Greg - Can you detail where this information is stored on CCA layer 2
mismatches? Can you access it via the CAM's web interface in the
"Event logs" section, or do you need to be logging to an external
syslog server? Thanks.
Walt
On Sep 5, 2008, at 8:35 AM, Scholz, Greg wrote:
CCA has had some level of NAT restriction and what they call "strict L2"
whereby the server checks the MAC in the header of the user's
authentication/assessment packet against the MAC reported by the CCA
client written in the payload of the authentication packet.
If the MAC of the header is different than the MAC in the payload it is
restricted from getting on. There are 2 problems with this.
1) many consumer grade routers/wireless units clone the first MAC/IP
that goes through it so the unauthorized device looks just like the
computer and it is allowed through.
2) when it does clone that first device and they work fine, what happens
to the unsuspecting next door neighbor whose wireless card finds the
offender's router and attempts to go through it?
Even though it is imperfect we are still using this feature and finding
mixed results. Most importantly though the syslogs (not the GUI logs) do
show when the event occurs with a fairly detailed entry of what the
packet looked like (e.g. header MAC and all client reported MACs) so we
can find them on the network.
Greg
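The header-versus-payload MAC comparison described in the message above, as an added example that is not part of the original thread and is not CCA's own code. It runs the comparison over four constructed authentication log lines, covering a direct client, a router using its own MAC, a router that cloned its first client, and a second client behind that cloning router. The log line layout, host name, user names and MAC addresses are all assumptions made for illustration; the real CCA syslog format is not shown in this thread.

```python
import re

# Constructed sample lines (assumed layout, not the CCA syslog format):
#   alice: plugged in directly, header MAC is one of her reported MACs
#   bob:   behind a router using its own MAC, so the header MAC is the router's
#   carol: behind a router that cloned her MAC, indistinguishable from direct
#   dave:  neighbor behind carol's router, header carries carol's cloned MAC
SAMPLE_LOG = """\
Sep  5 08:01:12 cas1 auth: user=alice header_mac=00:11:22:AA:BB:01 client_macs=00:11:22:aa:bb:01,00:11:22:aa:bb:02
Sep  5 08:03:40 cas1 auth: user=bob header_mac=00-1C-10-33-44-55 client_macs=00:16:6f:10:20:30
Sep  5 08:05:02 cas1 auth: user=carol header_mac=00:16:6F:77:88:99 client_macs=00:16:6f:77:88:99
Sep  5 08:09:31 cas1 auth: user=dave header_mac=00:16:6F:77:88:99 client_macs=00:13:ce:01:02:03
"""

LINE_RE = re.compile(r"user=(\S+) header_mac=(\S+) client_macs=(\S+)")

def norm_mac(mac):
    """Normalize a MAC to 12 lowercase hex digits; raise on malformed input."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def strict_l2_ok(header_mac, client_macs):
    """True when the frame's source MAC is one of the MACs the client reported."""
    return norm_mac(header_mac) in {norm_mac(m) for m in client_macs}

def find_mismatches(log_text):
    """Return (user, header_mac, reported_macs) for each auth line failing the check."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, header, reported = m.group(1), m.group(2), m.group(3).split(",")
        try:
            if not strict_l2_ok(header, reported):
                hits.append((user, norm_mac(header), [norm_mac(x) for x in reported]))
        except ValueError:
            hits.append((user, header, reported))  # malformed MAC: surface it
    return hits

if __name__ == "__main__":
    for user, header, reported in find_mismatches(SAMPLE_LOG):
        print(f"MISMATCH user={user} header={header} reported={reported}")
```

Only bob and dave are reported: carol's cloning router passes the comparison, and the mismatch entry for dave carries carol's MAC in the header field, which is the lead for locating the router.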
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Berman
Sent: Friday, September 05, 2008 7:58 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wireless Router Policy
This is basically our position as well. The prohibition is in our
"Computing Ethics and Responsibilities" policy, which, along with the
Privacy Policy constitute our AUP. The wording is in the section on
tampering and says:
"You may not modify residential computing network services or wiring or
extend those beyond the area of their intended use. This applies to all
network wiring, hardware, and cluster and in-room jacks. Gateways and
firewalls designed for home use, such as Cable/DSL routers and Wireless
Access Points, can disrupt the normal operation of the Williams network
and are not allowed."
A recent upgrade of our Impulse Point policy enforcement appliance gave
us the ability to locate and automatically shut down NAT gateways and
we're about to turn that function on.
- Mark
--
Mark Berman, Director for Networks & Systems
Williams College, Office for Information Technology
*** Please consider the environment before printing this message
-----Original Message-----
From: Tony Fellows [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 04, 2008 10:58 AM
Subject: Re: Wireless Router Policy
Hi,
I picked up on this issue because some years ago, I too had a problem
with our small university college and the reluctance of management to
prohibit rogue device connectivity to the central network. So rather
than create a new policy I modified the AUP (Acceptable Use Policy) -
which every student and staff member signs up to (electronically) each
new academic year. I submitted clauses in the policy banning any
device from being connected to the central network - which isn't the
property of the university - which hasn't been vetted for use - or
which is deemed unsuitable by IT Services staff. It is pointed out
that disciplinary action will be taken if any device is found to be
illegally connected.
To support these clauses - the security and integrity of the network
was the main mission. To manage data traffic and ensure a level of
bandwidth throttling which is sustainable for all users and services.
I think a previous contributor from Georgia State - Charles - was spot
on when he implied that without certain controls, central networks
would quickly become unreliable, unruly and unfit for purpose.
Tony Fellows BSc (Binftech) CITP MBCS
Head of IT Services
Newman University College
Birmingham B32 3NT
Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Tel: 0121 476 1181 ext. 2223
Mob: 07887 902999
________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on
behalf of Phillips, Chris
Sent: Thu 04/09/2008 3:23 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wireless Router Policy
Mike,
We are vetting a new Residence Network Policy that, if approved, would
make student routers not acceptable and subject to sanctions including
losing network authentication.
Chris Phillips
Ass't V.P., Technology
Univ. of Maryland, Baltimore
________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Martin Jr.,
D. Michael
Sent: Thursday, September 04, 2008 8:34 AM
To: [email protected]
Subject: [WIRELESS-LAN] Wireless Router Policy
As we prepare to expand our wireless coverage into our residence
halls, I would like to poll this list to see how many of you have
policies prohibiting the use of student (or other) routers in your
environments? My institution, the University of Montevallo, is a
small public liberal arts university which historically has been
reluctant to "prohibit" almost anything in the past, so we have no
current policies in place to prevent the installation of such devices.
In fact, our Helpdesk manager even approached me yesterday about
assisting students in the setup and configuration of their routers.
Any advice any of you could give on such matters would be greatly
appreciated.
Thanks,
D. Michael Martin, Jr.
Network Administrator
University of Montevallo
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.