While it's possible that someone will crack the password and distribute it, I think it's a reasonable first step - simpler than putting up a captive portal.
And, if it doesn't work, the captive portal can be done later. I'll definitely be looking at that.

Kurt

On Wed, Feb 6, 2013 at 11:49 AM, Ziots, Edward <[email protected]> wrote:
> Kurt,
>
> Even with the password idea, you would have to rotate it daily if not weekly
> or someone will just leave it out where others can gain access. Honestly,
> anyone smart enough with AirCrack could get the password you put on the SSID.
>
> You could limit the DHCP scope to say 64 addresses and that might help limit
> the scope or number of people that can get on the Wireless network, or set up
> MAC filtering (again, can bypass that with MAC spoofing) but it would be a
> bit more manual process.
>
> I am thinking your idea about a portal process and authorization is probably
> the way to go.
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> This electronic message and any attachments may be privileged and
> confidential and protected from disclosure. If you are reading this message,
> but are not the intended recipient, nor an employee or agent responsible for
> delivering this message to the intended recipient, you are hereby notified
> that you are strictly prohibited from copying, printing, forwarding or
> otherwise disseminating this communication. If you have received this
> communication in error, please immediately notify the sender by replying to
> the message. Then, delete the message from your computer. Thank you.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Wednesday, February 06, 2013 2:36 PM
> To: NT System Admin Issues
> Subject: OT: Guest network security
>
> All,
>
> Quite some time ago, I set up an unsecured guest VLAN in our network,
> providing wireless access to all of the sundry devices that staff and
> visitors carry. I set up a small FreeBSD machine to serve IP addresses via
> DHCP, and that was dead simple.
>
> It is a layer2 VLAN, traversing our backbone, and terminating on our
> corporate firewall.
>
> However, there are now other tenants in our building, and the subnet is
> getting too much bandwidth and address consumption - the range I set up is
> completely filled, and the VLAN is consuming about half of our Internet pipe,
> which is far too much for my comfort.
>
> I suspect the other tenants are leeching.
>
> What I've read of captive portals seems to indicate that the portal is part
> of the firewall. I could be wrong about that, though. Regardless, the
> corporate firewall will not be allowed to be part of this solution.
>
> The only other alternative I see right now is to set up a password on the
> SSID, and have the front desk hand it out to guests, after mailing it to
> staff, and I'm getting pushback on that from my manager.
>
> Does anyone have some ideas I could pursue on this?
>
> Thanks,
>
> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
