Nathan,

At Emory, we initially had a security/access model that was an open SSID, but 
required users to initiate a VPN session to encrypt the air link and 
authenticate the user.  We finally retired this model as of the first of the 
year.  We are now using WPA-Enterprise (802.11i/802.1x) for authentication and 
encryption.  We used the following steps to migrate students to the new access 
method (and our helpdesk/support teams touched a lot of machines to help with 
the transition):

Fall 2005 - brought up a second SSID to support WPA; we already had an open 
SSID for VPN authenticated access and guest access using a captive portal.  We 
added PDFs to the captive portal describing steps to connect using VPN and WPA.

School year 2005-2006 - Held pizza parties, and "Wireless Wednesdays" clinics 
to assist students to connect using WPA.  Started a media campaign 
(posters/newspaper ads) to publicize the "new" way of connecting to the 
wireless network.

Summer of 2006 - Plan for "sunsetting" VPN access.  Turned off VPN & Guest 
access in dorms & student apartments.  Developed automated scripts for our 
Emory Online CD to assist students in setting up WPA on Windows & Mac machines.

Move-In Weekend 2006 - Held connectivity clinics in each dorm to assist 
students connecting to our WPA SSID.  The support staff touched a lot of 
machines this weekend and got very good at setting up WPA on student machines 
quickly.  Without VPN access in the dorms, students had to use WPA to get 
connected wirelessly (or use a wired connection).

Fall 2006 - Sent a series of emails to known VPN access wireless users (culled 
from authentication logs) informing them that wireless VPN access was going 
away.  VPN usage levels are very low - about what they were during summer break.

January 3rd, 2007 - turned off wireless VPN access.  We received no complaints 
that users couldn't get on the network.

Over this same period (starting Move-In Weekend 2006), our wireless usage more 
than doubled - All WPA growth.  We now support two access methods - 
WPA-Enterprise (EAP-PEAP-MSCHAPv2) and guest access (captive portal 
authentication, then Web browsing only - bandwidth limited to 500kbps).

EAP-PEAP-MSCHAPv2 is supported natively in both Windows & Mac.  There is Linux 
support available as well.  We don't officially support other devices (Wii, 
Tivo, etc.), but are working on defining a secure and supportable method to do 
so.

Our wireless infrastructure is Aruba, and it handled this transition seamlessly.

 >>-> Stan Brooks - CWNA/CWSP
      Emory University
      Network Communications Division
      404.727.0226
      [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]



________________________________

From: Nathan Hay [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 25, 2007 9:25 AM
To: [email protected]
Subject: [WIRELESS-LAN] Transition from open to encrypted


We've been running our main SSID without encryption to make it easier for 
students to connect and to make life easier for our help desk.  Not 
surprisingly we've started to have problems with students sniffing packets and 
capturing the IM passwords, etc. of other students.

Because of this, we are working on a plan to make our main SSID encrypted by 
the start of next school year.

Does anyone have a recommended scheme for encryption that supports a wide 
variety of clients?  We have Windows, Mac, Linux, Nintendo Wii, and many 
different types of handheld devices on campus.  Our wireless network is Meru.

We don't have any 802.1x experience, but we are willing to learn if that is 
where we need to head.  We'd like a scheme that makes it as easy for the client 
to connect as possible, but still provides a good level of security.

Any thoughts or suggestions would be appreciated,

Nathan









Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu <http://www.cedarville.edu/>

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
