Educause Security Discussion mailing list archives

Re: Guest Wi-Fi Access

From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Tue, 12 Apr 2016 18:00:32 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 12/04/16 17:21, Tim Doty wrote:

CALEA is really aimed at service providers and their subscribers. A
 service provider is required to have the ability to tap into their
 subscriber's communications. This is why CALEA was such a big deal
for Skype and isn't so much of an issue for public networks.


The way it was put to me is that we aren't considered a service
provider _specifically_ because we only give access to our population
- -- meaning we have to know our population. I was told if we offer
service outside of that population then we no longer qualified as a
"private network" and would be considered a service provider; that is
exactly what you become as soon as you offer an unregistered,
non-sponsored guest wireless network that lets anyone within range join.

Considering there are multiple solutions to address user access, some
available at very low cost (like PacketFence, which comes with both
low monetary and low personnel training costs), the argument that "we
just can't afford it" isn't acceptable. I'll buy that some devices
don't work with NAC software like PacketFence, ClearPass, Bradford,
etc., but sponsored access _always_ works -- it may just take some
effort to get the MAC of the system getting on. At that point any MAC
spoofing to look like a known system is not your problem (at least,
not in this context), you've done your diligence to try to pair a
device with a responsible account and hopefully that account with an
individual.

Interesting reading from Cornell:

http://www.it.cornell.edu/policies/esurveillance/calea.cfm

... but note they're trying to justify why they shouldn't have to be
compliant, not arguing that they are excused from compliance.

Ultimately, ask your General Counsel. If they tell you that you don't
have to be compliant when you're offering unauthenticated wireless
access to everyone within range then don't worry about it.

kmw


-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlcNb/0ACgkQsKMTOtQ3fKHhHgCfR4UNDYbfBpsMjzdDrWHU3iQ3
m0sAnROU7sxRVF9S7x/9NKnwAnoo25Z5
=GZIY
-----END PGP SIGNATURE-----

Current thread:

Guest Wi-Fi Access Pardonek, Jim (Apr 12)
- Re: Guest Wi-Fi Access Brian Epstein (Apr 12)
- Re: Guest Wi-Fi Access Tim Doty (Apr 12)
  - Re: Guest Wi-Fi Access Kevin Wilcox (Apr 12)