We are in the process of switching our entire SSID infrastructure around
for the same reasons you are asking about. We have a number of devices
that don't support 802.1x. For this and a handful of other reasons, we
are rolling out 3 brand new SSIDs.

wustl-2.0 = Open SSID.  Authentication is based on a DHCP captive portal
from Infoblox (our IPAM system).
wustl-guest-2.0 = Guest network.   Only ports 80 and 443 are open.  The
bandwidth is also limited per IP.   This is our way of making it painful so
normal users won't try to use this.
wustl-encrypted-2.0 = 802.1x SSID.

Note: we use a version number on our SSIDs so we can make major changes
without affecting old users during the transition period.


Our theory behind the open SSID with captive portal was this... The vast
majority of our users are used to coffee shop style wireless. A large
number of high visibility services are using end-to-end (https) encryption.
If this does not work for you, we have an SSID with the word encryption in
it. The end users can make their own decision for what works best for
them. We originally thought about running WPA2 with a common shared key
for encrypting the connection, but there are security issues with this.
Anyone with the key could decrypt the traffic if they wanted. We felt
like we would be giving our users a false sense of security if we offered a
shared key WPA2 solution.

I would be happy to discuss this further if you want; my phone number is in
the sig below.

-- 
Jason E. Murray
Sr. Systems Engineer
Washington University in St. Louis
Phone: 314-935-4865
Email: [email protected]
Web: http://nts.wustl.edu/~jemurray/




On Tue, Jun 4, 2013 at 2:37 PM, Danny Eaton <[email protected]> wrote:

> I seem to remember seeing some discussion a while ago about non 802.1x
> capable devices on wireless.  We’re a Cisco wireless shop, and currently
> run 2, about to be 3 (with the addition of eduroam) SSIDs.  Is anyone
> running a specific SSID for these non-802.1x capable devices?  Perhaps
> using WEP and MAC address authentication?  Feel free to contact me off
> list… I’m just trying to get some examples of “best practice” (or at least
> implemented practices) from other institutions.
>
> Respectfully,
>
> Danny Eaton
> Snr. Network Architect
> Networking, Telecommunications, & Operations
> Rice University, IT
> Mudd Bldg, RM #205
> Jones College Associate
> Staff Advisory Committee
> Employee Activities Subcommittee Chair
> Office - 713-348-5233
> Cellular - 832-247-7496
> [email protected]
>
> Soli Deo Gloria
> Matt 18:4-6
>
> G.K. Chesterton, “Christianity has not been tried and found wanting.  It’s
> been found hard and left untried.”
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>


-- 
Jason E. Murray
[email protected]
http://www.zweck.net/
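
Added example, not part of the original message: a sketch of why a common WPA2 shared key gives users no privacy from each other, as the reply above argues. It follows the WPA2-PSK (CCMP) key derivation; the SSID, passphrase, MAC addresses and nonces are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: the pairwise master key depends only on passphrase and SSID,
    # so every device configured with the shared key holds the same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter.
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Besides the PMK, every input here is sent unencrypted in the 4-way handshake.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK

# Constructed sample values (not from the thread).
SSID = "example-psk"
SHARED_KEY = "constructed shared passphrase"
HANDSHAKE = {
    "ap_mac": bytes.fromhex("02aabbccdd01"),
    "sta_mac": bytes.fromhex("02aabbccdd02"),
    "anonce": hashlib.sha256(b"constructed anonce").digest(),
    "snonce": hashlib.sha256(b"constructed snonce").digest(),
}

def temporal_key(passphrase: str) -> bytes:
    # The last 16 bytes of the PTK are the CCMP temporal key for unicast data.
    return ptk(pmk_from_passphrase(passphrase, SSID), **HANDSHAKE)[32:48]

def compare_keys():
    station = temporal_key(SHARED_KEY)        # the station in the handshake
    key_holder = temporal_key(SHARED_KEY)     # any other user given the same key
    without_key = temporal_key("not the shared key")
    return station == key_holder, station == without_key

if __name__ == "__main__":
    print(compare_keys())
```

With 802.1x each session gets its own PMK from the EAP exchange, so another user's handshake observations do not yield the session keys.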
