[unisog] Encrypted wireless for students

John York YorkJ at brcc.edu
Wed Aug 22 13:08:35 GMT 2007


We need to provide easy wireless access for students, but also have to
meet a state requirement that all wireless traffic be encrypted.  The
standard hotel/coffee shop setup won't work for us.  Back in the WEP
days we decided to go with a captive net connected to a VPN
concentrator.  The wireless itself is wide open, but the only way to
escape the captive net is by using a VPN client and the concentrator.
This works pretty well, but means the students have to install the
(Cisco) VPN client.  Most of the students need assistance with this,
which puts a load on the student help desk, and students regularly blame
us or the client for the viruses or spyware they inflict upon
themselves.

Of all the WPA flavors, the only one we've had much success with users
configuring themselves is WPA-PSK.  WinXP-sp2 with patches does a pretty
good job of recognizing WPA-PSK and normally the user just has to enter
the password/key.  WPA with PEAP would be most secure, but we've had
terrible luck with Windows users getting it to work without a
third-party client.

One solution we are considering is using WPA-PSK to provide the
encryption, and then using a web portal for authentication.  The main
problem with this is that the pre-shared key would be common knowledge.
We could limit that slightly by having the students install a registry
file with the settings and key, but the key would still be available.

**Question**:  If you know the pre-shared key, is it possible to sniff
and decrypt WPA-PSK traffic?  If so, is it something a script-kiddie
could do or is it more advanced?  I'm worried that we would be
technically meeting the encryption requirement, but giving our students
a false sense of security.

If WPA-PSK doesn't work, what other solutions are available?  The
solution has to allow all ports, and not be restricted to 80/443.  I've
tried an ssl/vpn client, but had problems because it had to install
itself on the student laptop.

Thanks
John

John York
Network Engineer
Blue Ridge Community College


