Bart,

Seems like a good plan.
For your special visitors you may consider EDUROAM in the future (http://security.internet2.edu/fwna). Only works with 802.1x though!

> 1. Determine which APs are going to provide this guest access.
> Guest access won't be necessary for all APs

Once you enable a second SSID, you may as well enable it all over. It might become a redundancy feature the day your RADIUS is having problems or an OS vendor releases a nasty patch that breaks wireless client software.

> 2. Configure the selected APs with a second SSID

We don't broadcast any of our SSIDs for Wireless Hygiene reasons (read: in order to deal as best as possible with MS Wireless Zero config). When one SSID is broadcasted and others are not, some Wireless clients tend to always join the broadcasted one.

> 4. Place users who use the second SSID into the new VLAN
> 5. Only allow the new VLAN to access the internet
> 6. Limit the bandwidth to the internet to about 512Kbps (This
> should be sufficient for the Media's needs and allow any guest to check
> email etc.)
> 7. Provide some sort of security but not as in depth as we
> currently use.

One additional feature: In our design we were considering NAT for the visitor network with an IP that comes from a range outside of our campus range. If the visitor network is abused, you have the option to change the IP address and not have your campus addresses banned all over the Internet!

We don't provide encryption for Visitors. Encryption is optional for our campus users. In order to provide encryption for visitors you will have to deal at some point with credentials... good luck. Reminds me of these web sites that want you to create a profile with login and password to make a $5 purchase!

If you give your visitors bandwidth and inform them through a "required" reading about the features of the wireless network, you should be fine.

Philippe Hanset
University of Tennessee

> What are your comments on beaconing the new SSID?
>
> What are your thoughts on security and encryption?
>
> Does a user that connects to our network have expectations of security
> and encryption?
>
> Are we obligated to provide some sort of security and encryption to
> protect these guest users?
>
> At what point does administrative burden overcome security?
>
> Your thoughts and ideas are greatly appreciated.
>
> Thanks in advance,
>
> J. Bart Casey
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
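
Steps 4 to 6 and the NAT suggestion from the thread, sketched as an added example that is not part of the original messages or any poster's configuration. It assumes a dedicated Linux gateway for the guest VLAN and treats the 512Kbps limit as an aggregate cap; the function name, interface names and all addresses are constructed placeholders.

```python
import ipaddress


def render_guest_policy(guest_if, wan_if, guest_net, campus_nets, nat_ip,
                        rate="512kbit"):
    """Return iptables/tc commands for the guest VLAN; raise ValueError on a bad plan."""
    guest = ipaddress.ip_network(guest_net)
    campus = [ipaddress.ip_network(n) for n in campus_nets]
    nat = ipaddress.ip_address(nat_ip)

    for net in campus:
        # The visitor NAT address must sit outside every campus prefix, so that
        # a blocklisted address can be swapped without touching campus ranges.
        if nat in net:
            raise ValueError(f"NAT address {nat} is inside campus range {net}")
        if guest.overlaps(net):
            raise ValueError(f"guest range {guest} overlaps campus range {net}")

    # Steps 4-5: guests may reach the Internet only, never campus prefixes.
    cmds = [f"iptables -A FORWARD -i {guest_if} -d {net} -j DROP" for net in campus]
    cmds += [
        f"iptables -A FORWARD -i {guest_if} -o {wan_if} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {guest_if} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {guest_if} -j DROP",
        # Visitor traffic leaves with its own source address.
        f"iptables -t nat -A POSTROUTING -s {guest} -o {wan_if} "
        f"-j SNAT --to-source {nat}",
        # Step 6: shape upload on the uplink and download on the guest side.
        f"tc qdisc replace dev {wan_if} root tbf rate {rate} burst 16kb latency 400ms",
        f"tc qdisc replace dev {guest_if} root tbf rate {rate} burst 16kb latency 400ms",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample plan using documentation prefixes as stand-ins.
    for line in render_guest_policy("vlan200", "eth0", "10.200.0.0/16",
                                    ["192.0.2.0/24", "198.51.100.0/24"],
                                    "203.0.113.10"):
        print(line)
```

The commands are returned as text for review instead of being executed, so the plan can be checked before anything is applied as root.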
