Educause Security Discussion mailing list archives

unauthenticated network access


From: Justin Sipher <jsipher () SKIDMORE EDU>
Date: Wed, 3 May 2006 09:12:22 -0400

Hello all.

I considered where to post this question and decided on the EDUCAUSE
Security list.

(lucky you) :-)

I am curious to know about the lay of the land regarding
unauthenticated access to the institution's network (wired or
wireless) excluding what is traditionally considered "ResNet".  In
the good old days, I think we all too often made network access
relatively wide open before the rise of residential networks on
campuses and the subsequent need to have authentication/registration
systems because of what came along with these networks.  We no longer
could afford to not know who was using what device and where they
were.  Around the same time came the rollout of first wired and now
wireless access around campus as our populations began to utilize
laptop computers with greater frequency.

Over this time it seems like institutions have taken different
approaches to granting this network access.  In some cases getting a
connection (wired or wireless) was all that one needed to begin
utilizing the network resources and/or Internet.  In other (and maybe
the majority of) cases there was a need to validate that the
individual was associated with the institution, usually with a
username & password.  I've seen solutions which allow NO access to
anything without credentials (username/password) and other solutions
that allow limited (maybe only http to the Internet) access to those
without credentials and full access with authentication.

With all of the above as background, my question is the following.
Where are people going on the spectrum of allowing "guest access" to
the network/Internet?    Inevitably with the changing use of
technology and the continuing mobility of individuals, we are faced
with growing access demands by those not directly associated with the
institution.  We are trying to facilitate that growth in a way that
doesn't put unnecessary roadblocks yet at the same time not create a
structure that could put the institution in a position of increasing
liability.  (quick note - I am CERTAINLY no lawyer).

So for all of you who have totally restricted unauthenticated access,
do you have procedures in place to create "guest accounts" and have
you found that this can and does work well enough to satisfy all
parties?  If so, can you (roughly) share your procedures/policies?
With the advantage of hindsight, would you do it this way again?

For those of you who do allow some level of unauthenticated therefore
anonymous access (wired/wireless) have you found this to be
manageable and have there been cases of needing to know (after the
fact) who was using what IP address at a specific time?  If you do
this, do you limit what resources they have access to and if so
what?  With the advantage of hindsight, would you do it this way again?

I hope you feel this falls close enough to "security" to warrant the
post on this list.

Thanks all.
...Justin
_______________________________________________________
  Justin Sipher
  Chief Technology Officer
  Skidmore College
  Saratoga Springs, NY
  jsipher () skidmore edu
  518-580-5909
_______________________________________________________
