CCA has had some level of NAT restriction and what they call "strict L2" whereby the server checks the MAC in the header of the users authentication/assessment packet against the MAC reported by the CCA client written in the payload of the authentication packet.
If the MAC of the header is different than the MAC in the payload it is restricted from getting on. There are 2 problems with this. 1) many consumer grade routers/wireless units clone the first mac/ip that go through it so the unauthorized device looks just like the computer and it is allowed through. 2) when it does clone that first device and they work fine, what happens to the unsuspecting next door neighbor who's wireless card finds the offenders router and attempts to go through it? Even though it is imperfect we are still using this feature and finding mixed results. Most importantly though the syslogs (not the gui logs) do show when the event occurs with a fairly detailed entry of what the packet looked like (e.g. header mac and all client reported macs) so we can find them on the network. Greg -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Mark Berman Sent: Friday, September 05, 2008 7:58 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Wireless Router Policy This is basically our position as well. The prohibition is in our "Computing Ethics and Responsibilities" policy, which, along with the Privacy Policy constitute our AUP. The wording is in the section on tampering and says: "You may not modify residential computing network services or wiring or extend those beyond the area of their intended use. This applies to all network wiring, hardware, and cluster and in-room jacks. Gateways and firewalls designed for home use, such as Cable/DSL routers and Wireless Access Points, can disrupt the normal operation of the Williams network and are not allowed." A recent upgrade of our Impulse Point policy enforcement appliance gave us the ability to locate and automatically shut down NAT gateways and we're about to turn that function on. - Mark -- Mark Berman, Director for Networks & Systems Williams College, Office for Information Technology *** Please consider the environment before printing this message -----Original Message----- From: Tony Fellows [mailto:[EMAIL PROTECTED] Sent: Thursday, September 04, 2008 10:58 AM Subject: Re: Wireless Router Policy Hi, I picked up on this issue because some years ago, I too had a problem with our small university college and the reluctance of management to prohibit rogue device connectivity to the central network. So rather than create a new policy I modified the AUP (acceptable Use Policy) - which every student and staff member signs up to (electronically) each new academic year. I submitted clauses in the policy banning any device from being connected to the central network - which isn't the property of the university - which hasn't been vetted for use - or which is deemed unsuitable by IT Services staff. It is pointed out that disciplinary action will be taken if any device is found to be illegally connected. To support these clauses - the security and integrity of the network was the main mission. To manage data traffic and ensure a level of bandwidth throttling which is sustainable for all users and services. I think a previous contributor from Georgia State - Charles - was spot on when he implied that without certain controls, central networks would quickly become unreliable, unruly and unfit for purpose. Tony Fellows BSc (Binftech) CITP MBCS Head of IT Services Newman University College Birmingham B32 3NT Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> Tel: 0121 476 1181 ext. 2223 Mob: 07887 902999 ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Phillips, Chris Sent: Thu 04/09/2008 3:23 PM To: [email protected] Subject: Re: [WIRELESS-LAN] Wireless Router Policy Mike, We are vetting a new Residence Network Policy that, if approved, would make student routers not acceptable and subject to sanctions including losing network authentication. Chris Phillips Ass't V.P., Technology Univ. of Maryland, Baltimore ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Martin Jr., D. Michael Sent: Thursday, September 04, 2008 8:34 AM To: [email protected] Subject: [WIRELESS-LAN] Wireless Router Policy As we prepare to expand our wireless coverage into our residence halls, I would like to poll this list to see how many of you have policies prohibiting the use of student (or other) routers in your environments? My institution, the University of Montevallo, is a small public liberal arts university which historically has been reluctant to "prohibit" almost anything in the past, so we have no current policies in place to prevent the installation of such devices. In fact, our Helpdesk manager even approached me yesterday about assisting students in the setup and configuration of their routers. Any advice any of you could give on such matters would be greatly appreciated. Thanks, D. Michael Martin, Jr. Network Administrator University of Montevallo ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
