[unisog] insecure wireless LAN deployment at .edu

Richard Johnson rdump at river.com
Fri Mar 8 02:09:51 GMT 2002


At 17:44 -0500 on 07/03/2002, Bob Smith wrote:
> We were wondering how some of you are managing the assignment of the SSIDs
> and WEP passwords for your clients especially for the students.


SSIDs are broadcast in the beacons.  Anyone in range may associate freely.
WEP is not in use.

We don't do shared passwords, in general, but that's all WEP is.  It's also
a pain in the tuckus to rotate WEP keys without a flag day, especially
given the fact that some broken clients (Hi, Apple :-) refuse to use
anything but key #1, and others (Hi Compaq!) hash their 'password' into all
4 keys at once.

We don't do MAC locking on the base stations either, due to the manpower
requirements of doing that across hundreds of units on our particular model
Cisco base stations.  Others have had better results trying that.


> Do you have authorized staff configure the devices or do you provide the
> student/faculty/staff member with the information and let them do it?


All staff/scientists/students can use their gateway login and password to
free up access to the world for whatever IP they happen to be using on the
wireless side.  Prior to authentication and startup of an encrypted channel
heartbeat, they can only reach other wireless clients on the same segment.

Any staff member can also create short term accounts for guests and seminar
attendees.  The staff member is responsible for their guests.  Just like
regular users, the guests can be turned off, with open connections
optionally nuked, if they turn out to be rogues.

I've found that users can understand and follow instructions to "boot your
computer, connect to http://wireless/, and log in with your username and
password" or "boot your computer, and bring up your VPN client" far better
than they can deal with configuring WEP keys and selecting non-broadcast
SSIDs.


Richard
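The gateway described in the message above (open association, no WEP, per-IP upstream access opened by a web login and kept alive by a heartbeat on an encrypted channel, staff-sponsored short-term guest accounts that can be switched off with their connections dropped) modelled as a small Python state machine. This is an added example, not the gateway software from the post or anything published by the unisog list; the wireless segment 10.20.0.0/16, the 60-second heartbeat timeout, the class and method names, the PBKDF2 password storage and the use of a per-session token as a stand-in for the encrypted heartbeat channel are all assumptions of the example.

```python
"""Model of an authenticating wireless gateway (illustrative, assumed design).

Clients on the open wireless segment can always reach each other.  Traffic to
the outside is forwarded only for a wireless-side IP whose user has logged in,
and only while that client keeps heartbeating.  Staff accounts can sponsor
short-lived guest accounts; disabling an account drops its session and,
optionally, the flows it had open.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

WIRELESS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # assumed address plan
HEARTBEAT_TIMEOUT = 60.0  # seconds without a heartbeat before access closes (assumed)


def _hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class Account:
    salt: str
    pw_hash: str
    sponsor: str | None = None      # staff member responsible for a guest account
    expires_at: float | None = None  # guests only; None means a regular account
    enabled: bool = True

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


@dataclass
class Session:
    user: str
    token: str            # stands in for the encrypted heartbeat channel
    last_heartbeat: float


class Gateway:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}           # keyed by wireless-side IP
        self.flows: dict[str, set[tuple[str, int]]] = {}  # open (dst, port) flows per IP

    # --- account management ------------------------------------------------
    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def add_guest(self, sponsor: str, guest: str, password: str, now: float, lifetime: float) -> None:
        """Only regular (non-guest) accounts may sponsor a guest."""
        acct = self.accounts.get(sponsor)
        if acct is None or acct.sponsor is not None:
            raise PermissionError("only regular staff accounts may sponsor guests")
        salt = secrets.token_hex(8)
        self.accounts[guest] = Account(salt, _hash(password, salt), sponsor=sponsor, expires_at=now + lifetime)

    def disable(self, user: str, nuke_connections: bool = False) -> None:
        """Turn a user off; drop their session and, optionally, their open flows."""
        if user in self.accounts:
            self.accounts[user].enabled = False
        for ip, sess in list(self.sessions.items()):
            if sess.user == user:
                del self.sessions[ip]
                if nuke_connections:
                    self.flows.pop(ip, None)

    # --- client-facing -------------------------------------------------------
    def login(self, user: str, password: str, client_ip: str, now: float) -> str | None:
        acct = self.accounts.get(user)
        if acct is None or not acct.enabled or not acct.check(password):
            return None
        if acct.expires_at is not None and now > acct.expires_at:
            return None
        token = secrets.token_hex(16)
        self.sessions[client_ip] = Session(user, token, now)
        return token

    def heartbeat(self, client_ip: str, token: str, now: float) -> bool:
        sess = self.sessions.get(client_ip)
        if sess is None or not hmac.compare_digest(sess.token, token):
            return False
        sess.last_heartbeat = now
        return True

    def expire(self, now: float) -> None:
        for ip, sess in list(self.sessions.items()):
            if now - sess.last_heartbeat > HEARTBEAT_TIMEOUT:
                del self.sessions[ip]

    # --- forwarding decision ----------------------------------------------
    def allow(self, src_ip: str, dst_ip: str, now: float) -> bool:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src in WIRELESS_SEGMENT and dst in WIRELESS_SEGMENT:
            return True  # unauthenticated clients may still reach each other
        self.expire(now)
        return src_ip in self.sessions  # upstream only for a live, authenticated IP

    def open_flow(self, src_ip: str, dst_ip: str, dport: int, now: float) -> bool:
        if not self.allow(src_ip, dst_ip, now):
            return False
        self.flows.setdefault(src_ip, set()).add((dst_ip, dport))
        return True
```

The forwarding decision keys on the wireless-side IP, as the post describes; the session token only gates heartbeat renewal, so in this model a client that borrows an authenticated address on the open segment is forwarded until that session times out, which is why the real deployment pairs the login with an encrypted channel rather than a bare web cookie.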


