[unisog] fw: insecure wireless LAN deployment at .edu
tep at SDSC.EDU
Thu Jan 24 22:53:29 GMT 2002
>>>>> On Thu, 24 Jan 2002 13:16:34 -0800, "Ben Curran" <bdc1 at humboldt.edu> said:
Ben> One of our concerns with authenticating users to radius, kerberos
Ben> etc. is that our only student password/login pair, granted during
Ben> initial registration to all students, is their POP3 account login.
Ben> (They also have separate logins for Banner web reg.) We don't want
Ben> network admin to get involved in managing student accounts since
Ben> this is handled nicely by enrollment management & help desk staff.
Ben> Any recommendations for "offloading" these existing accounts to
Ben> "new" wireless (or otherwise) authentication databases?
I think that the answer is to actually use the features of Kerberos to
solve this problem. "Least privilege" and "role" accounts are key.
Use separate instances of the user principal to control access to
  username/pop       - POP access
  username/dial      - RADIUS access
  username/archive   - archival storage
  username/wireless  - wireless net access
This gives each user a single "account" with multiple passwords for
various functions. And you can probably do things in the KDC to make
sure that passwords are distinct.
If the client and server software append the appropriate instance,
then this is invisible to the user; they will just have to know that
there are different passwords for different functions.
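The per-function instance scheme above, as an added example that is not part of the original post: a toy password store that plays the role of the KDC, appends the service instance on the user's behalf, and refuses to let two instances of the same user share a password. The realm, service names and hashing parameters are assumptions, not anything from the thread.

```python
import hashlib, hmac, os, re

# Service-to-instance mapping taken from the post; the realm is a placeholder.
SERVICE_INSTANCES = {"pop": "pop", "radius": "dial",
                     "archive": "archive", "wireless": "wireless"}
REALM = "EXAMPLE.EDU"  # assumed realm, not from the original post

PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^@]+)$")

def principal_for(username: str, service: str, realm: str = REALM) -> str:
    """Client/server side: append the instance so the user only types a username."""
    return f"{username}/{SERVICE_INSTANCES[service]}@{realm}"

def split_principal(principal: str):
    """Parse primary/instance@REALM; instance is None for a bare principal."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")

class ToyKDC:
    """Constructed stand-in for a KDC password database (not real Kerberos)."""
    ITERATIONS = 20_000  # PBKDF2 work factor, kept small for the example

    def __init__(self):
        self._store = {}  # full principal -> (salt, digest)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def _verify(self, principal: str, password: str) -> bool:
        salt, digest = self._store[principal]
        return hmac.compare_digest(self._digest(password, salt), digest)

    def set_password(self, principal: str, password: str) -> bool:
        """Store a password; reject it if another instance of this user already uses it."""
        primary, _, realm = split_principal(principal)
        for other in self._store:
            o_primary, _, o_realm = split_principal(other)
            if other != principal and (o_primary, o_realm) == (primary, realm):
                if self._verify(other, password):
                    return False  # same password on two instances defeats the separation
        salt = os.urandom(16)
        self._store[principal] = (salt, self._digest(password, salt))
        return True

    def authenticate(self, principal: str, password: str) -> bool:
        return principal in self._store and self._verify(principal, password)
```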
Tom E. Perrine (tep at SDSC.EDU) | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ | Voice: +1.858.534.5000
"The French are glad to die for love..." - Moulin Rouge