Well, Europe is about 5 years ahead of US .edu's, so your sense of what's normal for eduroam is better than mine. I'm surprised, though. If the same person visits mpifr-bonn and uni-bonn and cam.uk, they might need three different passwords, and they must accept three different certificates for three different RADIUS servers. It starts to get less simple, and less secure.
We simply let guests who don't have eduroam at home on our open "Registration" SSID. When they log on, PacketFence changes their VLAN (or firewall rules, if you're running in-line). We find that we need an open SSID anyway because some devices (mainly gaming consoles and older smartphones) still do not support WPA2-Enterprise/802.1X. We have also had a few visitors whose corporate IT security policies prevent them from accepting 802.1X certificates. If you are concerned about guest wireless privacy, consider: - Turn on WEP or WPA2-PSK for your Registration SSID (supported by more devices than WPA2-Enterprise) - If it's easy to get a Guest account, does encryption really help? An attacker could ARP-spoof almost as easily. -- Rich Graves http://claimid.com/rcgraves Carleton.edu Sr UNIX and Security Admin ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
