Re: [fw-wiz] Discretionary WiFi Access

From: Chris Byrd (cbyrd01_at_gmail.com)
Date: 07/08/05

    To: Dave Null <noid23@gmail.com>
    Date: Fri, 8 Jul 2005 08:57:05 -0500
    
    

    Many APs support 802.1x with dynamic VLAN membership. This means that
    authenticated users get into an internal access VLAN (still should be
    separated from the internal network by firewall - this is the
    firewalls list after all), non-authenticated users get an Internet
    access VLAN. You can use queueing techniques to rate-limit the
    guests.

    A captive portal would allow you to make guests sign off on acceptable
    use terms before giving them access.

    - Chris

    On 7/7/05, Dave Null <noid23@gmail.com> wrote:
    > It's not firewall related, but there's some smart minds on this list.
    > My company has started looking into campus-wide WiFi. I'll keep my
    > personal feeling on this to myself though. One thing that keeps
    > coming up is that one of the largest user communities that would take
    > advantage of this would be non-employees. Vendors, Salesmen, people
    > meeting with GMs/VPs/Execs are probably going to be the main users of
    > this. My question is, if you currently have a similar situation in
    > your work environment, how do you handle granting these people
    > temp/guest WiFi access.
    >
    > Access controls for employees can be fairly stringent (i.e. only
    > connect from company owned assets whose MAC is inventoried, use of 2
    > factor authentication, etc), but a lot of this isn't applicable for
    > temporary visitors. I know one company that would give you a WiFi card
    > when you signed in that was in their database of 'allowed' MAC
    > addresses (I know, don't get me started on MAC spoofing), however I
    > would bet cash money that those cards walked away regularly. Similar
    > thing with issuing a temporary token fob (SecureID or the like).
    >
    > I know the easy answer here is 'Don't give them WiFi access', but I
    > don't think that is going to be an option. Thoughts, comments, flames?
    >
    > -noid
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
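
The dynamic VLAN membership mentioned in the reply is normally signalled with the RADIUS tunnel attributes of RFC 2868 / RFC 3580. The following is an added example, not part of the original message: it encodes those attributes and models the AP-side decision, falling back to the guest VLAN on anything other than a clean Access-Accept. The VLAN ids (20, 30, 99), the function names and the fail-to-guest policy are assumptions of this example; it works on the attribute block after the RADIUS header and assumes the response authenticator has already been verified.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
GUEST_VLAN = 99          # assumed: Internet-only guest VLAN
STAFF_VLANS = {20, 30}   # assumed: VLANs authenticated users may be placed in

def vlan_attrs(vlan_id):
    """Encode the three VLAN attributes a RADIUS server adds to Access-Accept."""
    def tlv(attr, value):
        return bytes([attr, len(value) + 2]) + value
    # A 32-bit big-endian integer is the tag byte 0x00 plus the 3-byte value.
    return (tlv(TUNNEL_TYPE, struct.pack("!I", TYPE_VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, struct.pack("!I", MEDIUM_IEEE_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))

def parse_attrs(data):
    """Split a RADIUS attribute block into {type: value}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def select_vlan(code, attr_block):
    """AP-side decision: staff VLAN only on a clean Access-Accept, else guest."""
    if code != ACCESS_ACCEPT:
        return GUEST_VLAN
    try:
        a = parse_attrs(attr_block)
        ttype, medium = a[TUNNEL_TYPE], a[TUNNEL_MEDIUM_TYPE]
        group = a[TUNNEL_PRIVATE_GROUP_ID]
        if len(ttype) != 4 or len(medium) != 4 or not group:
            raise ValueError("bad tunnel attribute length")
        if group[0] <= 0x1F:          # optional tag byte precedes the string
            group = group[1:]
        if not group.isdigit():       # ASCII digits only
            raise ValueError("non-numeric VLAN id")
        vlan = int(group)
    except (KeyError, ValueError):
        return GUEST_VLAN
    ok = (int.from_bytes(ttype[1:], "big") == TYPE_VLAN
          and int.from_bytes(medium[1:], "big") == MEDIUM_IEEE_802
          and vlan in STAFF_VLANS)
    return vlan if ok else GUEST_VLAN
```

Checking the returned id against `STAFF_VLANS` keeps a misconfigured or compromised RADIUS server from steering a client into a VLAN the AP was never meant to bridge.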

