On Fri, May 16, 2014 at 01:30:30AM +0000, Peter P Morrissey wrote:
> What is also interesting is that the CALEA recommendations really seem to 
> focus on giving Law enforcement access, and not necessarily identifying users 
> in the past. I do wonder why we in .edu's seem to obsess about identifying 
> people. As has been pointed out, it is wide open in enough restaurants, city 
> streets and airports. In addition, I have never heard of a case of someone 
> getting in trouble for offering open access. If this has ever happened, I 
> would love to hear the details. 

We currently have a sponsored-guest type system where a
username/password needs to be acquired from one of a hundred or so
administrative assistants, helpdesk, or network staff, then
emailed/texted/printed and given to the user.  This has been deemed
too high of a bar for some classes of visitors (trustees) or events
(commencement) so we were asked to "create an open network" for those.
Apparently it is too hard for trustees to get a password from the same
people they get their visitor parking pass from, or for commencement
visitors to read a password off a poster hung all around campus.

It is hard to say no for those types of use cases, but it undermines
our ability to require user/host registration for the rest of the
population.  If we've suspended a machine from accessing the network
due to policy violations or security incidents, how do we prevent them
from using the open network?  How do we prevent just anyone who isn't
part of our community from accessing materials that are only licensed
to members of our community (such as library resources like Safari
Books Online which "authenticates" by source IP address)?

Most airport or city networks that I've seen are behind at least a
click-through agreement captive portal.  MIT used to have an
honor-system based guest access system where they asked you for your
name, phone, and email, and then let you on immediately.  It
remembered your MAC address for 6 months or a year or something like
that so you didn't have to "register" again for that amount of time.
I don't know if they are still doing that, but that seems like a good
compromise.  The splash-page gives you a branding opportunity and the
user some "assurance" that they are connecting to your network and not
someone who is spoofing the SSID, especially if you use an SSL captive
portal.
