Educause Security Discussion mailing list archives

Re: Wireless Guest Access


From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
Date: Thu, 28 Sep 2006 18:51:40 -0400

We broadcast our guest network and it only allows Web and IM traffic through and is separate from the rest of our 
campus network.  We don't broadcast our secure network SSID and we require LEAP authentication against AD.  On our 
university-owned laptops (Dell Latitude D series with internal Dell Wireless cards), we configure them to use the 
Windows login information; therefore, they only have to log into their laptop with their AD account and it 
automatically logs them into the wireless network.  Since the login script runs, they even get their network drives 
mapped.  The downside to this is that it significantly slows down login because the wireless utility has to load 
before they can log in (I teach them to use hibernate instead of shutting down).  For non-university-owned laptops, 
they either use the guest network or they are prompted to authenticate to our secure network.
 
We haven't had any legal or political battles and everyone seems happy with the network (we don't receive many 
complaints and we see lots of people using it).
 
We occasionally get a guest who wants to VPN to another network and we have to explain that we don't allow that on our 
guest network.
 
Hope this helps,
Jeff Koerber 
Technical Services Coordinator 
Office of Technology Services 
Towson University 
Towson, MD 


________________________________

From: Matt Arthur [mailto:arthur () WUSTL EDU] 
Sent: Thursday, September 28, 2006 11:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Wireless Guest Access



Greetings,

We are in the process of adding a couple hundred of the new generation centrally controlled wireless access points.  
Our current system requires a login and pw.  The new system requires the same.  We have had a discussion locally about 
adding a 'Guest' SSID that would not require a login and would ONLY provide access to web traffic.  Our main goal is to 
allow visiting faculty, staff, prospective students, and parents to have a way to use their mobile device to check 
email via their Yahoo account, web portal, etc.  From a technical security point of view, we feel okay that folks 
won't be able to 'cross over' into our secure SSID area and if they download a virus/bot, it can't jump onto our 
network.  My questions and concerns are more towards the political and legal side of things.  Does anyone offer this 
type of wireless access?  If so, are there legal/political battles that you have either fought or stepped around?  Or 
does everyone still require some form of authentication?

 

Thanks ahead of time!

Matt

Matthew K Arthur, CISSP
Director, NTS-Enterprise Networks
Washington University in St. Louis
W: 314.935.7388, F: 314.935.7142

 

