[unisog] Encrypted wireless for students

Frank Bulk frnkblk at iname.com
Thu Aug 23 01:17:58 GMT 2007


John:

There's no shortcut to success: 802.1X is where you need to go for securing
your wireless network.

Frank 

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of John York
Sent: Wednesday, August 22, 2007 8:09 AM
To: unisog at lists.dshield.org
Subject: [unisog] Encrypted wireless for students

We need to provide easy wireless access for students, but also have to
meet a state requirement that all wireless traffic be encrypted.  The
standard hotel/coffee shop setup won't work for us.  Back in the WEP
days we decided to go with a captive net connected to a VPN
concentrator.  The wireless itself is wide open, but the only way to
escape the captive net is by using a VPN client and the concentrator.
This works pretty well, but means the students have to install the
(Cisco) VPN client.  Most of the students need assistance with this,
which puts a load on the student help desk, and students regularly blame
us or the client for the viruses or spyware they inflict upon
themselves.

Of all the WPA flavors, the only one we've had much success with users
configuring themselves is WPA-PSK.  WinXP-sp2 with patches does a pretty
good job of recognizing WPA-PSK and normally the user just has to enter
the password/key.  WPA with PEAP would be most secure, but we've had
terrible luck with Windows users getting it to work without a
third-party client.

One solution we are considering is using WPA-PSK to provide the
encryption, and then using a web portal for authentication.  The main
problem with this is that the pre-shared key would be common knowledge.
We could limit that slightly by having the students install a registry
file with the settings and key, but the key would still be available.

**Question**:  If you know the pre-shared key, is it possible to sniff
and decrypt WPA-PSK traffic?  If so, is it something a script-kiddie
could do or is it more advanced?  I'm worried that we would be
technically meeting the encryption requirement, but giving our students
a false sense of security.

If WPA-PSK doesn't work, what other solutions are available?  The
solution has to allow all ports, and not be restricted to 80/443.  I've
tried an ssl/vpn client, but had problems because it had to install
itself on the student laptop.

Thanks
John

John York
Network Engineer
Blue Ridge Community College

_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
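Editor's added example, not part of the original unisog thread or of either poster's message. It models the WPA/WPA2-Personal key hierarchy from IEEE 802.11i so the point behind Frank's answer is visible in code: the Pairwise Master Key (PMK) is a deterministic function of the passphrase and SSID, and the per-session Pairwise Transient Key (PTK) is derived from the PMK plus values (both MAC addresses, both nonces) that are sent in the clear during the 4-way handshake. With one PSK shared across the student body, every holder of the key computes the same PMK and can derive any other client's session keys from a handshake they observed; 802.1X avoids this because each client's PMK comes out of its own EAP exchange. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i Annex H test vector; the MAC addresses and nonces are constructed values, and the function names are my own.

```python
"""WPA-Personal key hierarchy: why a shared PSK is not per-user confidentiality.

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PTK = PRF-512(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))

Only the PMK is secret. The four PTK inputs other than the PMK are carried
unencrypted in EAPOL-Key messages 1 and 2 of the 4-way handshake.
"""
import hashlib
import hmac

# IEEE 802.11i-2004 Annex H.4.1 test vector (passphrase, SSID, expected PMK).
TEST_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal (what wpa_passphrase prints)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from 802.11i 8.5.1.1: HMAC-SHA1 blocks over label||0x00||data||i."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """PTK (64 bytes) from the PMK and the four cleartext handshake values."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake MIC key), KEK (key-wrap key), TK (data-frame cipher key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def observer_recovers_client_tk(passphrase: str, ssid: str,
                                aa: bytes, spa: bytes,
                                anonce: bytes, snonce: bytes) -> bool:
    """True if a second PSK holder, given only cleartext handshake values,
    derives the same traffic key (TK) as the client that ran the handshake."""
    client_tk = split_ptk(ptk_from_handshake(
        pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce))["TK"]
    observer_tk = split_ptk(ptk_from_handshake(
        pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce))["TK"]
    return client_tk == observer_tk


if __name__ == "__main__":
    # Constructed sample values: AP and client MACs, 32-byte nonces.
    aa = bytes.fromhex("00 11 22 33 44 55".replace(" ", ""))
    spa = bytes.fromhex("66 77 88 99 aa bb".replace(" ", ""))
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    pmk = pmk_from_passphrase(*TEST_VECTOR[:2])
    print("PMK matches 802.11i vector:", pmk.hex() == TEST_VECTOR[2])
    print("TK recoverable by any PSK holder:",
          observer_recovers_client_tk("password", "IEEE", aa, spa, anonce, snonce))
```

The only thing that changes between two clients on the same PSK network is the nonces and MAC addresses, and those are what the handshake broadcasts; the shared secret is identical for everyone. Under 802.1X the PMK is delivered by the RADIUS server from the EAP session's MSK, so even a client that can see another client's handshake lacks that client's PMK, which is the property the state requirement presumably intends.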
