[37895] in Resnet-Forum
Re: Wireless Access
daemon@ATHENA.MIT.EDU (Christopher Wieringa)
Wed Jan 23 13:45:51 2013
Message-ID: <50FE955F020000C6000C2C41@gwdom.calvin.edu>
Date: Tue, 22 Jan 2013 13:34:23 -0500
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: Christopher Wieringa <cwieri39@CALVIN.EDU>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <CAKnNXMirxeoYcK1qdkOv-XJbzDjtNL2a_jQX1vbVdx_Casn8Cw@mail.gmail.com>
Thought I would chime in on this. I just finished a project to implement campus-wide guest access. We wanted to deploy a system that users could do by themselves, and not require users to visit any central desk to register or receive credentials. We deployed the open-source PacketFence NAC solution in self-registration mode only. It is sitting on a separate SSID and uses the VLAN switching capabilities of our Cisco wireless system (through RADIUS) to switch users between registration and registered VLANs.
Users connect to the open SSID, open a web browser and get redirected to the registration captive portal. They type in their information and accept our EULA. Afterwards, they can choose their registration method to verify themselves - an SMS text message, an email link to click (with a 5-minute open window for them to check their email), or a Faculty/Staff sponsorship through email to the faculty/staff member.
For security, we try to treat all the traffic as closely to external (Internet) hosts as we can.
It works well so far. We reset registrations after 24 hours.
Chris
>>> On 1/18/2013 at 3:00 PM, James Colunio <jcolunio@ELMIRA.EDU> wrote:
> Greetings,
>
> I have been asked to investigate the possibility of providing access for
> campus visitors/guests/etc. WITHOUT authenticating. We are currently using
> Bradford's NAC solution to handle all WIFI devices here and provide scans
> and access. It is my thinking (and please correct me where I'm wrong) that
> another SSID and/or VLAN would be needed. I have the same question into
> Bradford Support, but there's nothing like getting feedback from people
> that have already been there.
>
> I would appreciate any feedback by anyone that is doing this AND from those
> of you that see security problems with this approach. Because I have just
> received this request, my initial reaction is a concern for security, but
> if there's an approach that works and does NOT put the network at risk,
> then I have to pursue this.
>
> I want to thank any and everyone in advance for their input.
>
> Jim
>
> --