[unisog] fw: insecure wireless LAN deployment at .edu

Ryan J Standish rjs9 at lurch.cit.buffalo.edu
Wed Jan 23 22:07:42 GMT 2002


> > - Filter Mac addresses at the AP to allow access only by known clients
> > 
> 
> Are (m)any of you doing this for your campus-wide wireless deployments?  
> If so, I'd be interested in any feedback on technologies, tools, and
> procedures that have worked well.  My experience is that manual management
> of MAC address filters does not scale very well for a large number of
> users.
> 
> Thanks,
> 
> Brian
> --
> <reillyb at georgetown.edu>
> 


UB has a pretty good approach.  Our main goal appears to be accountability,
interoperability and security.  We too also decided that MAC address
filters are not ideal.  We decided to put all wireless access points on a
subnet that spans the entire campus.  This subnet is connected to the
campus backbone through a firewall.  So if anyone wants to talk off of the
subnet, they have to authenticate to the firewall using https.  This
allows the use of almost any OS and 802.11b NIC.  For further security we
allow users to use our VPN client that provides 128 bit encryption.  This
is the same client they use to access UB resources from other ISPs.  This
does not guarantee that users will use the VPN client on the wireless
network, but it is at least offered and very very convenient.

-Ryan
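
A minimal model of the gateway decision described in the message above, as an added example that is not part of the original post and not UB's configuration. The subnet, portal address, idle timeout and the binding of a session to the MAC seen at login are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration; the post gives no addresses or timeouts.
WIRELESS_NET = ipaddress.ip_network("10.50.0.0/16")
PORTAL = (ipaddress.ip_address("10.50.0.1"), 443)  # firewall's HTTPS login page
IDLE_TIMEOUT = 900                                   # seconds (assumed)

@dataclass
class Session:
    user: str
    mac: str
    last_seen: float

class Gateway:
    def __init__(self):
        self.sessions = {}  # source IP -> Session
        self.audit = []     # (time, user, src, dst): the accountability record

    def login(self, src, mac, user, now):
        """Called by the HTTPS login handler after credentials are verified."""
        self.sessions[ipaddress.ip_address(src)] = Session(user, mac.lower(), now)

    def decide(self, src, mac, dst, dport, now):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in WIRELESS_NET:
            return "drop"               # not a wireless client address
        if (dst, dport) == PORTAL:
            return "allow"              # login page is reachable before login
        if dst in WIRELESS_NET:
            return "local"              # same subnet: never crosses the firewall
        s = self.sessions.get(src)
        if s is None:
            return "redirect-to-login"
        if now - s.last_seen > IDLE_TIMEOUT or s.mac != mac.lower():
            del self.sessions[src]      # idle, or the IP is now on another NIC
            return "redirect-to-login"
        s.last_seen = now
        self.audit.append((now, s.user, str(src), str(dst)))
        return "allow"
```

The "local" result marks traffic the firewall never sees, which is why the per-user audit trail in this design covers only traffic leaving the wireless subnet.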



