Howdy,

We sell the encrypted (wpa/wpa2) network to our users as being safer, faster, and less hassle (configuring it in Windows/etc. to auto-login etc.). Our guest ssid forces users to a web portal where they still have to log in manually with a pre-assigned guest id/password before having access to the network. We don't allow our regular users to authenticate using the guest ssid at all anymore except in special situations. We currently avoid any type of wide open guest access because that limits our ability to track security concerns and address user complaints/troubleshooting.

Also, depending on how your users are accustomed to authenticating against wireless (your bluesocket solution is a NAC/web portal, right?), a transition period (and possibly a new ssid indicating wpa required) would probably be best for you (and your helpdesk's sanity) so you don't have every user suddenly asking for help setting up wpa or asking why the wireless isn't working. We also provide our users reference pages for configuring wpa across a variety of OSes/platforms, and you may want to consider getting similar documentation available to your users and support staff before asking them to set up wpa on their own.

Our own ssid configuration consists of 3 primary ssids, our wpa secure, a guest ssid with web authentication, and a wide open "help" ssid that only allows access to a website help destination with general wireless information and documentation on how to configure wpa/wpa2.
-- 
Justin Hao
Network Engineer
Texas A&M University
Networking and Information Security
[email protected]
(979)862-2162

PS - I would avoid supporting TKIP from the get-go if you're going to establish WPA/WPA2 policies; most non-archaic wireless drivers/clients should support wpa-aes at the very least, and tkip should be considered compromised, similar to wep.

Williams, Mr. Michael wrote:

We purchased a Cisco WISM and the WCS software to form a centralized wireless network. We are planning on putting it into production during the next semester break. Most of our FAT APs (80+) have been upgraded and are now controlled by the WISM. We currently only have one SSID (no encryption) with all network traffic feeding into our Bluesocket authentication gateway. We plan on setting up multiple networks, one for encrypted access and another for guest access.

The question I have is as follows: How do most folks handle guest access? I want to create a guest VLAN and restrict access to the internet only (DNS, HTTPS, HTTP), but is this the best way to approach this?

My users just use their network credentials to access the wireless network; I want to encourage (force) them to use the new encrypted network. My intent is to configure the current SSID to require WPA/WPA2 and create a new SSID for guest access; this should steer most folks towards the encrypted network.

Any lessons learned on guest access you would like to share?

Thanks

Mike

v/r

 

Michael M. Williams
Network Systems Analyst
Information Technology Services
Tarleton State University
201st St. Felix Str.
Box T-0220
Stephenville, TX
Tel: (254) 968-1850
Fax: (254) 968-9393
[email protected]

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

