falsification, or plagiarism in proposing, conducting, or reporting research; unauthorized disclosure of Laboratory proprietary information) or use in violation of applicable copyright or patent law.
- Unauthorized use of resources on behalf of outside organizations or any use that conflicts with or is inconsistent with Laboratory information resources policies or procedures
- Use of resources to store, manipulate, or remotely access any national security information, including, but not limited to, classified information, unclassified controlled nuclear information (UCNI), and naval nuclear propulsion information (NNPI)
- Any use that violates applicable federal or state laws or regulations.
Considerations on the "Open" Visitor Network:Berkeley Lab’s visitor wireless network is an "open", unauthenticated, and un-encrypted network. As with other open public wireless networks, all connections to Berkeley Lab’s visitor wireless network should be considered insecure, as un-encrypted wireless technology inherently affords no protection against traffic snooping by other devices within RF range. When using Berkeley Lab’s visitor wireless network, one must exercise the same precautions one would apply when using an open wireless network in any off-site public place.
When using the secured, employee wireless network, traffic is encrypted to offer protection against data snooping.
Firewall and Perimeter SecurityThere is a firewall at the lbnl.us network perimeter, which limits traffic to and from lbnl.us. It is important to understand that although one is physically on-site when connected to the visitor wireless network, one is "outside" the Lab with respect to network traffic to and from lbl.gov.
This has security and functional implications while you are connected to the visitor wireless network. Any lbl.gov network resources (e.g. web servers) that are restricted to "internal" access (ie, within lbl.gov domain) will not be accessible on the visitor wireless network, despite being physically on-site. Network services that are blocked at the lbl.gov perimeter will affect wireless as well -- for example, Microsoft file shares on lbl.gov cannot be accessed from the visitor wireless network (unless VPN is used.)
The lbl.gov perimeter defenses equally apply to the wireless networks. For example, a wireless computer attempting to scan lbl.gov will be blocked (both from reaching lbl.gov and from reaching the internet.) Traffic monitoring and intrusion detection are performed on the wireless networks – within the networks; between wireless and lbl.gov; and between wireless and the internet.
To best serve you and to expedite your request, we ask that you send a key plan marked up to indicated what building areas require wireless coverage. From this we will be able to provide you with a cost and time estimate.
The cost of all wireless installations is time and materials. Cost estimates are available here.
Supported and unsupported services are summarized below.
Internet to WirelessInbound TCP connections from the Internet to lbnl.us are generally not allowed. Accordingly, applications intended to serve Internet clients, such as web servers, cannot be operated on the wireless network.
Wireless to Berkeley Lab lbl.govTCP Traffic from wireless to lbl.gov is subject to a default deny policy (from lbl.gov perspective), with specific exceptions for the following services, which are allowed:
- Web: http/80 and https/443
- LDAP and LDAPS
- Printing: jetdirect and printer protocol
- Windows Remote Desktop
- Cisco VPN
Wireless to Internet trafficThere are currently no static restrictions on traffic from wireless to the Internet at large (except to lbl.gov as above).
However, note that all such traffic is fully monitored for unacceptable use and subject to both automated and manual reactive measures, such as blocking individual hosts at the wireless perimeter.
If you have questions about these services, please see the Contact section of this document.
For help with any of these networks, please call the help desk for support. (x4357)
IP Addressing on WirelessAll end-user IP addresses on the Wireless network are provided via DHCP. Static wireless addresses will not be assigned to users.
Smartphone and Tablet ConfigurationFor instructions on configuring your smartphone or tablet for wireless connectivity please click here.
- Bridging must be turned off or disabled.
Using Windows XP see Network Connections, right click on the wireless adapter. Check for bridging. Turn bridging off or disable it.
- Do not set the Network Type to 'Ad hoc.'
Using Windows XP see Network Connections, right click on wireless adapter>Properties> Wireless Networks tab>Advanced. Select 'Access point (infrastructure) networks only'.
- Mac laptops - Do not use the computer-to-computer network setting.
Using: System Preferences>Network>AirPort>Network Name. Do not use the "Create Network" option..If you have enabled this option, you may disable it by using the "Join Other Network" option or turning off Airport.
Note that the wireless network is a secondary service. There is no off-hours technical support, and during business hours, support for Berkeley Lab’s internal lbl.gov network always has precedence.
If you have a question specifically related to cyber security, such as wireless firewall policy, you may contact the Computer Protection Program (CPP) group directly via email at firstname.lastname@example.org
You may also contact the LBLnet Services Group, who maintain and operate the wireless infrastructure. Email us at email@example.com for more information.