RFP

Supply, installation and maintenance of a WiFi access system in the ILO building

A. Objective

To install a high-speed wireless IT network in the meetings area on floors R2, M2, R3 and M3, on the south side of the building. This means providing users with a wideband connection. Initially, the aim is to allow simultaneous access for some 450 users in the meetings area including the library.

Any proposed solution will need to be compatible with the standards and protocols already in use at the ILO (the equipment used is of the Avaya type).

B. General specifications

1.  Technical specifications of the proposed system

The proposed wireless network will have to allow connection of portable computers coming from five continents and thus based on technologies different from those current in Europe. The proposal will therefore need to be compatible with the principal world standards and allow for further upgrades.

It must be possible for 450 people to be connected simultaneously in the meetings area including the library.

The supplier must specify:

·  whether the proposal could support handover (*) between access points (APs);

·  whether the specifications of the handover would allow the use of the WiFi network with VoIP/WiFi phones.

2.  Managing different user categories

The proposal must allow management of the following different categories of users:

·  Visitors from outside the ILO

·  ILO staff based in Geneva

·  ILO staff on mission/temporary assignment to Geneva

·  Delegates taking part in votes

·  Others

Depending on his or her profile (internal or external), the user will have access either to the Internet alone or to the Internet and to the ILO's existing IT network.

This means that the system proposed must be "multi-SSID" and must support VLAN technology. The system must allow activation and de-activation of SSID groups on request, for example during voting sessions (see paragraph 6).

3.  Internet access

The proposal must include Internet access (ADSL, leased line with direct connection to an internet access provider, etc.) dedicated to the WiFi network. The proposal will include installation and any necessary equipment. The subscription will be registered in the name of the supplier, who will then charge the ILO for this service.

The access bandwidth must be determined by the proposer but must allow for a minimum speed of 2 Mbps.

4.  Environmental constraints

Particular attention must be paid to the cabling. The supplier must, if it is considered appropriate, make a proposal for replacement of cables, in which case all cables must be concealed. Cables must be laid within ducts provided for this purpose. If false ceilings are used, cables must be protected and secured in such a way as to prevent accidental damage that might occur during maintenance operations or other subsequent work.

Access points (APs) must be integrated as inconspicuously as possible into the ILO environment.

5.  User authentication

User authentication will have to be effected through two redundant RADIUS (*) servers which should be included in the proposal.

These servers will have access, through the LDAP protocol, to the following databases:

- the NOVELL e-directory database, for ILO users;

- the access management system database (SQL Base), for visitors.

As these databases are connected to two independent network segments, it is envisaged that the two segments will be connected by a router which will filter traffic so as to allow only the SQL and RADIUS servers to communicate via a TCP port. The necessary hardware for this connection must be included in the proposal.

The RADIUS servers must record registration data and allow generation of usage statistics (number of simultaneous users, duration of individual connections, etc.).

6.  Electronic voting and specific applications

The proposal must allow the use of existing PC tablets for voting sessions and for other specified applications in the future.

These tablets have 802.11b WiFi access and are connected to an application installed on a Windows 2000 server. The supplier must explain how the proposed system will meet the following specific requirements:

6.1. Independence of each room from the others

It must be possible to conduct votes in each meeting room separately. As regards the WiFi, it must be possible to isolate each room from the others and from the rest of the building. This must be achievable with a minimum of effort and within one hour.

Radio interference between access points in adjacent rooms should be reduced to a minimum. In any given room, it should be possible to create an independent network comprising access points, an authentication server and an application server, all isolated from the cable network.

6.2. Isolation of rooms from the outside

Some meetings held in these rooms are confidential and it must be possible to prevent them from being broadcast over the WiFi network. For example, during a voting session, access to the Internet should be blocked. In each meeting room holding 200 or more people, it must be possible to use at least the 174 voting tablets simultaneously or spread between 3 rooms.

The authentication system of certain specific applications, such as the electronic voting system, will take precedence, and users of any of these applications will obtain authentication only via that authentication system.

7.  Management Interface

The system must provide a graphical user interface for WAP configuration, security, fault, performance and/or accounting management. The provider must clearly state how each of these requirements is achieved.

8.  Help service

A help service (in French and English) for ILO users must be proposed by the supplier, who will also be required to maintain the WiFi system as a whole (servers, filters, management tools, both hardware and software). Requests for assistance will be directed via the ILO's IT HelpDesk service (ITCOM).

C. Possible options

1. Extension to all or part of the rest of the building

Consideration should be given to extending the proposed system to all or part of the rest of the ILO building. Any proposal must be such that extension to other areas can be achieved without any reconfiguration of or impact on the existing WiFi network.

2.  Integration of a VoIP WiFi service (use of IP WiFi phones)

Consideration must be given to the possibility of using VoIP/WiFi phones on the WiFi network. Such a facility should be built into the system from the beginning, or alternatively, it should be possible to add on such a facility at a later date by simply updating the software.

Where this is done, the supplier must indicate how the proposal meets the requirements for the use of VoIP/WiFi telephony, in particular with regard to quality of service (QoS) and handover (*).

3.  Network printers

The proposal may include one or more network printers. These printers must be dedicated exclusively to the meetings area.

D. Adaptability

Increasing capacity

It must be possible to increase the number of simultaneous connections at low cost. For the meetings area, up to 700 extra users would need to be covered.

The supplier must specify the technical limitations of the proposed solution, particularly in terms of the number of simultaneous users and the number of access points (APs).

