Firewall Wizards mailing list archives
Re: Locking down public wireless access
From: "Dale W. Carder" <dwcarder () doit wisc edu>
Date: Tue, 22 Feb 2005 22:30:25 -0600
On Feb 19, 2005, at 12:30 PM, Chris Bills wrote:
At my university, the computer science department would like to offer wireless access to computer science students
Similar problem here, and soon to be campus-wide. We decided to take a multi-prong approach since we know we have to deal with users that may be in any one or more of faculty, staff, students, guests, the community, etc. We're working on rolling out a solution for this fall:
- End all centralized campus services that have clear text anything, and switch users to imap over ssl and the like.
- Start a marketing campaign to encourage everyone to use our big VPN concentrator when on the wireless network, at home, or whenever for that matter. Then we can forget all of this WEP64/WEP128/WPA/WPA2 crap plus cards and drivers that don't support anything reasonable and just put on a client the helpdesk already knows how to support.
- Create the ability for many key campus folks to create temporary accounts and be responsible for the actions of those people. (this will handle conferences well)
- Roll out a "captive portal" style network admission box. The captive portal also strongly encourages the use of VPN (and allows them to get the client before allowed through) when on the wireless network, but acts as a fallback mechanism for those without: the vpn client, clue, admin on their machines, or who are otherwise guests.
There's several free captive portal thingys out there like NoCatAuth, PacketFence, and then the vendors like Perfigo (now vendor C), BlueSocket, and BSi. We found that they all had limitations one way or another, so choose your poison carefully!
As others have noted, WEP is dead. Look at WPA at least. Or maybe WPA plus radius is for you, and I think that maybe even the latest stock linksys's can do that now. I ran hacked up firmware on a linksys box at home and wound up disappointed in the end. I haven't looked at WPA2 just yet, maybe others on the list have.
Dale

-----------------------------------------------
Dale W. Carder
Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards