The project report by Ebong Halle Etoh outlines the design and implementation of a secure university campus network using Mikrotik RouterOS with AAA (Authentication, Authorization, and Accounting) capabilities. The aim is to create a scalable and secure network infrastructure that effectively manages access to university resources while addressing security concerns through various measures. The report includes a comprehensive assessment of the existing network, detailed design, and implementation strategies to enhance network security for students, faculty, and staff.

UNIVERSITY OF BUEA

FACULTY OF SCIENCE

DEPARTMENT OF COMPUTER SCIENCE

DESIGN AND IMPLEMENT A SECURED UNIVERSITY CAMPUS
NETWORK WITH AAA USING MIKROTIK

BACHELOR OF SCIENCE IN COMPUTER SCIENCE

Project Report

BY

EBONG HALLE ETOH

(SC20A892)

SUPERVISOR

DR. ACHANKENG LEKE PETER

JULY 2024

CERTIFICATION

This is to certify that this report entitled “Design and Implement a secured University
network with AAA using Mikrotik” is the original work of Ebong Halle Etoh with
registration number SC20A892, student at the Department of Computer Science at the
University of Buea. All borrowed ideas and materials have been acknowledged by means of
reference and citations. The report was supervised in accordance with the procedures laid
down by the University of Buea. It has been read and approved by:

Dr. ACHANKENG LEKE DATE

Supervisor

Dr. NKWETEYM DENIS DATE

Head of Department of Computer Science

DECLARATION

This report has been written by me and has not received any previous academic credit at this
or any other institution.

Ebong Halle Etoh

SC20A892

Computer Science

Faculty of Science

ACKNOWLEDGEMENT

Firstly, I would like to thank the Almighty God for giving me the strength and wisdom to do
this project from beginning to end. Next, I would like to acknowledge my supervisor Dr.
Leke for helping me throughout this project. Finally, I would like to thank my father and
mother, Mr. and Mrs. Ebong Halle, for always having faith and believing in me; my brothers
and sisters for always being available whenever I need help; and my friends who never left
my side.

DEDICATION

I am dedicating this project to my brothers and sisters.

ABSTRACT

This project aims to design and implement a secure university campus network using
Mikrotik RouterOS and its AAA (Authentication, Authorization, and Accounting)
capabilities. The goal is to create a scalable, reliable, and highly secured network
infrastructure that can effectively manage and control access to the university's resources.
The project will involve a comprehensive assessment of the existing network, development of
a detailed network design, and the implementation of a robust AAA system using Mikrotik's
RADIUS server. Additionally, the project will address security concerns by implementing
access control lists, intrusion detection and prevention systems, and secure connectivity
options. The successful completion of this project will result in a highly secured and
efficiently managed university campus network, providing a reliable and controlled
environment for students, faculty, and staff to access necessary resources, and serve as a
blueprint for other educational institutions seeking to enhance their network security and
access management.

TABLE OF CONTENTS
CERTIFICATION......................................................................................................................i
DECLARATION.......................................................................................................................ii
ACKNOWLEDGEMENT........................................................................................................iii
DEDICATION..........................................................................................................................iv
ABSTRACT...............................................................................................................................v
LIST OF ABBREVIATIONS....................................................................................vii
CHAPTER ONE........................................................................................................................1
INTRODUCTION......................................................................................................................1
1.1. Historical Background.................................................................................................1
1.2. Significance of Project................................................................................................2
1.3. PROBLEM REPORT..................................................................................................3
1.4. Aim and objectives of Project.....................................................................................3
1.5. Scope...........................................................................................................................4
1.6. DEFINITIONS............................................................................................................4
CHAPTER TWO.......................................................................................................................5
Literature Review.......................................................................................................................5
2.1. Theoretical Framework..................................................................................................7
2.2. Conceptual Framework...................................................................................................8
2.3. Empirical Framework......................................................................................................9
CHAPTER THREE..................................................................................................................13
METHODOLOGY AND DESIGN.........................................................................................13
3.1. METHODOLOGY........................................................................................................13
3.2. DESIGN........................................................................................................................15
CHAPTER FOUR....................................................................................................................16
IMPLEMENTATION..............................................................................................................16
CHAPTER FIVE......................................................................................................................22
CONCLUSION AND RECOMMENDATION.......................................................................22
What we were unable to do......................................................................................................22
5.2. REFERENCE.............................................................................................23

LIST OF ABBREVIATIONS

AAA Authentication, Authorization and Accounting

DHCP Dynamic Host Configuration Protocol

IP Internet Protocol

PC Personal Computer

VLAN Virtual Local Area Network

WAN Wide Area Network

CHAPTER ONE

INTRODUCTION
1.1. Historical Background
In today’s interconnected world, where technology reigns supreme, the need for robust
network security measures has become paramount. This project aims to provide a detailed
and engaging guide to implementing network security in a university campus network with AAA
using MikroTik. By following these steps and best practices, students can fortify their digital
infrastructure against potential threats and protect sensitive information.
Network security is the practice of protecting networks and their infrastructure from
unauthorized access, misuse, or disruption. It encompasses various technologies, policies, and
practices aimed at ensuring the confidentiality, integrity and availability of data. By
employing robust network security measures, universities can safeguard their digital assets
against cyber threats.

Network security encompasses a range of measures designed to protect computer networks
from unauthorized access, data breaches, and malicious activities. It involves both hardware
and software components, as well as proactive policies and procedures aimed at mitigating
risks. By understanding the fundamental principles of network security, universities can lay
the foundation of a robust and resilient security infrastructure.
Before implementing network security measures, it is crucial to conduct a comprehensive
assessment of potential risks and vulnerabilities. This involves identifying potential entry
points, evaluating existing security measures, and analyzing the potential impact of security
breaches. By conducting a thorough risk assessment, organizations can develop an effective
security strategy tailored to their specific needs.

 Authentication: As the first step, authentication provides a way of identifying a user,
typically by having them enter a valid username and password before access is
granted. Other authentication methods can be used instead, such as biometrics or
smart cards.

The authentication process is based on each user having a unique set of criteria for gaining
access. The AAA server compares the credentials in the authentication request with the
user credentials stored in its database. If the credentials match, the user is granted access to the
network. If the credentials don’t match, authentication fails, and the user is denied network
access.

Once authenticated, the user is limited to performing actions that do not access the data or
resources restricted by network administrators.

 Authorization: following authentication, the user must be authorized to perform
certain tasks. After logging into a system, for instance, they might try to issue
commands. The authorization process determines whether the user has the authority to
issue such commands. Simply put, authorization is the process of enforcing policies
by determining what types or qualities of activities, resources or services the user is
permitted. Usually, authorization occurs within the context of authentication. Once
the user is authenticated, they can be authorized for different types of activities.
 Accounting: measures the resources the user consumes during access. This can
include the amount of system time or the data the user has sent and received during a
session. Accounting logs session statistics and usage information and is used for
authorization control, billing, trend analysis, resource utilization and capacity
planning activities.
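As an added example (not part of the report), the three AAA steps above mapped onto a MikroTik RouterOS v7 configuration that hands them to an external RADIUS server: logins are authenticated by RADIUS, the group the server returns (the Mikrotik-Group attribute) decides authorization, and session accounting is sent back to the same server. The RADIUS address, shared secret and the three group names are assumed placeholders.

```routeros
# Added example, not from the report. Address, secret and group names are assumed.

# Authentication: forward router-login and hotspot logins to the campus RADIUS server.
/radius
add service=login,hotspot address=10.10.0.5 secret=REPLACE_WITH_SHARED_SECRET \
    authentication-port=1812 accounting-port=1813 timeout=300ms comment="campus AAA server"

# Authorization: local groups define what an authenticated router user may do.
# The RADIUS server places a user into one of them by returning Mikrotik-Group=<name>.
/user group
add name=administration policy=local,ssh,winbox,web,api,read,write,policy,test,reboot,password,sensitive
add name=lecturers policy=ssh,winbox,web,read,!write,!policy,!sensitive,!reboot
add name=students policy=web,read,!write,!policy,!sensitive,!reboot,!ssh,!winbox

# Use RADIUS for router-user AAA; a user whose group is unknown lands in the
# least-privileged group, and accounting records are sent with 5-minute interim updates.
/user aaa
set use-radius=yes default-group=students accounting=yes interim-update=5m

# Accounting for hotspot (campus Wi-Fi) clients: start/stop records plus interim updates,
# which is the per-session time and byte usage the Accounting step describes.
/ip hotspot profile
set [ find default=yes ] use-radius=yes radius-accounting=yes radius-interim-update=5m
```

A login attempt that the RADIUS server rejects never reaches the authorization step, and a login it accepts is logged as a session start immediately, so a review of the accounting records shows both who connected and for how long.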

1.2. Significance of Project


Your network is the first line of defense for your company’s sensitive data and systems. If your network
is not secure, malicious actors will find a way in and start wreaking havoc on all of your other
defenses.

Network security is the practice of securing computer networks from attack. These networks
typically handle sensitive information, such as customer data and financial data. As such, it is
important to keep network security strong. If not, hackers can steal this data and cause a host
of other problems.

Network security addresses three key areas of concern: Confidentiality, Integrity and
Availability. Confidentiality is the assurance that data is only used by authorized individuals
and is not disclosed to others. Integrity ensures that data is not altered in any way during
transmission or storage, and availability ensures that the network is accessible when
authorized owners need it.

One of the most important aspects of protecting your network is to protect critical data. This
includes customer data, financial data, and employee data. By keeping your network secure,
you reduce the risk of a data breach, which can severely impact your organization’s reputation
and bottom line. This is especially important in today’s increasingly connected world, where
data is more portable than ever before.

In order to protect data, you need to trust that your network, systems, and devices are secure. This
is accomplished through a variety of robust security measures, such as encryption, firewalls,
antivirus software, password managers, and employee training.

1.3. PROBLEM REPORT


The aim of this research is to design and implement network security, verified by internal web
testing, using AAA and a MikroTik router on the university campus server. The data analysis
technique that can be used is the descriptive method. [10]

1.4. Aim and objectives of Project


The main aim of this project is to set up a secured network with authentication, authorization
and accounting, and hence to prevent unauthorized access to the network. The main objectives of
security are confidentiality, integrity and availability. Network security is an essential aspect
of cybersecurity that protects network data and resources from attackers. Network security
has three main objectives: to prevent unauthorized access, to detect and stop cyberattacks, and
to ensure secure access for authorized users.

 Confidentiality: this is the assurance that information is not disclosed to unauthorized
individuals, groups, processes, or devices. Highly confidential data must be encrypted
so that third parties cannot easily decrypt it. Only those who are authorized to view the
information are allowed access.
 Integrity: the accuracy and completeness of vital information must be safeguarded.
Data should not be altered or destroyed during transmission and storage. This
involves making sure that an information system is not tampered with by any unauthorized
entities. Policies should be in place so that users know how to properly utilize their
system.
 Availability: this means that authorized users have timely and easy access to
information services. IT resources and infrastructure should remain robust and fully
functional at all times, even during adverse conditions such as database problems or
fail-over. It involves protecting against malicious code, hackers, and other threats
that could block access to the information system.
 Authenticity: this security measure is designed to establish the validity of a
transmission, message, or originator, and is a means of verifying an individual and that individual’s
authorization to receive specific information. Authentication prevents impersonation
and requires users to confirm their identities before being allowed access to systems
and resources. This includes usernames, passwords, emails, biometrics, and others.
 Non-Repudiation: this attribute assures that the sender of data is provided with proof of
delivery and the receiver with proof of the sender’s identity, so that neither can deny having sent,
received or accessed the data. Security principles should be used to prove
identities and to validate the communication process.

Boundaries are used to specify the range of devices and services that are allowed on the
network. Network boundaries are also used to protect the network from unauthorized access
and malicious attacks. Network boundaries are important for organizations because they help
to secure their networks from external threats. In this project, the network security will be limited
to the university campus.

1.5. Scope
This project is for a university campus network, so Mikrotik server version 7.0 is going to be
used. The users that will be connected to this system fall into three different
categories, namely: Administration, Lecturers and Students.

1.6. DEFINITIONS
 Authentication: this is the process of verifying a user or device before allowing access
to a system or resource.
 Authorization: this is the process by which a server determines whether the client has permission
to use a resource or access a file.
 Accounting: cybersecurity systems and risk management plans that protect accounts
and accounting firms from some of the risks of cyber attacks and data breaches.
 Integrity: data is complete, trustworthy and has not been modified or accidentally
altered by an unauthorized user.
 Availability: ensuring timely and reliable access to and use of information.
 Confidentiality: preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary information.
 Authenticity: the property of being genuine and being able to be verified and trusted.
 Non-Repudiation: a user cannot deny (repudiate) having performed a transaction.

CHAPTER TWO

Literature Review
In this chapter we review the approaches and solutions others have developed concerning this
project. A background study of a secure campus network based on MikroTik and Windows
Server would involve an in-depth analysis of the hardware and software components,
network design, security measures, and best practices in network engineering and
administration.

Existing network infrastructure: it is important to understand the organization’s current network
infrastructure and how well it meets the organization’s needs, as well as any limitations or
vulnerabilities that may exist.

Technical specifications and capabilities of each technology: determining the specific
technical capabilities of the MikroTik and Windows Server solutions can help to identify
potential strengths and weaknesses of the proposed network architecture.

Potential cost: understanding the cost of purchasing and deploying the equipment required
for the secure campus network, as well as any ongoing maintenance or operational expenses
is also important to consider.

Network security: it is essential to analyze the network security features of each proposed
technology and create a comprehensive framework to help ensure that the network is secured
against both internal and external threats.

Compatibility issues: ensuring that the hardware and software being proposed for the
network are compatible with existing equipment and software is also important to consider.

The network management practices and procedures should be studied to ensure that the
network can be easily managed and monitored [1]. MikroTik RouterOS is software that turns a
computer into a reliable network router, covering various features made for IP networks and
wireless networks, and is suitable for use by ISPs and hotspot providers.
Installing MikroTik does not require additional software or other additional
components. MikroTik is designed to be easy to use and is well suited to computer network
administration tasks such as designing and building small to complex
computer network systems [2]. The campus network in our study is designed in a
hierarchical manner, which is common practice for campus and enterprise networks. It provides
a modular topology of building blocks that allows the network to evolve easily.

A hierarchical design avoids the need for fully meshed networks in which all network nodes
are interconnected.

Designing a campus network may not appear as interesting or exciting as designing an IP
telephony network, an IP video network, or even designing a wireless network. However,
emerging applications like these are built upon the campus foundation. Much like the
construction of a house, if the engineering work is skipped at the foundation level, the house
will crack and eventually collapse.

Here are some proposed steps for mitigating the known attacks of a campus network:

 Creating VLANs (Virtual LANs) for Security:

It’s easy to see why virtual LANs have become extremely popular on networks of all sizes. In
practical terms, multiple VLANs are pretty much the same as having multiple separate
physical networks within a single organization, without the headache of managing multiple
cable plants and switches. Because VLANs segment a network, creating multiple broadcast
domains, they effectively allow traffic from the broadcast domains to remain isolated while
increasing the network’s bandwidth, availability and security.

 Implementing a Firewall for Internal and External Security:

A firewall works to monitor and block or allow network traffic, both incoming and outgoing,
on a private network. While there is a hardware firewall to help protect the campus network
security, this firewall restricts certain outbound traffic and prevents unauthorized inbound
traffic. NetBIOS, SMTP and other miscellaneous ports determined to pose a security risk are
blocked in the outgoing direction. This does not impact the majority of academic work-related
programs used on the campus.

 Virtual private network (VPN) used for branch campuses:

A virtual private network (VPN) extends a private network across a public network, such as
the internet. It enables a computer or network-enabled device to send and receive data across
shared or public networks as if it were directly connected to the private network, while
benefitting from the functionality, security and management policies of the public network. A
VPN is created by establishing a virtual point-to-point connection through the use of
dedicated connections, virtual tunneling protocols, or traffic encryption. Major implementations
of VPN include OpenVPN and IPsec. The campus VPN provides a full-tunnel VPN service that
is a secure (encrypted) connection to the network from off campus. Common uses of the
campus VPN include access to file sharing/shared drives and certain applications that require
a campus IP address. The campus VPN has a 20-hour session limit [3].
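The three mitigation steps above, as one added MikroTik RouterOS v7 configuration that is not from the report: one VLAN per user category, a stateful firewall that blocks the outbound NetBIOS/SMTP ports described and keeps the student VLAN away from the administration VLAN, and an IPsec site-to-site tunnel toward a branch campus. Interface names, VLAN IDs, addresses and the pre-shared key are assumed placeholders.

```routeros
# Added example, not from the report. Interfaces, VLAN IDs, addresses and PSK are assumed.

# 1. VLANs: a separate broadcast domain per user category on the trunk to the campus switch.
/interface vlan
add name=vlan10-admin interface=ether2-trunk vlan-id=10
add name=vlan20-lecturers interface=ether2-trunk vlan-id=20
add name=vlan30-students interface=ether2-trunk vlan-id=30
/ip address
add address=10.10.10.1/24 interface=vlan10-admin
add address=10.10.20.1/24 interface=vlan20-lecturers
add address=10.10.30.1/24 interface=vlan30-students

# 2. Firewall: stateful defaults, no unsolicited inbound, risky outbound ports dropped,
#    and the student VLAN isolated from the administration VLAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-wan action=drop comment="no unsolicited inbound to the router itself"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward out-interface=ether1-wan protocol=tcp dst-port=25,137-139,445 action=drop \
    comment="block outbound SMTP and NetBIOS/SMB"
add chain=forward out-interface=ether1-wan protocol=udp dst-port=137,138 action=drop \
    comment="block outbound NetBIOS name/datagram service"
add chain=forward in-interface=vlan30-students out-interface=vlan10-admin action=drop \
    comment="students cannot open connections into the administration VLAN"
add chain=forward in-interface=ether1-wan connection-state=new action=drop \
    comment="no new connections from the Internet into any VLAN"

# 3. Branch campus: IPsec site-to-site tunnel so inter-campus traffic is encrypted.
#    Tunnel traffic must be excluded from source NAT, so that rule sits above masquerade.
/ip firewall nat
add chain=srcnat src-address=10.10.0.0/16 dst-address=10.20.0.0/16 action=accept \
    comment="do not masquerade traffic destined for the branch tunnel"
add chain=srcnat out-interface=ether1-wan action=masquerade
/ip ipsec profile
add name=branch-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal
add name=branch-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add name=branch-peer address=203.0.113.10/32 profile=branch-profile exchange-mode=ike2
/ip ipsec identity
add peer=branch-peer auth-method=pre-shared-key secret=REPLACE_WITH_STRONG_PSK
/ip ipsec policy
add src-address=10.10.0.0/16 dst-address=10.20.0.0/16 peer=branch-peer tunnel=yes \
    proposal=branch-proposal
```

Rule order matters in the filter chain: the established/related accept must come first so that replies to connections the administration VLAN opened toward students are not caught by the isolation rule, which only blocks connections initiated from the student side.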

When designing your security system, consider the following questions, which your standard probably
doesn’t address:

 Are there any caveats to these hardening standards in a redundant design?
 In a high-load environment, what will be the performance impact of these standards?
Do we need to upgrade our devices as a result?
 Are there other settings we should implement on a router with an internet connection
beyond the published standards? [4]

2.1. Theoretical Framework


 Network Asset Detection

The methods of network asset information collection can be divided into the statistical method
and the detection method. The statistical method depends mainly on statistics software and is
essentially a manual operation, so it is time consuming and incurs management cost. Obviously,
the statistical method is not fit for a campus-sized network. Detection technology can obtain the
network equipment and its connection information by deploying a server and analyzing
traffic flow from the hosts. Therefore, this type of technology is mainly used to obtain network
asset information in the Web Hunt.

The detection method can also be divided into passive detection and active detection
according to whether it is necessary to construct data packets. Active detection identifies the
port, system, service and application by establishing a connection with the target host and
sending specially constructed packets. Active detection can be implemented in various ways,
such as a TCP three-way handshake and ICMP ping.

These implementations can be divided into the full-connect scan, half-open scan and hidden scan
depending on whether a three-way handshake needs to be completed. Passive detection
identifies specific services by collecting and analyzing traffic flow with probe devices deployed
at specific network locations. The traffic flow must be sufficient for the identification of the
specific service.

The common passive asset detection tools are p0f, PRADS, Satori and so on. p0f is a
purely passive fingerprint identification tool, which achieves fingerprint recognition by sniffing
and analyzing data packets. The categories of information p0f recognizes are limited. In
order to cope with the surge of network traffic caused by the growth of network scale, Barnes
et al. proposed deploying p0f in the Linux kernel space, which greatly speeds up analysis of
network traffic.

PRADS passively listens to network traffic and gathers information on hosts and services. The
information can map the network, letting the user know which services and hosts are active.
Satori identifies network assets and their operating systems based on the DHCP message
options and their order.

 Fingerprint Extraction and Matching

Fingerprint matching is a method to determine the type of a host or a device. The targets of
fingerprint identification include port service identification and web application
identification. Most of the existing web server fingerprint tools focus on feature value
matching, such as the “Server” field in the header of the response packet. Lee et al. proposed a method
of determining the type of HTTP server by requesting a URL sub-link that does not exist on
the target system. The content of the web page returned by the Apache server is “not found
object”. The difference is evident enough to distinguish Apache from Microsoft IIS.

 Network Vulnerability Assessment

Network vulnerability assessment is a type of security service based on network asset
intelligence. Network vulnerability assessment can be divided into intrusive detection and
non-intrusive detection according to whether the generated probe traffic may disturb normal
operation.

OpenVAS and Nessus are popular vulnerability assessment tools that identify the device type
and its exploitable vulnerabilities by sending specialized packets to the target. However,
artificial traffic may cause potential damage to the target network, such as denial of service.
For that reason, permission from the device owner is necessary before a vulnerability
assessment. Moreover, Nessus is not flexible. Specialized plug-ins for different operating systems are
indispensable and are costly, because minor changes in the service description string (banner
information) may cause the tool to fail [5].

2.2. Conceptual Framework
MikroTik RouterOS: This is the heart of MikroTik's solution. It's a powerful operating
system specifically designed for routers and can be installed on MikroTik's RouterBOARD
devices or even a standard PC or a Virtual box. RouterOS offers a wide range of features,
including:

 Routing: Efficiently directing network traffic across different paths.
 Firewall: Defining security rules to control incoming and outgoing traffic.
 DHCP Server: Assigning IP addresses to devices on the network automatically.
 Wireless Access Point Functionality: Turning a RouterBOARD into a Wi-Fi hotspot.
 VPN Server: Enabling secure remote connections to the network.
 AAA (Authentication, Authorization, Accounting): As discussed previously,
providing centralized user management and access control.

MikroTik RouterBOARDs

 These are physical network devices pre-loaded with RouterOS. They come in various
configurations with different processing power, memory capacities, and port options.
Here are some common RouterBOARD types:
o Wired Routers: Focus on wired network connectivity with multiple Ethernet
ports for connecting switches and other network devices.
o Wireless Routers: Combine wired and wireless capabilities, functioning as a
router and Wi-Fi access point.
o Switches: Designed to connect multiple network devices and manage data
flow within the network.
o Industrial Routers: Built for harsh environments and offer features like wide
operating temperature ranges[6].

2.3. Empirical Framework


Some empirical studies have shown that students regard social networking sites as
interactive sites where people communicate and interact with one another. An empirical study
conducted by IEEE (2011), among other things, upholds the fact that the use of social media
as a means of communication has been adopted in Nigeria. The study examines the use of
social media among Nigerian youths. From the title, it is crystal clear that some findings of
the study are relevant here, as many youths fall into the age bracket of most students in
the universities [7].

The system developed two types of secure VPN connection (remote-access and site-to-site)
with the IPCop firewall software, using all four network interfaces to protect a network with an internal
(Green) segment, an Internet or WAN connection (Red), a DMZ containing more than one
server (Orange), and a wireless segment (Blue) with an IPSec VPN system. On the Green
interface, the system permits connectivity to all interfaces, as workstations and servers within
the Green segment are managed service workstations on which users do not have the
necessary level of access to cause damage to the resources they can reach. The
port forwarding feature of the firewall policy is invoked on the external (Red) interface to pass
mail and secure web services to the mail server on port 25 in the DMZ, and also to port 443
(HTTPS) on the mail server, in order to allow connections to the business webmail system. In
this part, a host-to-net VPN connection is configured with the IPSec feature of the IPCop firewall
in order to grant remote access to staff, lecturers and professors who work remotely, and to
provide remote connectivity for support purposes for the university resources and for third-party
software and hardware vendors. The university provides connectivity via an IPSec VPN
for clients so that they can access services run from servers internally on the Green
segment and on the DMZ segment at the Blue interface. Vendors and visitors are allowed access
to the Green segment through the use of WPA in pre-shared key mode configured on the wireless
access point. The university always communicates and transfers data to the office of the Ministry,
which is located remotely and reached via the Internet. The traffic between these two offices travels over an
“open” channel, risking confidentiality (unauthorized snooping of data) and integrity
(unauthorized tampering with data). To overcome these risks, the site-to-site or net-to-net VPN
feature is proposed to encrypt traffic over the Internet. The two private networks, the main office of the
university and the office of the ministry, are connected using inexpensive Internet bandwidth. For
data security, the tunnel is implemented between IPCop1 at the university and IPCop2 at the office
of the ministry. All traffic flowing through it is encrypted, to ensure confidentiality and integrity.

A VPN relies on a VPN server and a VPN client to establish a secure connection for the
university. When the connection is established, an encrypted tunnel is created between the
client and the server. Any connection requests that external users or users of the remote office make
through the client to the web or mail servers are encrypted and sent to the server. Afterwards,
the server decrypts the requests and forwards them to the respective server services or resources.
Once the requested data is received, it is encrypted by the server and then sent back to the
client.

When the university uses a secure VPN connection for data processing with external users and
staff of the remote office, the VPN hides the original IP address of the LAN and encrypts the data
transmitting traffic; it essentially ensures that nobody can track the digital footprints of
data processing on the Internet. Online hackers won’t be able to use the real IP address of the
LAN to find out any information about the university, and government surveillance agencies and
ISPs won’t get to monitor what the university does online by snooping on its traffic [8].

The invention of technology changes people's lives. It has altered and reshaped many aspects
of daily existence and unquestionably has a significant impact on all aspects of life. People can
easily participate in some activities, yet they believe that technology has some negative impacts
on social relationships. Technology use has grown to be a critical component of learning both
inside and outside of the classroom, and learning has benefited from and been enhanced by
technology.

The study discussed that the majority of educational institutions use an online system to
track the entry of students and faculty within the school vicinity. For students and teachers to
effectively use technology in monitoring entries and exits, they must apply it in a high-quality
manner.

In contrast to the previous techniques, which are time-consuming and inefficient, student
attendance has recently been recognized as one of the critical components that represent the
academic accomplishments and performance of any university.

The use of RFID technology may be integrated in monitoring students and personnel on the
premises by setting up scanners at several sites. In Central Philippines State University, an
academic institution in Kabankalan City with almost six thousand enrolled students and with
many nearby communities around its premises, security personnel received several reports of
disturbances inside the campus caused by unidentified individuals who appeared to be trying
to get in and harass people, especially female students who were alone.

This is due to the lack of close monitoring in letting unknown and known people in the
campus. Because of this scenario, the researchers came up with an idea to develop a
monitoring system that would solve the problem in terms of security purposes. This project is
entitled “Campus-Based Monitoring using RFID.”

This project aimed to analyze, design, develop, and implement a system that would secure
the vicinity of the University most especially the people inside such as students, employees,
visitors, and the community including vehicles entering the campus by implementing a
security system with RFID integration. The platform would monitor the incoming and
outgoing of students, and personnel using RFID and generate daily reports for incoming and
outgoing of visitors. It can track anyone who comes in and leaves the campus. An identity
card with RFID will be supplied to each respondent. The security officers in the radio room
can monitor the system since it is connected via a network. The technology is only meant to
be used on the main campus of CPSU.

METHODOLOGY

The study described the procedures used to gather, present, and evaluate the data and
information required to answer the study's objectives and questions. The research tools, data
sources, data gathering methods, and analytical methods employed are explained and justified.
The researchers used the agile model, an iterative and incremental approach to software
development that emphasizes flexibility, collaboration, and rapid delivery of working
software [9].

CHAPTER THREE

METHODOLOGY AND DESIGN


3.1. METHODOLOGY
The agile model was used by the researchers. It is an iterative and incremental approach to
software development that emphasizes flexibility, collaboration, and rapid delivery of
working software.

The system design of a secured campus network based on AAA and mikrotik involves the
selection and configuration of several hardware and software components that work together
to provide a reliable and secure network infrastructure for a large number of users and
devices in a campus environment.

The main hardware of the system includes routers and switches, MikroTik routers, and servers
running Windows Server-based services such as Active Directory, DNS, and DHCP. These
devices must be carefully selected and configured to support the specific needs of the campus
network, with appropriate IP addresses, routing, VLANs and firewall policies being set up as
required.

In addition to the hardware components, the system design must also include the appropriate
software components such as firewalls, VPNs, and IPSec. These components work together to
provide robust security measures that protect against unauthorized access and attacks, including
access control lists that restrict traffic to specific devices or services, VPN tunnels that provide
secure remote access to the campus network, and IPSec, which encrypts and authenticates
traffic between network devices.

Finally, the system design must include appropriate monitoring and management tools to
ensure that the network is operating effectively, with network monitoring tools such as
SNMP and NetFlow being used to monitor network traffic, logging and alerting being
implemented for network events, and regular vulnerability scans being performed to detect
potential security issues. Regular maintenance tasks such as updates and backups must be
scheduled to ensure the ongoing health and performance of the campus network.

Overall, the system design of a secured campus network based on AAA, MikroTik and
Windows Server requires careful planning and execution to ensure that the network is reliable
and secure, with appropriate hardware and software components being selected and
configured to support the specific needs of the campus environment [11].

• In the world, there are quite a number of universities which have implemented wireless
networks to replace existing fixed local area networks. However, in Cameroon, designing and
implementing a local area network using MikroTik in a university is a new issue. The
advantages of a wireless network are many, such as improving the quality of delivery of
education, as students and teachers are able to access teaching material instantaneously;
enhancing the interaction between parents, students and teachers through IP communication
tools; increasing the productivity of staff by using IP communication tools; and cultivating
students' interest in the learning process.

Student productivity also increases as they can access the web portal and proceed with
assignments without the constraint of place and time. Safety on the campus is enhanced by
having video-based surveillance. A wireless network overlaid on the existing Ethernet can be
used to solve the problem of endlessly installing additional ports.

The scale of the network depends on the information received and distributed through it, and
the structure of the network depends on factors such as building size, number of buildings, and
user requirements. This network uses wireless technology, as shown in figure 3.1 [12].

Fig.3.1 Block diagram of large-scale network(wireless)

3.2. DESIGN
In the design of a digital campus, both infrastructure and ad hoc topologies will be used.
The types of topologies chosen for the design will depend on the structure of the buildings.
The design of the university campus network is shown below.

Fig 3.2 Rough sketch of a university campus network architecture

The MikroTik router contains three VLANs: one for the administration, one for the lecturers
and the last for the students. The router is going to be placed at the central administration.
From the central administration, everybody that has access to the network is going to be able
to access it.

CHAPTER FOUR

IMPLEMENTATION

• Access control:

Access control is a critical aspect of network security. It is important to implement strong
access policies and to regularly test these policies to ensure that only authorized users and
devices can access the network. Recommendation: implement multi-factor authentication,
such as using a combination of passwords and security tokens, to provide an extra layer of
security.

• Encryption:

Encryption is important for protecting sensitive data as it moves across the network. It is
important to implement strong encryption standards and to regularly test these standards to
ensure that data is properly protected. Recommendation: use end-to-end encryption whenever
possible, such as HTTPS for web traffic or SFTP for file transfers.

• Incident response:

Incident response is important for quickly detecting and responding to security incidents. It is
important to implement strong incident response procedures and to regularly test these
procedures to ensure that they are effective. Recommendation: conduct regular tabletop
exercises to simulate security incidents and test the effectiveness of the incident response
procedure.

• VLAN segmentation:

VLAN segmentation is important for isolating and securing different parts of the network. It
is important to implement strong VLAN segmentation and to regularly test this segmentation
to ensure that each VLAN is properly isolated. Recommendation: use virtual technologies,
such as virtual LANs (VLANs) or virtual private networks (VPNs), to create logical network
segments and isolate traffic between them.

• Hotspot authentication:

Hotspot authentication is important for ensuring that only authorized users can access the
network. It is important to implement strong hotspot authentication procedures and to
regularly test these procedures to ensure that only authorized users can access the network.
Recommendation: implement captive portals and require users to provide valid credentials
before accessing the network.

1. Set up your MikroTik router with the necessary network configurations.
2. Configure the Hotspot depending on your network design.
3. Set up a RADIUS server that will handle the AAA process.
4. Integrate with Active Directory if you are using Microsoft services for user management.
5. Configure your MikroTik router to use the RADIUS server for authentication,
authorization, and accounting.
6. Create two interfaces: a WAN and a LAN.
7. Create VLANs for the different sets of users, namely Administration, Lecturers and
Students.
8. Assign IP addresses to the interfaces.

# Set up WAN interface
/interface ethernet
set ether1 name=WAN

/ip address
add address=203.0.113.100/24 interface=WAN

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1

/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN

Explanation:
* The first command renames the Ethernet interface ether1 to WAN, which is the
wide area network (WAN) interface.
* The second command assigns the IP address 203.0.113.100/24 to the WAN
interface, and the third adds the default route through the gateway 203.0.113.1
(in RouterOS the gateway is set under /ip route; /ip address has no gateway
parameter).
* The fourth command adds a source network address translation (srcnat) rule
to the firewall, which masquerades (translates) the source IP addresses of
outgoing traffic from the local network to the WAN interface IP address.
* This configuration sets up the WAN interface, assigns it a public IP address,
and enables the network address translation needed for the local network to
access the Internet.

# Set up LAN interface
/interface ethernet
set ether2 name=LAN

/ip address
add address=192.168.1.1/24 interface=LAN

Explanation:
* The first command renames the Ethernet interface ether2 to LAN, which is the
local area network (LAN) interface.
* The second command assigns the IP address 192.168.1.1/24 to the LAN
interface, which will be the gateway for the local network.
* This configuration sets up the LAN interface and assigns it a private IP
address, which will be used as the default gateway for devices on the local
network.

#enable hotspot

# Set up VLANs for different user groups
/interface vlan
add interface=LAN name=vlan1 vlan-id=1 comment=administration
add interface=LAN name=vlan2 vlan-id=2 comment=lecturers
add interface=LAN name=vlan3 vlan-id=3 comment=students

vlan1 is for the administration, vlan2 for the lecturers and vlan3 for the students.

Explanation:
* These commands create three VLAN interfaces (vlan1, vlan2, and vlan3) on the
LAN interface.
* Each VLAN is assigned a unique VLAN ID (1, 2, and 3) to logically separate
the different user groups (administration, lecturers, and students).
* This configuration allows the network to segregate traffic and enforce
policies based on the user group, improving security and network
management.

# Configure firewall rules
/ip firewall filter
add chain=forward action=drop src-address-list=blocked-hosts
add chain=forward action=drop protocol=tcp dst-port=23
add chain=forward action=drop protocol=tcp dst-port=21
add chain=forward action=accept protocol=icmp
add chain=forward action=accept connection-state=established,related

/ip firewall address-list
add list=blocked-hosts address=1.2.3.4 comment="Blocked host"

Explanation:
* The firewall filter rules are configured as follows:
* The first rule drops traffic from any IP address in the blocked-hosts
address list.
* The second and third rules disable Telnet and FTP access by dropping traffic
destined for ports 23 and 21, respectively.
* The fourth rule allows ICMP (ping) traffic to pass through the firewall.
* The fifth rule allows established and related connections to pass through the
firewall.
* The firewall address-list command adds the IP address 1.2.3.4 to the
blocked-hosts list, with a comment indicating that it is a blocked host.
* These firewall rules help to enhance the security of the network by blocking
traffic from known malicious sources, disabling unnecessary services, and
allowing essential network traffic.

# Set up DHCP servers for each VLAN
/ip address
add address=192.168.11.1/24 interface=vlan1
add address=192.168.12.1/24 interface=vlan2
add address=192.168.13.1/24 interface=vlan3

/ip dhcp-server
add interface=vlan1 name=administration-dhcp
add interface=vlan2 name=lecturer-dhcp
add interface=vlan3 name=student-dhcp

/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1 comment=administration
add address=192.168.12.0/24 gateway=192.168.12.1 comment=lecturer
add address=192.168.13.0/24 gateway=192.168.13.1 comment=student

Explanation:
* The gateway address of each subnet is first assigned to the matching VLAN
interface, so that the router is reachable as 192.168.11.1, 192.168.12.1 and
192.168.13.1 from the respective VLAN.
* The next commands set up three DHCP servers, one for each VLAN
(administration, lecturer, and student).
* The DHCP server network settings are configured with the appropriate IP
address ranges and gateways for each VLAN; each server also needs an address
pool (address-pool=) from which dynamic leases are handed out.
* This ensures that devices connected to the respective VLANs can
automatically obtain IP addresses and network settings from the corresponding
DHCP server.

# Set up user authentication
/user
add name=administration password=administration
add name=lecturer password=lecturer
add name=student password=student

Explanation:
* These commands create three user accounts (administration, lecturer, and
student), one for each user group, each with a password.
* The /user menu holds the router's own login accounts (WinBox, SSH, web);
hotspot clients are authenticated against the RADIUS server configured in
steps 3 to 5, not against these accounts.
* Passwords identical to the user names, as shown here, are placeholders and
must be replaced with strong, unique values before deployment.
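The hotspot and RADIUS steps (2, 3 and 5) are listed above but shown without commands, and the firewall chain in the report ends without a final drop. The following is an added example, not the report's own configuration, of RouterOS commands that complete them for one VLAN (the student VLAN) together with a default-deny forward chain. The RADIUS server address 10.0.0.5 and its shared secret are placeholders; the interface names WAN and vlan1 to vlan3 are the ones created in the steps above.

```routeros
# Added example, not the report's own configuration: AAA for the student
# VLAN (vlan3, 192.168.13.0/24) and a default-deny forward chain.
# Placeholders: RADIUS server 10.0.0.5 and its shared secret.
# Assumes the WAN, LAN and vlan1..vlan3 interfaces from the steps above.

# Gateway address that the DHCP network and the hotspot bind to
/ip address
add address=192.168.13.1/24 interface=vlan3 comment="student gateway"

# Address pool plus DHCP server for the VLAN (the report's DHCP servers
# have no pool, so they would never hand out dynamic leases)
/ip pool
add name=student-pool ranges=192.168.13.10-192.168.13.254
/ip dhcp-server
add name=student-dhcp interface=vlan3 address-pool=student-pool disabled=no
/ip dhcp-server network
add address=192.168.13.0/24 gateway=192.168.13.1 dns-server=192.168.13.1

# RADIUS client: hotspot logins and accounting records go to the AAA
# server (step 5). Use a long random shared secret, never a word.
/radius
add service=hotspot address=10.0.0.5 secret=REPLACE-WITH-RANDOM-SECRET timeout=3s
# Let the server end a session (RADIUS Disconnect-Request / CoA)
/radius incoming
set accept=yes port=3799

# Captive portal (step 2) that authenticates only via RADIUS.
# login-by omits cookie and mac, so every session presents credentials;
# add https with an issued certificate when one is available.
/ip hotspot profile
add name=student-hsprof hotspot-address=192.168.13.1 use-radius=yes \
    radius-accounting=yes radius-interim-update=5m login-by=http-chap
/ip hotspot
add name=student-hotspot interface=vlan3 address-pool=student-pool \
    profile=student-hsprof addresses-per-mac=1 idle-timeout=10m disabled=no

# Forward chain: stateful accept first, explicit allows, then a final drop.
# The report's chain has no final drop, so its accept rules never decide
# anything; the drop here also blocks traffic between the three VLANs.
/interface list
add name=campus-vlans
/interface list member
add list=campus-vlans interface=vlan1
add list=campus-vlans interface=vlan2
add list=campus-vlans interface=vlan3
/ip firewall address-list
add list=blocked-hosts address=1.2.3.4 comment="Blocked host"
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop src-address-list=blocked-hosts
add chain=forward action=drop protocol=tcp dst-port=21,23 comment="no Telnet/FTP"
add chain=forward action=accept in-interface-list=campus-vlans out-interface=WAN
add chain=forward action=drop comment="default deny, isolates the VLANs"
```

Repeat the address, pool, DHCP and hotspot parts for vlan1 and vlan2 with their own subnets; the address pool and the final drop are the two pieces the report's own blocks leave out.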

CHAPTER FIVE

CONCLUSION AND RECOMMENDATION

In conclusion, a secured campus network based on AAA, MikroTik and Windows Server
technology is a crucial aspect of a modern organization. It provides protection against cyber
threats, allows for efficient data management and communication, and helps to ensure
regulatory compliance. To create a secured campus network, organizations need to follow a
set of design principles, including implementing multiple layers of security, dividing the
network into smaller segments, limiting access based on least privilege, using strong
authentication and authorization mechanisms, implementing monitoring and logging tools,
and ensuring compliance with regulatory requirements.

What we were unable to do

One of the primary challenges in cybersecurity is the constantly evolving nature of cyber
threats. Hackers and cybercriminals continuously develop new methods to exploit
vulnerabilities, often staying one step ahead of defensive measures. This perpetual arms race
means that what is considered safe today may be vulnerable tomorrow.

Resource constraints. Since this is a small project, there were no sophisticated devices and
not much capital, hence very limited resources, making the project difficult to maintain and an
easy target for hackers.

Limited technology. Due to limited resources and low maintenance, sophisticated
hackers can often find ways around these technologies, exploiting even the smallest
vulnerability.

5.2. REFERENCES
[1] M. Rukunujjaman, “Design and implementation of a secured campus network based on
Cisco router, Mikrotik, and Windows Server,” Bangladesh, 2023.
[2] S. Islam, “Design and implementation of login-based Wi-Fi hotspot network for a
university campus,” Springer Singapore, 2021.
[3] M. Ali, “Design and implementation of a secured campus network,” 2015.
[4] N. McKeown, “OpenFlow: enabling innovation in campus networks,” 2008.
[5] R. Zheng, “Assessing the security of campus network: the case of seven universities,”
2021.
[6] R. Normunds, RouterOS, 2024.
[7] H. N. Eke, “The use of social networking sites among the undergraduate students of
University of Nigeria, Nsukka.”
[8] N. Thin, “Design and implementation of a network connection of a university.”
[9] K. Joshua, “Design and implementations of campus monitoring,” May 2023.
[10] P. Wai, “Design and implementation of university campus network based on FTTH.”
[11] A. Yanqin, “Development of a network security system with Mikrotik,” 2020.
[12] H. Mohsin, “Design and implementation of large scale networks,” 2017.
