[unisog] fw: insecure wireless LAN deployment at .edu

Paul Schmehl pauls at utdallas.edu
Thu Jan 24 18:31:43 GMT 2002

I feel compelled to respond to some of this.

--On Wednesday, January 23, 2002 5:10 PM -0700 Uthacalthing 
<utht-rosetta-reg-20020117 at sandbar.river.com> wrote:
> While most users and visitors can handle logins and passwords, they cannot
> generally handle figuring out their current machine's MAC address.

This has not been our experience.  We have a web site where users can enter 
their MAC address so that it can be "registered" in the hosts.master file, 
and it includes an explanation of how to obtain the MAC address for various 
OSes.  We have not had more than a handful of people who haven't been able 
to do this without requesting assistance.

> Moreover, the admins in charge of the base stations have no desire to be
> spending 1.5 FTE changing allowed MAC address lists on the base stations.

Ours are done centrally, by our Help Desk staff, so this isn't an issue for 
us.  The admins that handle wireless aren't involved at all.
> MAC address locking is not practicable given user abilities and system
> management time available.

Obviously that depends on how it's done and the various factors that affect 
your particular campus.  On ours it works rather flawlessly with very 
little hassle.
> Rather, toss userids into an authentication db (local, kerberos, radius,
> authsrv, etc.), then have the users authenticate to an SSH 2 gateway or
> HTTPS gateway before they can reach anything off the wireless ghetto.
> That will provide more effective protection.

We do both.

In response to the point that MAC addresses can be changed in wireless 
clients, yes we're aware of that, but it has not been an issue here.  If 
someone were to do that, the "legitimate" owner of the MAC address would be 
unable to get an IP, and we would hear about it at the Help Desk.

Nothing is foolproof, and no one method should be relied upon to address 
security issues.  For us, registering MAC addresses is just one part of a 
bigger puzzle.

Paul Schmehl (pauls at utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member

More information about the unisog mailing list