At St. Lawrence we use Cisco APs with multiple VLANs. We do provide an "open VLAN" for "guest" access. "Guests" get what they might expect if they were at home on a broadband connection, for access via an ACL on the router for the guest VLAN. We provide no encryption and advertise that fact. I think you are on the right track with your guest access. We provide this for many reasons: sports information, library users, conference attendees, to name a few. We push our faculty, staff and students to use the secure, 802.1x VLANs with encryption for their own use. Actually we "entice" them, since they cannot accomplish on the guest VLAN what they can on the wired or authenticated VLANs.

Phil

Casey, J Bart wrote:

Hey All,

It has been deemed necessary by the powers that be that we provide some level of wireless access to guests on our campus. Some of these people might include members of the Media for athletic events, alumni visiting the campus, and guest professors/speakers. While I am not exactly thrilled about the idea, I can certainly understand the need. I would like some feedback on how other schools are handling issues such as this.

Our current wireless network is comprised solely of Cisco Aironet 1200 series APs. We use a single SSID which allows authenticated users to be placed in a wireless VLAN. We do not beacon our SSID. In order to connect to the wireless network, our users must know the SSID. We require users to install a secure certificate, and also require them to authenticate their domain user credentials against a RADIUS server. We currently use IAS but are migrating to CSACS.

My initial plan is as follows:

  1. Determine which APs are going to provide this guest access.  Guest access won’t be necessary for all APs
  2. Configure the selected APs with a second SSID
  3. Create a new VLAN for the second SSID
  4. Place users who use the second SSID into the new VLAN
  5. Only allow the new VLAN to access the internet
  6. Limit the bandwidth to the internet to about 512Kbps  (This should be sufficient for the Media’s needs and allow any guest to check email etc.)
  7. Provide some sort of security but not as in depth as we currently use.

What are your comments on beaconing the new SSID?

What are your thoughts on security and encryption?

Does a user that connects to our network have expectations of security and encryption?

Are we obligated to provide some sort of security and encryption to protect these guest users?

At what point does administrative burden overcome security?

Your thoughts and ideas are greatly appreciated.

Thanks in advance,

J. Bart Casey

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
