Educause Security Discussion mailing list archives

Re: Wireless access by users with multiple devices


From: Christopher Jones <Christopher.Jones () UFV CA>
Date: Fri, 17 Sep 2010 08:23:43 -0700

Hi Tim,
 
Thanks for the detailed response.  Our concerns would be security and
capacity.  Out of the two, my bigger concern is capacity as the number
of wireless devices grows.  From a security standpoint, I'm not too
concerned as there is very limited access on our wireless network, and
access requires a currently active account.  We don't have a policy in
place, either, but we may have to take a closer look at the issue as
wireless devices continue to proliferate.  Thanks.
 
Christopher

"Doty, Timothy T." <tdoty () MST EDU> 09/17/2010 7:08 AM >>>

What is the issue? Does it matter if a user has multiple wireless
devices active? Is there a shortage of addresses? Insufficient wireless
resources to cope with the demand? Something else?

In our environment all network devices (other than some infrastructure)
get a public IP address from our /16.  I’d have to check to see the
total allocation for wireless as we have different subnets – some are
PSK and some are WPA. There has been a definite increase over the past
few years in mobile network devices which has caused us to allocate
more/larger subnets for wireless use (approximately a third of our
active IP addresses are now for wireless devices) in addition to bulking
out our wireless network in terms of geographical coverage and number of
clients that can be handled.

We require network devices to be registered to a user and by default
there are number limits to avoid creative user behavior (we have very
creative students) but if a student really had 50 network devices I
don’t see why he wouldn’t be able to register them, it would just
require IT intervention. All devices registered to a user “belong” to
the same subscriber in our traffic shaper so a student with 50 devices
trying to download on each of them is not going to be happy with the
results. This is a deliberate configuration on our part and helps to
reduce abuse.

The main problem we’ve had with wireless devices is that users often
won’t register them. To facilitate the registration process we have a
certain number of IP addresses reserved for unregistered systems –
basically no Internet access but they can get to the online registration
form. The issue is that this is often “good enough” access for the user
and they just don’t bother to register. Or they aren’t aware/don’t care
that the device is proactively acquiring a wireless IP address. Which
means that the unregistered IP address pool gets exhausted. To help with
this issue if a system stays on an unregistered IP address for too long
it is automatically registered in a way to deny any DHCP requests. It
helps, but does not resolve the issue.

We don’t have any policy limiting the number of wireless devices a user
can register, from that point of view it is just considered an alternate
way to connect to the network. The main reason there are any limits to
the number of device registrations per user is to prevent abuse. From a
traffic shaping perspective all devices registered to a user share the
same bandwidth allocation. To my knowledge we have enough access points
to give reasonable client coverage so inability to connect to the
wireless network is either a client issue or exhaustion of the IP
address pool (normally the unregistered device pool).

Tim Doty

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher
Jones
Sent: Thursday, September 16, 2010 6:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: [SECURITY] Wireless access by users with multiple devices

 

We are currently grappling with the issue of concurrent wireless access
by users with multiple devices.  For those of you who may have dealt
with this already, do you have any thoughts, suggestions,
recommendations surrounding policies, strategies?  Thanks.

 

Christopher Jones

IT Security Administrator

University of the Fraser Valley

Christopher.Jones () ufv ca 

 
