Re: Wireless SSIDs (was Re: WEP)

[Dean De Beer <ddb () PLAZACOLLEGE EDU>]

We do use separate SSIDs for faculty, staff, students and different
departments but they are really to direct the user to the correct VLAN.

Using the SSID to specify the VLAN is fine but as Chris stated it is easy to
find a SSID that is not broadcast. When the AP is inactive no beacon frames
are broadcast so any wireless NIC or active scanner won't find the SSID but
if a notebook has associated with the AP on the "hidden" SSID any passive
scanner/sniffer (kismet) will see the traffic and detect that SSID whether
it's broadcast or not. 

Personally I think having all clients login through a Wireless
Gateway/Portal using LDAP, Transparent NTLM or Radius for authentication is
the easiest solution. You then don't have to worry about the user having a
WPA or LEAP compliant NIC card. Cisco's BBSM or Bluesocket's offerings are
good solutions for this.

Cheers,

Dean

-----Original Message-----
From: Christopher E. Cramer [mailto:chris.cramer () DUKE EDU] 
Sent: Wednesday, July 13, 2005 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)


my understanding is that there is one single SSID for the campus which is
broadcasted.  there may be some other SSIDs that I am unaware of, but for
the most part, we don't rely on the SSID for anything other than
identifying/specifying which wireless network you have attached to.  
since we aren't relying on ssids for access control, this isn't a problem.

on a related note, i was in a space that had wireless, but the ssid wasn't 
being broadcast.  someone came in with a mac and it "helpfully" detected 
the non-broadcast ssid and attached itself to the wireless network.  just 
something to consider :)

-c

On Wed, 13 Jul 2005, Jeff Kell wrote:

> Christopher E. Cramer wrote:
>
> > Regarding access control, it seemed to us that a "shared secret" 
> > between the 30,000+ people at the institution, wasn't much of a 
> > secret and so the access control capability wasn't too useful.
>
> On a more fundamental level, how do you have SSIDs setup?
>
> *  Do you have separate SSIDs for "public", "student", "fac/staff", 
> etc?
> *  Do you broadcast all of them, or just certain ones.
> *  How do you disseminate information about non-broadcast SSIDs to users?
> *  Do you periodically change SSIDs of non-broadcast domains?
>
> We are currently debating this issue, haven't gotten around to 
> encryption yet, but it is obviously on the table.  Granted that a 
> "shared secret" or a "private SSID" between numerous users is hardly a 
> secret, but if you broadcast, isn't that somewhat akin to an open 
> door?
>
> Jeff