RE: [WIRELESS-LAN] wireless guest access
It is great to hear what everyone is doing, it's a great confirmation of what we too are doing. We have a website that allows anyone to create an account. It works by sending the user a website to visit after filling out some preliminary information and has at least a little verification in that the e-mail address is at least checked. In conjunction with this we have a sponsored account. We try to use this the most. It allows a department to create accounts for their guests and/or allows the guest to make their own accounts on behalf of the department they are working for. All of these accounts are in our LDAP and RADIUS servers.

Cheers,

-Original Message-
From: Jonn Martell [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 2:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Re: [WIRELESS-LAN] wireless guest access

What we did at UBC, was to allow any faculty and staff to "sponsor" guests. Much like a faculty member can grant a visiting faculty member the use of their office, meeting room etc. we felt it made sense to allow them to do this for network access. The Faculty/Staff is effectively responsible to properly identify the user by providing all the details and ultimately, the sponsors are responsible since they granted them access.

Since I left IT last year, I won't comment on things that aren't public.

For non-affiliated commercial users, the two options available were to create a commercial/hotspot service to validate users based on billing information or just partner with a commercial Hotspot provider. Last summer, the decision was made to partner with a private sector operator for a one year pilot/trial. So UBC students, staff and faculty have free roaming to Fatport locations in exchange for Fatport selling commercial services on campus via a dedicated SSID/BSSID which they are responsible for on the AUP side of things. Not a bad approach if you have the size to attract the commercial provider(s).

I can't provide any information except what is in the public domain; please refer to the URLs below for more specific info and contact information.

http://www.it.ubc.ca/internet/wireless/fatport.html
http://fatport.com/aboutus/press_releases/press58.php

It should be interesting to see if the trial agreement turns into a long term one.

Jonn Martell, PMP, CWNE, CWNT
Martell Consulting, www.martell.ca [EMAIL PROTECTED]
Tech instructor - UBC [EMAIL PROTECTED]

On 2/26/07, Landau, Gary <[EMAIL PROTECTED]> wrote:
>
> At LMU we have a guest/visitor account that a faculty/staff member can
> request the password to and we change the password periodically. This is
> akin to what Ken Connell indicated they're doing at Ryerson Univ.
>
> Our library also provides paid admittance to the Library for people in the
> community and they give out the password when that is done. This was
> initially a concern, but we learned that libraries are exempt from CALEA.
>
> -Gary
>
> Gary Landau, CISSP, CCNP
> Director | Network Services
> -
> Loyola Marymount University
> Information Technology
> One LMU Drive | Los Angeles, CA 90045
> p.310.338.4434 f.310.338.2326
> [EMAIL PROTECTED] | http://its.lmu.edu
> -
> LMU|LA IT: We Deliver!
>
> From: Scholz, Greg [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 26, 2007 10:16 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wireless guest access
>
> Very timely. I am about to launch a project called "public port security and
> guest access" that will attempt to define exactly this. I would like to hear
> all other responses as well. (I suggest if you are considering Wireless
> guests, you should be considering wired as well)
>
> * Currently we have NO guest access on wireless.
>
> * We recently changed all our "public lab" computers to use AD
> authentication (e.g. no more public/guest access)
>
> * We use CCA in reshalls and enable the guest button JUST FOR THE
> SUMMER (for all the conferences/camps we have during that time) so
> effectively no guest access except for summer
>
> * The ONLY real guest access we have right now is any network port in
> a publicly accessible location can be used by anyone without any type of
> check. (These are the "public ports" referred to in my project title above).
> INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their
> own.
>
> * We will attempt to balance the tremendous desire for wireless &
> wired guest access, CALEA, security and manageability.
>
> I am thinking we may wind up w
RE: [WIRELESS-LAN] Re: [WIRELESS-LAN] wireless guest access
It is great to hear what everyone is doing, it's a great confirmation of what we too are doing. We have a website that allows anyone to create an account. It works by sending the user a website to visit after filling out some preliminary information and has at least a little verification in that the e-mail address is at least checked. In conjunction with this we have a sponsored account. We try to use this the most. It allows a department to create accounts for their guests and/or allows the guest to make their own accounts on behalf of the department they are working for. All of these accounts are in our LDAP and RADIUS servers.

Cheers,

-Original Message-
From: Cal Frye [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 5:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Re: [WIRELESS-LAN] wireless guest access

Lee Badman wrote:
> Anybody rethinking any of their sponsored guest/open access policies
> because of CALEA concerns?

Bingo. We are just beginning to roll out a means of provisioning sponsored accounts. Basically, a student, faculty, or staff member will be able to create N number of guest accounts with a duration of X days, limited rights granted to the network. It's expected that maximum values of N and X will vary with the role of the creator. Sponsored accounts will have a standard prefix to avoid collision with existing usernames, and passwords will be generated at account creation.

These sponsored accounts will then in turn be permitted to authenticate to the network via Cisco NAC. All wired and wireless communications will pass through Cisco NAC, so we'll catch everybody. This will replace the built-in guest access provisions of Cisco NAC.

We're doing this as a part of a self-service password reset application we were already considering -- that's the carrot to go along with the stick.

-- Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com

"In American work places, bosses routinely snoop into personal e-mails and monitor our web-surfing practices. How did it come about that so many Americans have grown to accept such demeaning intrusions into our privacy?" -- Phil Rockstroh.

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] wireless guest access
Lee Badman wrote:
> Anybody rethinking any of their sponsored guest/open access policies
> because of CALEA concerns?

Bingo. We are just beginning to roll out a means of provisioning sponsored accounts. Basically, a student, faculty, or staff member will be able to create N number of guest accounts with a duration of X days, limited rights granted to the network. It's expected that maximum values of N and X will vary with the role of the creator. Sponsored accounts will have a standard prefix to avoid collision with existing usernames, and passwords will be generated at account creation.

These sponsored accounts will then in turn be permitted to authenticate to the network via Cisco NAC. All wired and wireless communications will pass through Cisco NAC, so we'll catch everybody. This will replace the built-in guest access provisions of Cisco NAC.

We're doing this as a part of a self-service password reset application we were already considering -- that's the carrot to go along with the stick.

-- Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com

"In American work places, bosses routinely snoop into personal e-mails and monitor our web-surfing practices. How did it come about that so many Americans have grown to accept such demeaning intrusions into our privacy?" -- Phil Rockstroh.
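The sponsored-account scheme described in this message, as an added Python sketch that is not part of the original post and not Oberlin's implementation: per-role caps on N and X, a standard username prefix, and passwords generated at creation. The role table, the `guest-` prefix and every class and function name are assumptions made for illustration.

```python
"""Sponsored guest accounts: per-role caps, prefixed usernames, generated passwords.
Added illustration; the role table, prefix and names are assumptions."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed caps per sponsor role: (max active guest accounts N, max lifetime X in days).
ROLE_LIMITS = {"student": (2, 3), "staff": (10, 14), "faculty": (10, 31)}
PREFIX = "guest-"  # assumed prefix; ordinary usernames are never issued with it
# Skip look-alike characters because guests retype the password from a printout.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


class ProvisioningError(Exception):
    """The request exceeds what the sponsor's role allows."""


@dataclass
class GuestAccount:
    username: str
    sponsor: str
    expires: datetime
    password: str  # shown once to the sponsor; a real store keeps only a hash


class GuestRegistry:
    def __init__(self, existing_usernames=()):
        self.taken = set(existing_usernames)
        self.accounts = []

    def active_for(self, sponsor, now):
        """Unexpired accounts charged against this sponsor's quota."""
        return [a for a in self.accounts if a.sponsor == sponsor and a.expires > now]

    def _new_username(self):
        # The prefix prevents clashes with regular users; the loop covers
        # the rare clash between two random suffixes.
        while True:
            name = PREFIX + secrets.token_hex(3)
            if name not in self.taken:
                self.taken.add(name)
                return name

    def create(self, sponsor, role, count, days, now=None):
        """Create `count` guest accounts valid for `days`, or raise ProvisioningError."""
        now = now or datetime.now(timezone.utc)
        if role not in ROLE_LIMITS:
            raise ProvisioningError(f"role {role!r} may not sponsor guests")
        max_n, max_days = ROLE_LIMITS[role]
        if not 1 <= days <= max_days:
            raise ProvisioningError(f"{role} may grant 1..{max_days} days, not {days}")
        active = len(self.active_for(sponsor, now))
        # Validate the whole batch first so a refused request creates nothing.
        if count < 1 or active + count > max_n:
            raise ProvisioningError(f"{role} quota is {max_n} active guests, {active} in use")
        batch = [
            GuestAccount(
                username=self._new_username(),
                sponsor=sponsor,
                expires=now + timedelta(days=days),
                password="".join(secrets.choice(ALPHABET) for _ in range(12)),
            )
            for _ in range(count)
        ]
        self.accounts.extend(batch)
        return batch

    def may_authenticate(self, username, now):
        """The check the network access layer would make at login time."""
        return any(a.username == username and a.expires > now for a in self.accounts)


if __name__ == "__main__":
    t0 = datetime(2007, 2, 26, 17, 0, tzinfo=timezone.utc)  # constructed sample date
    reg = GuestRegistry(existing_usernames={"jdoe"})
    for acct in reg.create("jdoe", "staff", 3, 7, now=t0):
        print(acct.username, acct.expires.isoformat())
```

Expired accounts stop counting against the sponsor's quota, so the cap limits concurrent guests rather than lifetime totals.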
RE: RE: [WIRELESS-LAN] wireless guest access
I am not aware of the "piggy-back" compliance concept in the CALEA regulations. The lack of CALEA compliant devices does not excuse an organization that needs to be CALEA-compliant from becoming so. Most service providers are becoming compliant by either buying the appropriate probes or establishing a relation with a trusted third-party who does so on their behalf.

All educational institutions should have discussed questions surrounding CALEA with their legal counsel prior to the February 12 filing date, even if they believe it doesn't apply to their school.

Regards,

Frank

-Original Message-
From: Casey, J Bart [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 2:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: [WIRELESS-LAN] wireless guest access

As for the CALEA issue, we have spent a fair amount of time discussing CALEA and its implications internally and with our 2 ISPs and have come to the conclusion that even though we provide anonymous access, we are exempt for the following reasons:

1) Both of our ISPs are CALEA compliant. So, we "piggy-back" off of their compliance.
2) There are no CALEA compliant devices available to our organization at this point in time.

I hope that helps.

J. Bart Casey
Network Engineer
Wofford College

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- --
Kevin Lanning
lanning at unc.edu
RE: [WIRELESS-LAN] wireless guest access
Kevin and Lee,

We are providing Guest access via a beaconed SSID on our Cisco Aironet 1230s. When a user connects to that SSID, they are placed into a VLAN for one of our DMZs and are assigned IP addressing and DNS information by a Linux Box running a Captive Portal Package (NoCat Auth). We limit the DHCP scope to 126 devices as we don't have many guests connecting to our "guest wireless network".

When users connect they are required to click-to-accept an AUP before being provided access to the internet. Their connectivity is valid for a period of 24 hours or 5 minutes of inactivity (these are adjustable); whichever comes first. At the point of expiration, the user is required to re-accept the AUP before continuing. All of their information is logged to include assigned IP address, system name, and MAC-Address.

All of the bandwidth is rate-shaped to 256Kbps Up/Down via 2 CBQ configuration files (one for ingress and one for egress). Since this software is iptables based, we are also able to limit the type of traffic that is allowed for these guests. We allow http, https, pop3, imap, telnet, and SSH. Everything else is explicitly denied including SMTP as we don't want to provide the ability to spam from our network. This system has no access to our internal network at all which helps keep our internal systems and traffic secure in relation to the Guest Network.

We provide "authorized wireless access" through a non-beaconed SSID on the same access point and a different VLAN. We also use PEAP on the "authorized wireless network" which helps keep the two methods of access further separated. Yes, I'm aware there are better methods for securing our "authorized wireless network" but due to the dynamic nature of our "authorized clients" and political boundaries, we have opted for a path with minimal resistance.

As for the CALEA issue, we have spent a fair amount of time discussing CALEA and its implications internally and with our 2 ISPs and have come to the conclusion that even though we provide anonymous access, we are exempt for the following reasons:

1) Both of our ISPs are CALEA compliant. So, we "piggy-back" off of their compliance.
2) There are no CALEA compliant devices available to our organization at this point in time.

As a side note, the Captive Portal box is also configured to provide guest access to the wired network which will be of great use as we convert the campus to support 802.1x for wired connections. Through this method, guests have the option to log in using RADIUS credentials and gain access to the secure certificates and configuration instructions or connect as a guest using the same method listed above with the wireless guest access. We provide a larger DHCP scope for our wired users (1022) since more people connect to the wired network. Since RADIUS is clear text and I haven't found a package that supports TACACS authentication yet we don't provide this option to wireless users.

I hope that helps.

J. Bart Casey
Network Engineer
Wofford College

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- --
Kevin Lanning
lanning at unc.edu
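The gateway policy described in the message above, as an added Python model that is not part of the original post and is not NoCat Auth or Wofford's configuration: it shows the "24 hours or 5 minutes idle, whichever comes first" expiry and why the internal-network deny has to be evaluated before the service allow list. The internal address ranges, the decision strings and all names are assumptions.

```python
"""Decision model for a click-through guest gateway (added illustration)."""
import ipaddress
from dataclasses import dataclass

ABSOLUTE_LIMIT = 24 * 3600  # seconds an AUP acceptance stays valid
IDLE_LIMIT = 5 * 60         # seconds of inactivity before the AUP must be re-accepted
# TCP services the message lists: http, https, pop3, imap, telnet, ssh.
ALLOWED_TCP = {80, 443, 110, 143, 23, 22}
# Assumed internal address space that the guest VLAN must never reach.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Session:
    mac: str
    ip: str
    hostname: str
    accepted_at: float
    last_seen: float


class GuestGateway:
    def __init__(self):
        self.sessions = {}  # keyed by client MAC address
        self.log = []       # (time, event, ip, hostname, mac), the fields the message logs

    def accept_aup(self, mac, ip, hostname, now):
        """Record a click-through and start both timers."""
        self.sessions[mac] = Session(mac, ip, hostname, now, now)
        self.log.append((now, "AUP_ACCEPTED", ip, hostname, mac))

    def _session_valid(self, mac, now):
        s = self.sessions.get(mac)
        if s is None:
            return False
        # Whichever limit is hit first ends the session.
        if now - s.accepted_at >= ABSOLUTE_LIMIT or now - s.last_seen >= IDLE_LIMIT:
            del self.sessions[mac]
            self.log.append((now, "EXPIRED", s.ip, s.hostname, s.mac))
            return False
        return True

    def decide(self, mac, proto, dst_ip, dst_port, now):
        """Return REDIRECT_TO_PORTAL, ACCEPT or DROP for one new flow."""
        if not self._session_valid(mac, now):
            return "REDIRECT_TO_PORTAL"
        self.sessions[mac].last_seen = now  # any traffic counts as activity
        dst = ipaddress.ip_address(dst_ip)
        # Internal deny comes first: port 443 on an internal host is still off limits.
        if any(dst in net for net in INTERNAL_NETS):
            return "DROP"
        if proto == "tcp" and dst_port in ALLOWED_TCP:
            return "ACCEPT"
        return "DROP"  # default deny, which covers SMTP (tcp/25)


if __name__ == "__main__":
    gw = GuestGateway()
    mac = "02:00:00:00:00:01"  # constructed sample client
    gw.accept_aup(mac, "192.0.2.10", "visitor-laptop", now=0)
    for flow in [("tcp", "198.51.100.7", 443), ("tcp", "198.51.100.7", 25),
                 ("tcp", "10.1.2.3", 443)]:
        print(flow, gw.decide(mac, *flow, now=10))
```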
RE: [WIRELESS-LAN] wireless guest access
Are libraries really exempt from CALEA? "It depends", is probably a better answer. See http://www.merit.edu/events/mjts/meetings/pdf/Abshere_MJTS.pdf for some details, and review www.educause.edu/calea for more info.

The main concern is the extent of public access. It seems that if such usage is incidental and minor that it shouldn't require the institution to be CALEA-compliant, but having an open SSID on a campus-wide wireless network might swing things the other way.

Frank

_
From: Landau, Gary [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 12:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

At LMU we have a guest/visitor account that a faculty/staff member can request the password to and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ.

Our library also provides paid admittance to the Library for people in the community and they give out the password when that is done. This was initially a concern, but we learned that libraries are exempt from CALEA.

-Gary

Gary Landau, CISSP, CCNP
Director | Network Services
-
Loyola Marymount University
Information Technology
One LMU Drive | Los Angeles, CA 90045
p.310.338.4434 f.310.338.2326
[EMAIL PROTECTED] | http://its.lmu.edu
-
LMU|LA IT: We Deliver!

_
From: Scholz, Greg [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well)

* Currently we have NO guest access on wireless.
* We recently changed all our "public lab" computers to use AD authentication (e.g. no more public/guest access)
* We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer
* The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own.
* We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability.

I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- --
Kevin Lanning
lanning at unc.edu
Re: [WIRELESS-LAN] wireless guest access
All,

The FWNA (Federated Wireless Network Auth) working group from Internet2 is putting together a "visitor access" survey. It should be up in less than 2 weeks, the final results will be presented at the April Member Meeting (Arlington, VA) and results will be online as well. This is a pretty extensive survey (Sponsoring, CALEA, 802.1x, ...)

So hold your breath and save us some energy please ;-) We will send the link to the survey to this list.

Thanks,

Philippe Hanset
University of TN

On Mon, 26 Feb 2007, Kevin Lanning wrote:
> Wondering what academic institutions are doing these days regarding
> wireless access for guests?
> -- --
> Kevin Lanning
> lanning at unc.edu
Re: [WIRELESS-LAN] wireless guest access
What we did at UBC, was to allow any faculty and staff to "sponsor" guests. Much like a faculty member can grant a visiting faculty member the use of their office, meeting room etc. we felt it made sense to allow them to do this for network access. The Faculty/Staff is effectively responsible to properly identify the user by providing all the details and ultimately, the sponsors are responsible since they granted them access.

Since I left IT last year, I won't comment on things that aren't public.

For non-affiliated commercial users, the two options available were to create a commercial/hotspot service to validate users based on billing information or just partner with a commercial Hotspot provider. Last summer, the decision was made to partner with a private sector operator for a one year pilot/trial. So UBC students, staff and faculty have free roaming to Fatport locations in exchange for Fatport selling commercial services on campus via a dedicated SSID/BSSID which they are responsible for on the AUP side of things. Not a bad approach if you have the size to attract the commercial provider(s).

I can't provide any information except what is in the public domain; please refer to the URLs below for more specific info and contact information.

http://www.it.ubc.ca/internet/wireless/fatport.html
http://fatport.com/aboutus/press_releases/press58.php

It should be interesting to see if the trial agreement turns into a long term one.

Jonn Martell, PMP, CWNE, CWNT
Martell Consulting, www.martell.ca [EMAIL PROTECTED]
Tech instructor - UBC [EMAIL PROTECTED]

On 2/26/07, Landau, Gary <[EMAIL PROTECTED]> wrote:

At LMU we have a guest/visitor account that a faculty/staff member can request the password to and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ.

Our library also provides paid admittance to the Library for people in the community and they give out the password when that is done. This was initially a concern, but we learned that libraries are exempt from CALEA.

-Gary

Gary Landau, CISSP, CCNP
Director | Network Services
-
Loyola Marymount University
Information Technology
One LMU Drive | Los Angeles, CA 90045
p.310.338.4434 f.310.338.2326
[EMAIL PROTECTED] | http://its.lmu.edu
-
LMU|LA IT: We Deliver!

From: Scholz, Greg [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well)

· Currently we have NO guest access on wireless.
· We recently changed all our "public lab" computers to use AD authentication (e.g. no more public/guest access)
· We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer
· The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own.
· We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability.

I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- --
Re: [WIRELESS-LAN] wireless guest access
Thus spake Kevin Lanning ([EMAIL PROTECTED]) on Mon, Feb 26, 2007 at 12:46:48PM -0500:
> Wondering what academic institutions are doing these days regarding
> wireless access for guests?

In general, a person not affiliated with the institution may not use our network. However, anyone on payroll (including students) can authorize individual guest access by generating a temporary ID that will only allow access through a captive portal.

http://www.doit.wisc.edu/security/policies/guest_NetID.asp
http://www.doit.wisc.edu/services/guestid/index.asp

The id can last from 1-31 days. If they need access for longer, there is a more formal affiliation procedure used (that can also optionally allow access to other systems).

One nice thing I like about our system is that it can generate many id's at once which is crucial for conferences.

Dale

-- Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder
RE: [WIRELESS-LAN] wireless guest access
At LMU we have a guest/visitor account that a faculty/staff member can request the password to and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ.

Our library also provides paid admittance to the Library for people in the community and they give out the password when that is done. This was initially a concern, but we learned that libraries are exempt from CALEA.

-Gary

Gary Landau, CISSP, CCNP
Director | Network Services
-
Loyola Marymount University
Information Technology
One LMU Drive | Los Angeles, CA 90045
p.310.338.4434 f.310.338.2326
[EMAIL PROTECTED] | http://its.lmu.edu
-
LMU|LA IT: We Deliver!

From: Scholz, Greg [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well)

* Currently we have NO guest access on wireless.
* We recently changed all our "public lab" computers to use AD authentication (e.g. no more public/guest access)
* We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer
* The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own.
* We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability.

I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- --
Kevin Lanning
lanning at unc.edu
RE: [WIRELESS-LAN] wireless guest access
Very timely. I am about to launch a project called "public port security and guest access" that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well)

* Currently we have NO guest access on wireless.
* We recently changed all our "public lab" computers to use AD authentication (e.g. no more public/guest access)
* We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer
* The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the "public ports" referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own.
* We will attempt to balance the tremendous desire for wireless & wired guest access, CALEA, security and manageability.

I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
-- --
Kevin Lanning
lanning at unc.edu
Re: [WIRELESS-LAN] wireless guest access
We have a GUEST SSID with WEP and captive portal. There is a daily username/password any faculty/staff member can get for the day, or accounts can be made for guests who need access for longer periods.

So far that's worked for us...

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Lee Badman <[EMAIL PROTECTED]>
Date: Monday, February 26, 2007 1:05 pm
Subject: Re: [WIRELESS-LAN] wireless guest access
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

> Would like to expand out Kevin's question- what of wireless access for
> guests, and for the non-affiliated folks (anonymous) that might end up
> on campus?
>
> Anybody rethinking any of their sponsored guest/open access policies
> because of CALEA concerns?
>
> Regards-
>
> Lee Badman
> Network/Wireless Engineer
> Syracuse University
> 315 443-3003
>
> >>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
> Wondering what academic institutions are doing these days regarding
> wireless access for guests?
> --
> --
> Kevin Lanning
> lanning at unc.edu
Re: [WIRELESS-LAN] wireless guest access
Would like to expand out Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus?

Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns?

Regards-

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding wireless access for guests?
--
--
Kevin Lanning
lanning at unc.edu
Re: [WIRELESS-LAN] Wireless Guest Access
At the moment, it's pretty much up to the sponsor of the guest to get them that information, but, yes, the instructions themselves are published on a public web page. When the sponsor registers the account, the confirmation page displays a link to those web instructions, which are tailored to visitors, and invites the sponsor to email the link to his guest(s) before they arrive.

--Mike

On Mar 22, 2006, at 5:26 PM, Philippe Hanset wrote:

Michael,

How do you distribute the 802.1x material/instructions to visitors? Any web interface at any point?

Philippe Hanset
University of Tennessee

On Wed, 22 Mar 2006, Michael Griego wrote:

We require 802.1x authentications for all users on our network. As such, I recently wrote an application that will allow a FTE staff/faculty member to request a guest 802.1x login for their guest(s). The account is then autogenerated, loaded into our RADIUS servers (FreeRADIUS), and we get an email notifying us of the new account. The accounts all start with "guest-", and the user is allowed to pick an up-to-8-character identifier for their users to make the login easy to remember, so the actual username ends up being "guest-identifier". The password is autogenerated.

Currently, due to limitations in our equipment, they're stuck on the same VLAN as the rest of our wireless users, however we expect to segregate these users once we get some upgraded hardware in place. The thought there is to, once they've authenticated, force each user to a captive portal where they can acknowledge our AUP before continuing.

So far, the application seems to have been very well received. Previously, a "sponsor" had to contact the help desk to have the MAC address of the user(s) registered and get the user set up with the correct WEP key. Now, a "sponsor" can simply follow the directions to request an account, and no help desk or other outside human intervention is required. When the account is created, the "sponsor" is given a web link on how to properly configure the wireless settings for our network that can be given to the guest ahead of time or printed for when he/she/they arrives on campus. So, the only time the help desk or other personnel get involved is when there is a problem. And, we didn't have to open up our network to allow guest access. :)

--Mike

Bennefield, Cully A. wrote:

We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
Michael,

How do you distribute the 802.1x material/instructions to visitors? Any web interface at any point?

Philippe Hanset
University of Tennessee

On Wed, 22 Mar 2006, Michael Griego wrote:

> We require 802.1x authentications for all users on our network. As
> such, I recently wrote an application that will allow a FTE
> staff/faculty member to request a guest 802.1x login for their guest(s).
> The account is then autogenerated, loaded into our RADIUS servers
> (FreeRADIUS), and we get an email notifying us of the new account. The
> accounts all start with "guest-", and the user is allowed to pick an
> up-to-8-character identifier for their users to make the login easy to
> remember, so the actual username ends up being "guest-identifier". The
> password is autogenerated.
>
> Currently, due to limitations in our equipment, they're stuck on the
> same VLAN as the rest of our wireless users, however we expect to
> segregate these users once we get some upgraded hardware in place. The
> thought there is to, once they've authenticated, force each user to a
> captive portal where they can acknowledge our AUP before continuing.
>
> So far, the application seems to have been very well received.
> Previously, a "sponsor" had to contact the help desk to have the MAC
> address of the user(s) registered and get the user set up with the
> correct WEP key. Now, a "sponsor" can simply follow the directions to
> request an account, and no help desk or other outside human intervention
> is required. When the account is created, the "sponsor" is given a web
> link on how to properly configure the wireless settings for our network
> that can be given to the guest ahead of time or printed for when
> he/she/they arrives on campus. So, the only time the help desk or other
> personnel get involved is when there is a problem. And, we didn't have
> to open up our network to allow guest access. :)
>
> --Mike
>
> Bennefield, Cully A. wrote:
> > We are exploring the possibility of offering guest wireless access and I
> > would like to get a feel for how others might be handling it. Any and
> > all information and opinions will be greatly appreciated.
> >
> > Thanks,
> > Cully
> >
> > Cully Bennefield
> > Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
Here at Emory, we have an open SSID for guest access as well as "legacy" VPN Student/Faculty/Staff access. We use a captive portal to present guests with 4 screens worth of our AUP, TOS, rules and regulations before requesting their email address for guest access "authentication". Guest access is limited to Web (80), Secure Web (443), DNS (53), and VPN - IPsec or PPTP. We also limit their bandwidth to 500kbps. If the guest wants to do anything besides web, like POP3 or IMAP email, FTP, IM, etc, they need to VPN to their home company or institution.

We also have an 802.1X/WPA/WPA2 SSID for authenticated Student/Faculty/Staff access.

Our wireless hardware from Aruba allows us to do all of this - captive portal, firewall/bandwidth limiting, and legacy VPN concentration - easily without any additional boxes.

>>-> Stan Brooks - CWNA/CWSP
Emory University
Network Communications Division

Original Message
From: Bennefield, Cully A.
Date: 3/22/2006 3:02 PM

We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
We use a product called "Roving Planet" that controls access by everyone to our wireless system. Our wireless system is in its own vlan with the Roving Planet acting as a vlan bridge for authenticated users. The product interfaces with our Active Directory system, so we have set up a number of guest accounts that are controlled by our help desk. The help desk resets the passwords on these accounts periodically.

Roving Planet also allows us to control access to wired ports using the same authentication scheme as long as the wired ports are in a specific vlan.

Jim Driskell
University of Puget Sound

-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 22, 2006 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Guest Access

We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
At Syracuse we use a captive portal. There are three levels of access:

* LDAP authenticated - Full Access
* users in LDAP can create SQL based Guest Accounts for friends - Nearly Full Access
* anonymous Free access - limited in speed and ports (perceptibly annoying web, https, vpn)

(We have the ability to readily boot off and deny access by MAC -- IDS sensors)
(The portal is consistent with our resnet policy enforcement requirements)

>>> [EMAIL PROTECTED] 3/22/2006 3:02:33 PM >>>
We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
We offer guest access with captive portal. Users must ask for access and a temp account will be created.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: David Gillett <[EMAIL PROTECTED]>
Date: Wednesday, March 22, 2006 3:25 pm
Subject: Re: [WIRELESS-LAN] Wireless Guest Access

> At the moment, all of our access is "guest" except for specific
> client laptops that belong to the college. This will provide access
> to our portal when it comes online, so users with portal accounts
> will be able to reach additional resources through that.
> Eventually, deployment of Identity Management and 802.1x and VPN
> may, in some combination, allow us to offer non-guest access at
> the wireless connection, but that's still somewhere in the pipeline.
>
> Note that there are a variety of "wireless security" products
> which focus on access to the wireless service, and so don't apply
> if you offer "guest" access. Instead, attention needs to focus on
> "where can these clients get to", and that applies as well to open
> wired ports (we're starting to see these in some classrooms and
> drop-in areas) as to wireless.
>
> David Gillett, CISSP CCNP
> Foothill-DeAnza College District
>
> > -Original Message-
> > From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, March 22, 2006 12:03 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: [WIRELESS-LAN] Wireless Guest Access
> >
> > We are exploring the possibility of offering guest wireless
> > access and I would like to get a feel for how others might be
> > handling it. Any and all information and opinions will be
> > greatly appreciated.
> >
> > Thanks,
> > Cully
> >
> > Cully Bennefield
> > Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
Cully,

We currently have three VLANs on our wireless system: One for students (non-broadcast SSID), and one for faculty and staff (also non-broadcast). These require network credentials for authentication. Then we have the broadcasted VLAN for guests/public use. This VLAN is effectively a secondary DMZ hanging off of our firewall, and has no access to the internal LAN at all.

Hope this helps,

John Steely
Network Manager
Infrastructure Systems Department
Library and Information Services
Dickinson College
P.O. Box 1773
Carlisle, PA 17013
[EMAIL PROTECTED]

-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 22, 2006 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Guest Access

We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
Re: [WIRELESS-LAN] Wireless Guest Access
We require 802.1x authentications for all users on our network. As such, I recently wrote an application that will allow a FTE staff/faculty member to request a guest 802.1x login for their guest(s). The account is then autogenerated, loaded into our RADIUS servers (FreeRADIUS), and we get an email notifying us of the new account. The accounts all start with "guest-", and the user is allowed to pick an up-to-8-character identifier for their users to make the login easy to remember, so the actual username ends up being "guest-identifier". The password is autogenerated.

Currently, due to limitations in our equipment, they're stuck on the same VLAN as the rest of our wireless users, however we expect to segregate these users once we get some upgraded hardware in place. The thought there is to, once they've authenticated, force each user to a captive portal where they can acknowledge our AUP before continuing.

So far, the application seems to have been very well received. Previously, a "sponsor" had to contact the help desk to have the MAC address of the user(s) registered and get the user set up with the correct WEP key. Now, a "sponsor" can simply follow the directions to request an account, and no help desk or other outside human intervention is required. When the account is created, the "sponsor" is given a web link on how to properly configure the wireless settings for our network that can be given to the guest ahead of time or printed for when he/she/they arrives on campus. So, the only time the help desk or other personnel get involved is when there is a problem. And, we didn't have to open up our network to allow guest access. :)

--Mike

Bennefield, Cully A. wrote:

We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
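The account-request flow described in the message above ("guest-" prefix, sponsor-chosen identifier of up to 8 characters, autogenerated password, entry loaded into FreeRADIUS), sketched as an added example that is not part of the original post and is not the application it mentions. The allowed character set, the password length and alphabet, the sponsor-name check and the choice of a `users` file entry with `Cleartext-Password` are assumptions.

```python
import re
import secrets

GUEST_PREFIX = "guest-"   # from the post: every guest account starts with "guest-"
# Assumption: identifiers are 1-8 lowercase letters or digits. The post gives
# only the 8-character limit; the character set is restricted here so the
# sponsor's input cannot carry quotes, spaces or newlines into the users file.
IDENT_RE = re.compile(r"[a-z0-9]{1,8}")
# Assumption: sponsor logins look like ordinary account names.
SPONSOR_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
# Assumption: 14 characters from an alphabet without look-alikes (0/O, 1/l/I),
# because guests type the password by hand from a printed sheet.
PW_ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PW_LENGTH = 14


def existing_usernames(users_text):
    """Return the entry names already defined in a FreeRADIUS 'users' file."""
    names = set()
    for line in users_text.splitlines():
        # Entries start in column 0; reply items are indented, comments use '#'.
        if not line or line[0] in " \t#":
            continue
        names.add(line.split()[0])
    return names


def make_username(identifier, taken):
    """Build 'guest-<identifier>' or raise ValueError on bad or duplicate input."""
    ident = identifier.strip().lower()
    if not IDENT_RE.fullmatch(ident):
        raise ValueError("identifier must be 1-8 letters or digits")
    username = GUEST_PREFIX + ident
    if username in taken:
        raise ValueError(username + " already exists")
    return username


def make_password():
    """Autogenerate the password from the OS CSPRNG (never sponsor-chosen)."""
    return "".join(secrets.choice(PW_ALPHABET) for _ in range(PW_LENGTH))


def provision_guest(identifier, sponsor, users_text):
    """Validate a sponsor's request; return (username, password, users entry)."""
    if not SPONSOR_RE.fullmatch(sponsor):
        raise ValueError("unexpected characters in sponsor name")
    username = make_username(identifier, existing_usernames(users_text))
    password = make_password()
    # The sponsor is recorded in a comment so the account stays attributable.
    entry = (f"# sponsor: {sponsor}\n"
             f'{username}\tCleartext-Password := "{password}"\n')
    return username, password, entry


if __name__ == "__main__":
    # Constructed sample of an existing users file (not real data).
    SAMPLE_USERS = 'guest-physics\tCleartext-Password := "constructed-sample"\n'
    user, pw, entry = provision_guest("Conf2006", "jdoe", SAMPLE_USERS)
    print(entry, end="")
    for bad in ('bad"name', "two words", "waytoolongname", "physics"):
        try:
            provision_guest(bad, "jdoe", SAMPLE_USERS)
        except ValueError as exc:
            print("rejected", repr(bad), "->", exc)
```

Because the entry holds a cleartext password, the file it is appended to needs the same restrictive permissions as the rest of the RADIUS configuration.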
RE: [WIRELESS-LAN] Wireless Guest Access
We allow it through Clean Access.

DNS - udp 53, HTTP - port 80, and https - port 443

todd

Todd Joyce
Network Services
Radford University - The Smart Choice
[EMAIL PROTECTED]
(540) 831-

Keep your boots and ChapStick and ice hotels. Give me shorts and sandals and a thirty-blocker.
Temperance Brennan - Monday Mourning

-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 22, 2006 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Guest Access

We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.

Thanks,
Cully

Cully Bennefield
Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
At the moment, all of our access is "guest" except for specific client laptops that belong to the college. This will provide access to our portal when it comes online, so users with portal accounts will be able to reach additional resources through that. Eventually, deployment of Identity Management and 802.1x and VPN may, in some combination, allow us to offer non-guest access at the wireless connection, but that's still somewhere in the pipeline.

Note that there are a variety of "wireless security" products which focus on access to the wireless service, and so don't apply if you offer "guest" access. Instead, attention needs to focus on "where can these clients get to", and that applies as well to open wired ports (we're starting to see these in some classrooms and drop-in areas) as to wireless.

David Gillett, CISSP CCNP
Foothill-DeAnza College District

> -Original Message-
> From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 22, 2006 12:03 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Wireless Guest Access
>
> We are exploring the possibility of offering guest wireless
> access and I would like to get a feel for how others might be
> handling it. Any and all information and opinions will be
> greatly appreciated.
>
> Thanks,
> Cully
>
> Cully Bennefield
> Baylor University
RE: [WIRELESS-LAN] Wireless Guest Access
> We are exploring the possibility of offering guest wireless
> access and I would like to get a feel for how others might be
> handling it. Any and all information and opinions will be
> greatly appreciated.

Our Aironet APs are set up with two SSIDs, an authenticated/encrypted SSID, and a completely open unauthenticated/unencrypted SSID for guests/visitors. The 'GUEST' ssid maps to a vLAN with quite a few firewall restrictions, not permitting anything more than basic web, vpn, instant messaging, and mail connectivity.

- Gabriel Kuri | Sr. Network Analyst
Instructional and Information Technology Division
California State Polytechnic University, Pomona
http://www.csupomona.edu/~iit | +1 909 979 6363