Security Basics mailing list archives

RE: Wireless solutions with multiple keys


From: "Danny Puckett" <dpuckett () comresource com>
Date: Fri, 12 Dec 2008 10:12:35 -0500

You could always put up a quick captive portal using m0n0wall/pfsense. I use this for our guest wireless at work. Users 
need to know the current password to gain internet access. Of course this is authentication only and does not 
provide any encryption.

________________________________

From: listbounce () securityfocus com on behalf of Nick Duda
Sent: Thu 12/11/2008 5:10 PM
To: 'Mercurio, Michael D (Dante)'; 'security-basics () securityfocus com'
Subject: RE: Wireless solutions with multiple keys



Thanks for the info. I actually run a wireless network using WPA2 and AD authentication for local LAN users, it works 
great. The issue here is that I want to make a new wifi LAN that anyone can use only if they are authenticated...but 
this authentication needs to be automated somehow. When I say "anyone can use it" I mean that anyone that has access to 
something that can tell them the key to get on. I guess what I am saying is that I want a wifi network in the workplace 
that a wardriver cannot just "jump on", but any employee can because they can pull up on an intranet site "This week's 
key". If the employee is working on a weekend and brings their spouse in with a laptop, that employee just looks at what 
"This week's key" is and configures it on the spouse's laptop.

I'm starting to think it's very easy if I just manually update this "intranet" page weekly/monthly with the WEP/WPA key 
once I change it on the AP.



-----Original Message-----
From: Mercurio, Michael D (Dante) [mailto:michael.mercurio () verizonbusiness com]
Sent: Thursday, December 11, 2008 4:57 PM
To: Nick Duda; security-basics () securityfocus com
Subject: RE: Wireless solutions with multiple keys

The best method for what your stated goals are, is to use a central RADIUS server and authenticate using AD or other 
directory information. This solution would involve using WPA and 802.1x with an EAP Type. In this scenario, the AD 
credentials would dictate the user access and if an AD account expires or is deleted, access to the wireless is gone. 
Assuming you have AD, you can install and configure IAS and this solution costs you nothing more than time and maybe a 
certificate if you don't want to set up an internal certificate authority.

Many systems that hotels use typically authenticate a user after the system is associated with an access point. There 
is typically no encryption when you do this. The user hits the gateway which forces an authentication before allowing 
traffic to pass.

Also some hotels use a solution where an account is created manually during check in and the pass code is given to the 
user. If that interests you, here is one solution:
http://www.colubris.com/content.asp?catref=Colubris_Visitor+Management+Software&name=Colubris_Products

Hope this helps,
--Dante

M. Dante Mercurio, CISSP, CCNA


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Duda
Sent: Thursday, December 11, 2008 4:12 PM
To: 'security-basics () securityfocus com'
Subject: Wireless solutions with multiple keys

Does anyone know any good products that allow multiple keys (wep/wpa/wpa2) for a single SSID that can be generated 
dynamically? I think I've seen hotels and such that offer something like this.

Example: A local corporate network that serves 500 people. This network has servers and all kinds of stuff. I want to 
add a wireless network using WEP (I know I know, WEP... just using as example). This wifi network has no connectivity to 
the local corporate network, rather it connects to a dedicated DSL line. If you are on this wifi network, you are only 
on the internet. These 500 people have laptops that can only be used on this wifi network.  I don't want to share 1 WEP 
key with 500 people. I want a way, a solution that these 500 people can hit up a webpage or something that will 
dynamically generate a WEP key for them. This WEP key should be able to expire. This solution can live on the local lan 
if needed.

- Nick
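
Added example, not part of the original thread or written by any of its posters: one way to automate the "this week's key" idea is to derive the WPA2 passphrase from a master secret and the ISO week, so the intranet page and whatever configures the AP compute the same value and it expires every Monday. Assumptions: the names `MASTER_SECRET`, `weekly_passphrase`, `expires_on` and the SSID `guest-wifi` are hypothetical, the secret shown is a constructed sample, and pushing the passphrase to the AP is vendor-specific and not shown.

```python
import base64
import datetime
import hashlib
import hmac

# Constructed sample secret (assumption). In practice generate it once with
# secrets.token_bytes(32) and keep it only on the host that renders the
# intranet page and configures the AP.
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def week_label(day: datetime.date) -> str:
    """ISO year and week, e.g. '2008-W50'; the label changes every Monday."""
    iso_year, iso_week, _ = day.isocalendar()
    return f"{iso_year}-W{iso_week:02d}"


def weekly_passphrase(secret: bytes, ssid: str, day: datetime.date) -> str:
    """Derive the WPA2-PSK passphrase for the week containing `day`."""
    msg = f"{ssid}|{week_label(day)}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # 15 bytes -> 24 base32 characters (120 bits), no '=' padding.
    # A WPA2 passphrase must be 8 to 63 printable ASCII characters.
    text = base64.b32encode(digest[:15]).decode("ascii").lower()
    # Group in sixes so it is easier to read off a web page and type.
    return "-".join(text[i:i + 6] for i in range(0, len(text), 6))


def expires_on(day: datetime.date) -> datetime.date:
    """The Monday on which the passphrase for `day`'s week stops being valid."""
    return day + datetime.timedelta(days=8 - day.isoweekday())


if __name__ == "__main__":
    today = datetime.date.today()
    print("Week:      ", week_label(today))
    print("Passphrase:", weekly_passphrase(MASTER_SECRET, "guest-wifi", today))
    print("Expires:   ", expires_on(today))
```

This remains a single shared key per week: everyone who reads the page during that week holds the same passphrase, and access cannot be revoked per user before the week ends.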
