We've discussed with the CalNet team, and would like to take the opportunity to clarify security policies and appropriate use for various wireless network options on the campus.
For guests without a CalNet affiliate status, there are currently two campus wireless options, CalVisitor and eduroam.

The eduroam service is available for guests with valid accounts at participating academic institutions, and offers the same service as Airbears2. If security issues are detected on an eduroam host, the home institution will be contacted, and if problems continue the offending MAC address may be blocked from our network.

CalVisitor is a free, unencrypted wireless service available to all campus visitors. Limited network services are allowed, though guests can use 3rd party VPN services to gain encryption and access to other services. When security issues are detected, the MAC address is blocked from CalVisitor. These blocks do not expire and support/troubleshooting is not offered.

While AirBears2 keys can be set for SPAs, it is *not* appropriate to share these account credentials with campus guests for use on their personal devices. SPAs are designed for campus departmental users to share access to certain resources assigned to the department and not to an individual. Only those authorized in the department to use the SPA should be given access to SPA authentication keys. The use case Graham describes, using a SPA AB2 key to connect shared departmental devices to the wireless network, is consistent with this policy and is appropriate. Handing out SPA AB2 keys to guests and visitors is not, just as you would not share your personal AB2 key with a guest.

If we detect security issues with an AB2 host using a SPA, we will notify the SPA administrator(s). It is up to these administrators to find the offending device using the SPA and remediate the issue. If this cannot be accomplished, the SPA AB2 key will be reset and all devices using it will lose connectivity. If problems continue we may block the SPA from using Airbears entirely.

As such, if you are sharing AB2 keys among many devices (personal or SPA), it is important that all of those devices are under your control and that you maintain some level of inventory.

Also, I would encourage anyone who feels that the current needs for wireless guest access are not being met to speak up. Letting campus service providers know about your unmet use cases is always preferable to quiet workarounds that may compromise security and violate campus policies.

Thanks and let us know if you have any questions,

--
Allison Henry
Security Operations Manager
Information Security and Policy
University of California, Berkeley
http://security.berkeley.edu

On 9/15/15 7:57 AM, Beth Muramoto wrote:
> Now that AirBears has retired and CalVisitor is being recommended for
> general web surfing where encryption isn't an issue, I wondered about
> short term guests who are here for more than a couple of days or for a
> month maximum who are not getting CalNet IDs (or getting affiliate
> status) to create AirBears2 keys, but are, for example, logging into
> email servers from home institutions, some in other countries. Isn't
> using CalVisitor, which isn't encrypted, ill advised to recommend?
>
> Also, it wasn't clear whether the AirBears guest account option is still
> an available option. I've assumed that it went away with AirBears, but I
> still see the link at the site. We have created 7 day guest accounts for
> guests coming for meetings here. Also, it sounds like the CalNet
> sponsorship option doesn't give AirBears2 access.
>
> Just wanted to know how all of you are handling these temporary wifi
> access situations.
>
> Thanks as always for your perspective.
>
> Beth
>
> --
> ***********************************************
> Beth Muramoto
> Computer Resource Specialist
> Graduate School of Education
> University of California, Berkeley
> 1650 Tolman Hall
> Berkeley, CA 94720
> Email: mailto:[email protected] <mailto:[email protected]>
> Phone: (510) 643-0203
> Fax: (510) 643-6239
>
> “Finish each day and be done with it. You have done what you could. Some
> blunders and absurdities have crept in – forget them as soon as you can.
> Tomorrow is a new day. You shall begin it serenely and with too high a
> spirit to be encumbered with your old nonsense.”
> -Emerson
>
> This is the essence of forgiveness. You can't change what happened but
> you can make sure it doesn't have the power to prevent you from being
> happy tomorrow.
>
> -Paul Boese
>
> “Kind words do not cost much yet they accomplish much.”
>
> -Blaise Pascal
>
> ***********************************************
>
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe
> from its mailing list and how to find out about upcoming meetings, please
> visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the
> list's archives can be browsed and searched on the Internet. This means
> these messages can be viewed by (among others) your bosses, prospective
> employers, and people who have known you in the past.
>
> ANNOUNCEMENTS: To send announcements to the Micronet list, please use the
> [email protected] list.
> -------------------------------------------------------------------------
