[unisog] fw: insecure wireless LAN deployment at .edu
utht-rosetta-reg-20020117 at sandbar.river.com
Thu Jan 24 00:10:36 GMT 2002
At 15:13 -0500 on 1/23/02, Brian Reilly wrote:
> On Wed, 23 Jan 2002, Jose Nazario wrote:
>> - Filter MAC addresses at the AP to allow access only by known clients
> Are (m)any of you doing this for your campus-wide wireless deployments?
> If so, I'd be interested in any feedback on technologies, tools, and
> procedures that have worked well. My experience is that manual management
> of MAC address filters does not scale very well for a large number of
No, we're not doing it, simply because of the management hassles.

While most users and visitors can handle logins and passwords, they cannot
generally handle figuring out their current machine's MAC address.
Moreover, the admins in charge of the base stations have no desire to be
spending 1.5 FTE changing allowed MAC address lists on the base stations.
MAC address locking is not practicable given user abilities and system
management time available.

Rather, toss userids into an authentication db (local, kerberos, radius,
authsrv, etc.), then have the users authenticate to an SSH 2 gateway or
HTTPS gateway before they can reach anything off the wireless ghetto. That
will provide more effective protection.