We provide GUEST access as follows: - The SSID is not hidden - Static WEP. They are given the key (don't want every Tom, Dick & Harry associating just because) - Captive Portal with limited rights - Given an ID for x amount of days which is in LDAP
We have a group/dept that deals with users coming on-site for conferences, meeting, and so on... They have a GUI to input guest names into LDAP and provide basic support for the "guest" users. Ken Connell Intermediate Network Engineer Computer & Communication Services Ryerson University 350 Victoria St RM AB50 Toronto, Ont M5B 2K3 416-979-5000 x6709 ----- Original Message ----- From: "Casey, J Bart" <[EMAIL PROTECTED]> Date: Tuesday, January 31, 2006 12:07 pm Subject: [WIRELESS-LAN] Guest Access > Hey All, > > > > It has been deemed necessary by the powers that be that we provide > somelevel of wireless access to guests on our campus. Some of > these people > might include members of the Media for athletic events, alumni > visitingthe campus, and guest professors/speakers. While I am not > exactlythrilled about the idea, I can certainly understand the > need. I would > like some feedback on how other schools are handling issues such as > this. > > > > Our current wireless network is comprised solely of Cisco Aironet 1200 > series APs. We use a single SSID which allows authenticated users > to be > placed in a wireless VLAN. We do not beacon our SSID. In order to > connect to the wireless network, our users must know the SSID. We > require users to install a secure certificate, and also require > them to > authenticate their domain user credentials against a radius > server. We > currently use IAS but are migrating to CSACS. > > > > My initial plan is as follows: > > > > 1. Determine which APs are going to provide this guest access. > Guest access won't be necessary for all APs > 2. Configure the selected APs with a second SSID > 3. Create a new VLAN for the second SSID > 4. Place users who use the second SSID into the new VLAN > 5. Only allow the new VLAN to access the internet > 6. Limit the bandwidth to the internet to about 512Kbps (This > should be sufficient for the Media's needs and allow any guest to > checkemail etc.) > 7. Provide some sort of security but not as in depth as we > currently use. > > > > > > What are your comments on beaconing the new SSID? > > What are you thoughts on security and encryption? > > Does a user that connects to our network have expectations of security > and encryption? > > Are we obligated to provide some sort of security and encryption to > protect these guest users? > > At what point does administrative burden overcome security? > > > > > > Your thoughts and ideas are greatly appreciated. > > > > Thanks in advance, > > > > J. Bart Casey > > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
