[unisog] fw: insecure wireless LAN deployment at .edu

Tom Perrine tep at SDSC.EDU
Thu Jan 24 22:53:29 GMT 2002

>>>>> On Thu, 24 Jan 2002 13:16:34 -0800, "Ben Curran" <bdc1 at humboldt.edu> said:

    Ben> One of our concerns with authenticating users to radius, kerberos 
    Ben> etc. is that our only student password/login pair granted during 
    Ben> initial registration to all students, is their POP3 account logins. 
    Ben> (They also have separate logins for Banner web reg) We don't want 
    Ben> network admin to get involved in managing student accounts since 
    Ben> this is handled nicely by enrollment management & help desk staff. 

    Ben> Any recommendations for "offloading" these existing accounts to 
    Ben> "new" wireless (or otherwise) authentication databases?

I think that the answer is to actually use the features of Kerberos to
solve this problem.  "Least privilege" and "role" accounts are key.

Use separate instances of the user principal to control access to
different resources:

username                 login
username/pop             pop access
username/dial            RADIUS access
username/archive         archival storage
username/wireless        wireless net access

This gives each user a single "account" with multiple passwords for
various functions.  And you can probably do things in the KDC to make
sure that passwords are distinct.

If the client and server software append the appropriate instance,
then this is invisible to the user; they will just have to know that
there are different passwords for different functions.


Tom E. Perrine (tep at SDSC.EDU) | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | Voice: +1.858.534.5000
"The French are glad to die for love..."  - Moulin Rouge
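As an added illustration of the layout Tom describes (this is example code written for this page, not anything from the original post or from any Kerberos distribution), the toy model below keeps a per-instance password table and enforces the two policies he mentions: a service only accepts the principal whose instance names that service (the service appends the instance itself, so the user types only `username` plus that service's password), and the KDC-side check refuses a password that is already in use by another instance of the same user. The realm `EXAMPLE.EDU`, the user `bob`, and the passwords are constructed for the example; real Kerberos principals have the same `user/instance@REALM` shape, but nothing here talks to a real KDC.

```python
"""Toy model of "one user, several Kerberos instances" (added example;
not a Kerberos implementation). Realm, user and passwords are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

REALM = "EXAMPLE.EDU"  # constructed realm for the example

# Service -> instance that grants access to it (the table from the post;
# plain "login" uses the bare principal with no instance).
SERVICE_INSTANCE = {
    "login": None,
    "pop": "pop",
    "dial": "dial",
    "archive": "archive",
    "wireless": "wireless",
}


def parse_principal(name: str):
    """Split 'user/instance@REALM' into (user, instance, realm);
    instance is None for a bare 'user@REALM'."""
    if "@" not in name:
        raise ValueError("principal must carry a realm")
    local, realm = name.rsplit("@", 1)
    if "/" in local:
        user, instance = local.split("/", 1)
    else:
        user, instance = local, None
    if not user or instance == "" or not realm:
        raise ValueError(f"malformed principal: {name!r}")
    return user, instance, realm


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the table never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class ToyKDC:
    # (user, instance) -> (salt, digest)
    db: dict = field(default_factory=dict)

    def add_principal(self, name: str, password: str) -> None:
        user, instance, realm = parse_principal(name)
        if realm != REALM:
            raise ValueError("foreign realm")
        # Policy 2: a user's passwords must differ across instances.
        for (u, inst), (salt, digest) in self.db.items():
            if u == user and inst != instance and _hash(password, salt) == digest:
                raise ValueError(f"password already used by {u}/{inst or ''}")
        salt = os.urandom(16)
        self.db[(user, instance)] = (salt, _hash(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        user, instance, realm = parse_principal(name)
        entry = self.db.get((user, instance))
        if realm != REALM or entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)


def authorize(kdc: ToyKDC, service: str, user: str, password: str) -> bool:
    """Policy 1: the service appends its own instance, so the POP password
    never opens the wireless net and vice versa."""
    instance = SERVICE_INSTANCE[service]
    local = user if instance is None else f"{user}/{instance}"
    return kdc.authenticate(f"{local}@{REALM}", password)


def demo() -> dict:
    """Build a small KDC for constructed user 'bob' and exercise both policies."""
    kdc = ToyKDC()
    kdc.add_principal("bob@EXAMPLE.EDU", "login-pw")
    kdc.add_principal("bob/pop@EXAMPLE.EDU", "pop-pw")
    kdc.add_principal("bob/wireless@EXAMPLE.EDU", "wifi-pw")
    try:
        kdc.add_principal("bob/dial@EXAMPLE.EDU", "pop-pw")  # reuse across instances
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return {
        "wifi_with_wifi_pw": authorize(kdc, "wireless", "bob", "wifi-pw"),
        "wifi_with_pop_pw": authorize(kdc, "wireless", "bob", "pop-pw"),
        "pop_with_wifi_pw": authorize(kdc, "pop", "bob", "wifi-pw"),
        "login_with_login_pw": authorize(kdc, "login", "bob", "login-pw"),
        "dial_without_instance": authorize(kdc, "dial", "bob", "login-pw"),
        "reuse_rejected": reuse_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `authorize` is that the client never chooses the instance: the wireless gateway always asks the KDC about `bob/wireless`, so a captured POP password is useless there, which is the least-privilege property the post is after.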
