[unisog] Encrypted wireless for students

Michael Holstein michael.holstein at csuohio.edu
Wed Aug 22 15:26:27 GMT 2007

> We need to provide easy wireless access for students, but also have to
> meet a state requirement that all wireless traffic be encrypted.
Perhaps I'm missing something, but isn't this exactly what Radius (with 
EAP) and dynamic keying (TKIP) is supposed to address?

On our campus, we require 802.1x on the wireless .. works fine in 
XP/Mac/*nix (although *nix requires a bit of tinkering), every user gets 
a unique server-assigned encryption key that changes periodically (at 
the moment, I think it's a session key, but it could be regenerated 
every $n minutes, or $n bytes). We use Cisco's ACS, but it can be done 
with FreeRadius (et.al.) and most any "enterprise-class" access-point.

Sure, this breaks a lot of "consumer gizmos" (notably the PSP and 
iPhone) since they don't support enterprise authentication methods, but 
that's not been a big issue.


Michael Holstein CISSP GCIA
Cleveland State University

More information about the unisog mailing list