[unisog] fw: insecure wireless LAN deployment at .edu

Peter Van Epp vanepp at sfu.ca
Thu Jan 24 16:59:34 GMT 2002

> Are (m)any of you doing this for your campus-wide wireless deployments?
> If so, I'd be interested in any feedback on technologies, tools, and
> procedures that have worked well.  My experience is that manual management
> of MAC address filters does not scale very well for a large number of
> users.

	No, like other people that have responded we don't believe it either
scales or works (MAC addresses are changeable, despite many network gear
manufacturers' charming confidence that they can't be :-)).
	We have moved over the last several years from the U of A's OpenBSD
based gateway (users didn't like the telnet interface, boss wanted commercial
support), to Nokia (support problems) and now to Vernier 
(http://www.verniernetworks.com) after a suggestion on this list. 
	As usual, we have warped the box in directions the manufacturer never
expected (and I think in some cases, believe are nuts :-)), but they have 
been responsive when we manage to break things and/or want to do something 
they consider odd. 
	Accessing any web page from behind the gateway diverts the
web browser to an SSL secured login page which backends to radius, kerberos
or ldap (and probably more, with certainly more coming). So at least logins
are encrypted on air. If the user then switches to SSH they can be (if they 
wish to / need to) secure for the entire connection. If they only want to
web browse they can browse unencrypted on air (and of course they can log in via 
telnet somewhere and compromise their account, but at least we haven't done it
to them :-)).
	Another nice feature is that if the machine is "misconfigured" (i.e.
doesn't do dhcp and doesn't have an IP address on the local net) the Vernier
box NATs the machine and does the appropriate external IP source/dest address
port number logging to syslog so in conjunction with an argus log you can 
associate a connection with a logged in user. We intend to deploy this 
in our teaching spaces (wired and wireless) so that a faculty member can take
a laptop (with a fixed address) from their office into a lecture hall and 
have it magically just work without them having to reconfigure the machine.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
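The attribution chain described in the post (portal login record, NAT translation record in syslog, flow record from argus) can be joined mechanically. The Python below is an added example, not code from the original post, from Vernier or from argus. All three log formats are constructed for the example and do not mirror any product's real output; the field names, regexes and the 60-second window used to match a NAT record to a flow are assumptions. It also shows the failure mode a practitioner cares about: a flow seen after the user's logout is left unattributed rather than pinned on the last user of that address.

```python
"""
Attribute a flow record to a logged-in user by joining three constructed logs:
  1. captive-portal LOGIN/LOGOUT events (user <-> client IP, with time)
  2. NAT translation records for clients that kept a foreign fixed address
  3. flow records as seen on the wired side of the gateway
Formats, field names and the matching window are assumptions for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample data (not real gateway, syslog or argus output).
LOGIN_LOG = """\
2002-01-24T09:00:12 LOGIN user=pve client=10.20.0.15
2002-01-24T09:05:40 LOGIN user=jdoe client=192.168.1.7
2002-01-24T10:15:00 LOGOUT user=pve client=10.20.0.15
"""
# 192.168.1.7 is a "misconfigured" laptop with a fixed address; the gateway
# NATs it to its own public address 203.0.113.5 and logs the translation.
NAT_LOG = """\
2002-01-24T09:06:02 NAT in=192.168.1.7:40112 out=203.0.113.5:61001 dst=198.51.100.10:23 proto=tcp
2002-01-24T09:06:30 NAT in=192.168.1.7:40113 out=203.0.113.5:61002 dst=198.51.100.11:80 proto=tcp
"""
FLOW_LOG = """\
2002-01-24T09:06:03 tcp 203.0.113.5:61001 -> 198.51.100.10:23 bytes=4120
2002-01-24T09:07:10 tcp 10.20.0.15:51000 -> 198.51.100.12:22 bytes=9001
2002-01-24T11:00:00 tcp 10.20.0.15:51001 -> 198.51.100.12:22 bytes=100
"""

LOGIN_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) user=(\S+) client=(\S+)$")
NAT_RE = re.compile(r"^(\S+) NAT in=(\S+) out=(\S+) dst=(\S+) proto=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) bytes=(\d+)$")


@dataclass
class Session:
    user: str
    client: str            # client IP as the portal saw it (pre-NAT)
    start: datetime
    end: Optional[datetime]  # None while the user is still logged in


@dataclass
class Translation:
    when: datetime
    inside: str   # original client ip:port
    outside: str  # gateway-assigned public ip:port
    dst: str
    proto: str


def parse_sessions(text: str) -> List[Session]:
    """Pair LOGIN and LOGOUT events into sessions with an optional end time."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # ignore lines that are not portal events
        when, event, user, client = m.groups()
        t = datetime.fromisoformat(when)
        if event == "LOGIN":
            sessions.append(Session(user, client, t, None))
        else:
            # close the most recent still-open session for this user/client pair
            for s in reversed(sessions):
                if s.user == user and s.client == client and s.end is None:
                    s.end = t
                    break
    return sessions


def parse_translations(text: str) -> List[Translation]:
    out: List[Translation] = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            when, inside, outside, dst, proto = m.groups()
            out.append(Translation(datetime.fromisoformat(when), inside, outside, dst, proto))
    return out


def attribute_flow(flow_line: str, sessions: List[Session], translations: List[Translation],
                   slack: timedelta = timedelta(seconds=60)) -> Optional[str]:
    """Return the user responsible for a flow, or None if it cannot be attributed."""
    m = FLOW_RE.match(flow_line)
    if not m:
        return None
    when, proto, src, dst, _bytes = m.groups()
    t = datetime.fromisoformat(when)
    # Step 1: undo NAT. A flow whose source is a gateway-assigned ip:port is
    # mapped back to the inside client via a translation logged close in time
    # for the same destination and protocol (window is an assumption).
    client_ip = src.rsplit(":", 1)[0]
    for tr in translations:
        if (tr.outside == src and tr.dst == dst and tr.proto == proto
                and abs(tr.when - t) <= slack):
            client_ip = tr.inside.rsplit(":", 1)[0]
            break
    # Step 2: the user is whoever held a login session for that client IP at
    # flow time. A flow after logout is deliberately left unattributed.
    for s in sessions:
        if s.client == client_ip and s.start <= t and (s.end is None or t <= s.end):
            return s.user
    return None


def attribute_all() -> List[Optional[str]]:
    sessions = parse_sessions(LOGIN_LOG)
    translations = parse_translations(NAT_LOG)
    return [attribute_flow(line, sessions, translations) for line in FLOW_LOG.splitlines()]


if __name__ == "__main__":
    for line, user in zip(FLOW_LOG.splitlines(), attribute_all()):
        print(f"{user or 'UNATTRIBUTED':>13}  {line}")
```

The first flow is the NATed telnet session and resolves through the translation record to jdoe; the second is a native-addressed SSH session and resolves directly to pve; the third is the same laptop after pve's logout and stays unattributed, which is the case the correlation must not guess at.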