E. Security and Quality of Service (QoS)

1.  WPA2 (802.11i)

The supplier must ensure that the equipment provided is compatible with the 802.1x and 802.11i standards, also known as WPA2 (WPA version 2).

The equipment must also be compatible with WPA (version 1) and WEP standards.

It must also be able to support RC4 and AES encryptions.

Depending on the category of user (internal, external, VoIP), the ILO will need to be able to select different authorization protocols. For example, the ILO will need to be able to opt for an open network which redirects to a portal where a username and password can be entered by external users, whilst secure authentication will be needed for ILO collaborators to access the intranet.

2.  QoS

Since the solution provided must be multi-SSID in order to facilitate management of different categories of user, the ILO will need to be able to assign specific categories of services to each user category. Maximum priority will need to be given to VoIP traffic (either from the outset or after a software update).

3.  Failover (*)

The supplier must specify how the proposed system architecture will ensure that the system is unaffected by a single point of failure.

4.  Theft of an AP

The proposed solution must ensure that theft of an access point does not compromise the system's overall security. Under no circumstances should the theft of an access point require all APs in service to be reconfigured for security reasons.

5.  Public WiFi management

Since the objective is to have the minimum configuration possible on the client machine, the supplier must propose a hotspot management tool which allows for this (e.g. DHCP, depending on the proposal).

On arrival at the ILO, at the security barrier, visitors receive a badge in exchange for an identity document. If they wish to access the ILO's WiFi network, they will have to apply to reception, with their badge, and will be given a ticket (printed as needed) with a username (corresponding to their badge number) and password. In order to ensure that users with ILO WiFi access can be traced, the proposed mechanism must provide a connection between scanning the visitor’s badge and printing the ticket.

6.  Web page

A web page on which external users can enter their username and password must be provided. This page should contain all information on how the WiFi network functions, together with the ILO’s regulations for its use. This page should be designed in accordance with ILO standards and in consultation with the ILO.

A URL will be indicated on which, once connected, users can find all relevant directions and regulations for use.

Internal users will be taken to an ILO web page with a link to the intranet and other services the ILO may wish to offer. To access this internal network, a WPA2-compatible terminal must be used. Without a WPA2 card, the user will be refused access to the internal network, will have to log on to the external network (visitors) and will have access to the Internet only.

Users within the ILO will be able to buy approved WPA2 cards. The practical arrangements will need to be agreed with the ILO.

7.  Filtering (firewall, proxy, mail filtering)

Internet connections will be made via a filtering system (standards and protocols compatible with those of the ILO, if possible) in order to comply with existing security policies. The supplier will be responsible for providing, installing and maintaining the system.

8.  Redundancy

In order to ensure sufficient redundancy, two ADSL providers must be proposed.

F. Cabling

If the supplier considers it appropriate to replace existing cabling, the following requirements must be borne in mind:

·  the work must be carried out in accordance with relevant regulations by a company possessing the relevant technical expertise;

·  cables must be certified, category 5 at least (bearing in mind the limitations of Ethernet, in particular with regard to cable length);

·  the company must take account of the significant depth of ceiling spaces in the building and install appropriate equipment whilst ensuring compliance with current safety regulations;

·  the company shall provide one or more 19-inch racks for installing its equipment;

·  the equipment shall be installed at two locations provided for the purpose. Fibre optic or category 5 RJ 45 cables to link the two locations will be provided by the ILO.

G. Maintenance

1.  The proposing company must submit a proposed contract for maintaining its installations (rolling preventative maintenance, software updates, etc.).

2.  The company must also be available to carry out work at two hours’ notice in the event of a problem during office hours.

3.  The company shall state its hourly rate, including callout charges, for work involving repairs not covered by the maintenance contract.

4.  The company may be required to carry out work on a "24/7" basis at certain periods when the Organization is holding meetings.

H. Site visit

1.  Site visit

A site visit will be organized for Tuesday 19 September 2006 (from 09h30 to 11h30). The meeting will take place at the visitors’ entrance R2 North, ILO building, at 09h30. Kindly confirm your arrival to PROCUREMENT by e-mail, no later than 17 September 2006. Plans of the areas involved (R2, R3, M2 and M3) will be made available to candidate companies during this visit.

2.  Survey of radio coverage and capacity

During the visit, candidates will have the opportunity to request a second (individual) meeting to carry out any tests or measurements they consider necessary in order to draw up their proposals.

3.  Cabling

If cabling is included, candidate companies must, during the site visit or a second meeting, take all necessary action in order to prepare their proposals.

I. Security audit

The ILO reserves the right to arrange for a third party to audit the WiFi service as installed before accepting final delivery of the system.

J. Glossary

1. Handover:

User’s ability to roam within the coverage area, using different access points in succession. The candidate should specify whether there is a seamless redirection of traffic from one access point to another for sensitive applications such as VoIP.

2. Failover:

Architecture in which the same service is provided by two standby (redundant) servers. Failure of one of the servers goes unnoticed by users. It should be possible, in the event of server failure, for the single active server to transmit an alert message warning of the other server's failure.

3. RADIUS:

Remote Authentication Dial-In User Service.

A server compliant with RFC 2865 and 2866. The database should allow for updates, via the network, from a server belonging to the ILO.

K. Quantitative data

Item / Description / Total price, excl. VAT
1 / Preliminary survey to determine the number and type of access points and the type of antenna needed for the desired coverage and simultaneous connections
2 / Cable installation as required (cables must be concealed).
3 / Provision of an ADSL line, including the necessary router - fixed charges