Re: [fw-wiz] Locking down public wireless access

From: Dale W. Carder
Date: 02/23/05

  • Next message: Andras Kis-Szabo: "Re: [fw-wiz] Username password VS hardware token plus PIN"
    To: Chris Bills
    Date: Tue, 22 Feb 2005 22:30:25 -0600

    On Feb 19, 2005, at 12:30 PM, Chris Bills wrote:
    > At my university, the computer science department would like to offer
    > wireless access to computer science students

    Similar problem here, and soon to be campus-wide.

    We decided to take a multi-pronged approach, since we know we have to deal
    with users who may be in any one or more of faculty, staff, students,
    guests, the community, etc. We're working on rolling out a solution
    for this fall:

    - End all centralized campus services that have clear text anything,
    and switch users to imap over ssl and the like.

    - Start a marketing campaign to encourage everyone to use our big VPN
    concentrator when on the wireless network, at home, or whenever for
    that matter. Then we can forget all of this WEP64/WEP128/WPA/WPA2 crap
    plus cards and drivers that don't support anything reasonable and just
    put on a client the helpdesk already knows how to support.

    - Create the ability for many key campus folks to create temporary
    accounts and be responsible for the actions of those people. (this
    will handle conferences well)

    - Roll out a "captive portal" style network admission box. The captive
    portal also strongly encourages the use of VPN (and allows them to get
    the client before allowed through) when on the wireless network, but
    acts as a fallback mechanism for those without: the vpn client, clue,
    admin on their machines, or who are otherwise guests.

    There are several free captive portal thingies out there like NoCatAuth
    and PacketFence, and then the vendors like Perfigo (now vendor C),
    BlueSocket, and BSi. We found that they all had limitations one way or
    another, so choose your poison carefully!

    As others have noted, WEP is dead. Look at WPA at least. Or maybe WPA
    plus RADIUS is for you, and I think that maybe even the latest stock
    Linksys boxes can do that now. I ran hacked-up firmware on a Linksys box at
    home and wound up disappointed in the end. I haven't looked at WPA2
    just yet; maybe others on the list have.


    Dale W. Carder
    Network Engineer
    University of Wisconsin at Madison

    firewall-wizards mailing list
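Added illustration (editor's example, not part of Dale's message or anything the list posted): what the "WEP is dead, use WPA plus RADIUS" advice looks like as an access-point configuration. It is written for hostapd, which is an assumption; the SSID, the RADIUS server address 192.0.2.10 and the shared secret are placeholders. The first fragment is the weak setting the message tells you to abandon, the second is WPA2-Enterprise (802.1X/EAP with an external RADIUS server), which is what "WPA plus RADIUS" means in practice.

```ini
# ---- Weak: static WEP (shown only for contrast; do not deploy) ----
interface=wlan0
driver=nl80211
ssid=cs-wireless
hw_mode=g
channel=6
auth_algs=1                 # open-system auth; shared-key WEP auth is no better
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789   # 104-bit ("WEP128") key as 26 hex digits
# One static key shared by every client, RC4 with a 24-bit IV: recoverable
# from captured traffic, and every client can read every other client's frames.

# ---- Corrected: WPA2-Enterprise, per-user auth via RADIUS ----
interface=wlan0
driver=nl80211
ssid=cs-wireless
hw_mode=g
channel=6
wpa=2                       # RSN/WPA2 only; wpa=3 would also accept WPA1 clients
wpa_key_mgmt=WPA-EAP        # 802.1X/EAP instead of a shared passphrase
rsn_pairwise=CCMP           # AES-CCMP; no TKIP
ieee8021x=1
eap_server=0                # hostapd does not terminate EAP; forward to RADIUS
own_ip_addr=192.0.2.20      # NAS-IP-Address reported to the server (placeholder)
auth_server_addr=192.0.2.10 # RADIUS server (placeholder address)
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
acct_server_addr=192.0.2.10 # optional accounting, useful for the "who was on
acct_server_port=1813       # the network at 14:02" question a captive portal
acct_server_shared_secret=replace-with-a-long-random-secret   # also answers
```

Two caveats a practitioner would want alongside this. The shared secret only protects the AP-to-RADIUS leg; what stops a rogue AP with the same SSID from harvesting credentials is the client validating the RADIUS server's certificate (EAP-TLS, or PEAP/TTLS with the CA pinned in the supplicant profile), so that has to be part of the client rollout, not just the AP config. And because each association derives its own pairwise key, clients can no longer read each other's traffic, which is the property static WEP and a single WPA-PSK passphrase both lack.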
