Re: [WIRELESS-LAN] residence all security

2008-05-21 Thread Sam Stelfox
We are redoing our wireless from scratch here at the college and I'll 
share a few of the options that we've considered. Our wireless system 
encompasses our entire campus and we want to separate the students from 
the faculty. The faculty for the most part use laptops owned by the 
college so we can make some assumptions based on our setup of what kind 
of security levels we can use. First off we have a Windows 2003 Active 
Directory setup on our campus, all the computers' times are synced to an 
ntp server and we have a local CA.


Before this we had one SSID for both students and staff with 802.1x 
authentication using their active directory credentials. This worked 
great as long as we didn't want to get any Vista machines on the 
wireless or people that don't have an account (think conferences). The 
Vista issue was the biggest reason we're redoing our wireless. The 
problem (I'm guessing, we never actually figured it out) was something 
to do with the root certificates and our self-signed server certificate 
(even though we had Validate server certificate unchecked on the clients).


What we are currently planning is to use 802.1x authentication on a 
faculty/staff SSID as we haven't moved to Vista for them officially and 
don't have plans to anytime soon. Students on the other hand we can't 
control what operating system they have and it's a sad fact of life for 
us that most of them will be coming back to campus with Vista. In light 
of this we are going to be using a WPA key for the students and a 
captive portal to identify them. We haven't decided how long the timeout 
for the captive portal authentication will be. We considered WPA2 but we 
also run into the compatibility problem again, but have decided that WPA 
provides a reasonable amount of security.


Our student and staff/faculty SSID both route to different VLANs. We use 
a packeteer to limit the bandwidth on the student portion of the network 
and let the staff/faculty have unrestricted access to the pipe.


I hope I have given you some ideas and would love to hear some 
criticism/concerns about this setup. If there are gaping flaws that I 
have missed it sure would be good to know before rolling it out.




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] residence all security

2008-05-21 Thread Randall C Grimshaw
We use WPA PEAP 802.1x with AD (MSCHAPv2) with Vista nicely (even WPA2
on some networks) so I am a bit confused by your statements.
Our DHCP based NAC worked pretty well on 802.1x but we are implementing
Impulse for the fall for additional functionality.
Randy Grimshaw, Syracuse University

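The two SSIDs Sam describes (802.1x against AD for staff, a shared WPA key for students) and the PEAP/MSCHAPv2 setup Randy mentions can be expressed as supplicant configuration. The following wpa_supplicant.conf is an added example written for this page, not a configuration posted by anyone in the thread; the SSID names, the CA file path, the RADIUS server's certificate subject, the identity and the keys are all assumptions. It also shows the setting that corresponds to leaving "Validate server certificate" unchecked on a Windows client, because that is the part of the original setup a security reviewer would flag:

```conf
# Added example for the thread above (not from the original posts).
# All names, paths and secrets below are placeholders.
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

# Faculty/staff SSID: WPA-Enterprise, PEAP with MSCHAPv2 against Active Directory.
network={
    ssid="campus-staff"                     # assumed SSID name
    key_mgmt=WPA-EAP
    proto=WPA RSN                           # accept WPA (TKIP) or WPA2 (CCMP)
    pairwise=CCMP TKIP                      # CCMP is preferred when the AP offers it
    eap=PEAP
    phase1="peaplabel=0"                    # PEAPv0, what Windows clients speak
    phase2="auth=MSCHAPV2"
    identity="CAMPUS\\jdoe"                 # assumed AD domain\user
    password="placeholder-password"         # or password=hash:<32 hex> for the NT hash

    # Server certificate validation. This is the supplicant-side equivalent of
    # "Validate server certificate" being checked: the RADIUS server's EAP
    # certificate must chain to the local CA AND carry the expected subject.
    # Deleting these two lines is the equivalent of unchecking that box; the
    # client will then build the PEAP tunnel to any RADIUS server behind any
    # access point that broadcasts this SSID and hand it the MSCHAPv2
    # challenge/response for the user's AD password.
    ca_cert="/etc/ssl/certs/campus-ca.pem"   # assumed path to the local CA cert
    subject_match="CN=radius.campus.example" # assumed CN of the RADIUS server

    priority=10
}

# Student SSID: WPA with a shared key. The captive portal is enforced upstream
# (on the student VLAN) and does not appear in the supplicant configuration.
network={
    ssid="campus-students"                  # assumed SSID name
    key_mgmt=WPA-PSK
    proto=WPA                               # WPA only, per the compatibility decision
    pairwise=TKIP
    psk="placeholder-shared-key"            # the key handed out to students
    priority=5
}
```

Two points a practitioner would want alongside this. First, the 802.1x network only protects the AD password if the supplicant actually validates the server certificate; the clock sync to an NTP server that Sam mentions matters here, because validation fails when the client's clock is outside the certificate's validity period. Second, a WPA-PSK network gives every holder of the key the same pairwise master key, so anyone who has the student key and captures another student's four-way handshake can derive that session's keys and read its traffic; the captive portal identifies users but adds no confidentiality between them, which is why Hector's question about how the key is distributed is the right one to ask.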


RE: [WIRELESS-LAN] residence all security

2008-05-21 Thread Hector J Rios
Sam, 

What are you using to distribute the WPA key to your students?

Hector Rios
Louisiana State University





residence all security

2008-05-19 Thread Entwistle, Bruce
I will apologize in advance, as I believe this has been discussed in the
past.  During the upcoming summer we will be installing a wireless
network in our residence halls.  We are looking at different options of
how we are going to authenticate and secure the network connections.  If
you could please share what methods have or have not worked in
addressing the authentication and security issues I would appreciate it.

 

Thank you

Bruce Entwistle

Associate Director of Enterprise Services

University of Redlands


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.