[37886] in Resnet-Forum
Re: Wireless Access
daemon@ATHENA.MIT.EDU (Greg Bowser)
Fri Jan 18 15:57:02 2013
X-URI-Submission-From: topnotcher@mail.uri.edu
Message-ID: <983034493.17002952.1358542574587.JavaMail.root@mail.uri.edu>
Date: Fri, 18 Jan 2013 15:56:14 -0500
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: Greg Bowser <bowser@URI.EDU>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <7E64DBDB85032D40BE50168C91A3D2A363D8C98A37@stg-mail.kent-school.edu>
We're using Aruba/Safe*Connect. As a compromise for allowing unauthenticated guest access, we "tiered" the guest access. The basic, unauthenticated guest access puts guests in an Aruba role with the following restrictions:
- 512kbps bandwidth limit (horrible, I know...)
- can only access http, https
- access only valid on weekdays, 0800-2200
- only provides internet access (i.e. direct access to OUR network is blocked)
The login page has a message clearly informing guests of the restrictions and that they can be lifted by contacting the Help Desk to obtain a guest account.
If I had to allow access to the internal network, I would limit the access to subnets containing public-facing assets (university website, etc.)
- Greg
-------------------------------
Greg Bowser
Information Technologist
Information Security Office
University of Rhode Island
bowser@uri.edu
(401) 874-7285
1 Tyler Hall
9 Green House Rd
Kingston, RI 02881
----- Original Message -----
From: "Joe Sec" <JoeSec@KENT-SCHOOL.EDU>
To: RESNET-L@LISTSERV.ND.EDU
Sent: Friday, January 18, 2013 3:18:58 PM
Subject: Re: Wireless Access
We have younger students than you, but our first concern with this was how to keep them from using it all of the time.
If for no other reason than that they would not be able to get to network resources they require.
In the end, self-registration on a separate vlan through our Aruba boxes seems to have worked well.
It’s enough trouble and you have to renew it every day that students don’t want to bother.
You still have to be concerned about someone using your network for nefarious purposes…
Adam
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of James Colunio
Sent: Friday, January 18, 2013 3:00 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Wireless Access
Greetings,
I have been asked to investigate the possibility of providing access for campus visitors/guests/etc. WITHOUT authenticating. We are currently using Bradford's NAC solution to handle all WIFI devices here and provide scans and access. It is my thinking (and please correct me where I'm wrong) that another SSID and/or VLAN would be needed. I have the same question into Bradford Support, but there's nothing like getting feedback from people that have already been there.
I would appreciate any feedback by anyone that is doing this AND from those of you that see security problems with this approach. Because I have just received this request, my initial reaction is a concern for security, but if there's an approach that works and does NOT put the network at risk, then I have to pursue this.
I want to thank any and everyone in advance for their input.
Jim
--
Jim Colunio
Network-Systems Administrator
Elmira College
One Park Place
Elmira, NY 14901
Ph. (607) 735-1921
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________