Educause Security Discussion mailing list archives

Re: Guest WiFi Access


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 9 Sep 2011 18:18:47 +0000

Thanks for the information Mark.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Friday, September 09, 2011 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Guest WiFi Access

No, it is home grown code that creates the account into a special OU in Active Directory... It puts logon locally 
restrictions on the accounts so they can only auth on the domain controllers and it puts them in groups that are not 
allowed to log into applications or things like the VPN.. essentially all they can do is auth.. and that lets them auth 
into Bradford.. The only rights they have are deny rights to things..

Mark

On 9/9/2011 9:57 AM, Roger A Safian wrote:
Mark - is the app that you have built in to Bradford?  Can you share more information on the name, etc.?  Thanks.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Thursday, September 08, 2011 12:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Guest WiFi Access

We have port locking enabled on all wired ports on campus including labs/classes and offices.. This prevents the unplug 
option..

As for guests, I have an app that faculty and staff can use to "vouch" for a guest and create an account for them that 
lasts 1, 3 or 7 days, the account is tied back to the creator, which is who I send the FBI to when they come calling.. 
the account only has permission to register their system on the guest wireless network (own firewall segment away from 
campus) and cannot auth on any campus computers or systems..

We use Bradford as our NAC for wireless and all wired ports to do the registration.. if that matters..



Mark Monroe
Information Security Officer
University Of Missouri St. Louis
(314)516-4859



On 9/8/2011 11:41 AM, David Gillett wrote:

Dave Koontz wrote:

Students, guests, and others can just plug themselves into any wired jack without IT knowledge (in most
organizations)... and they often do.  We find people unplugging lab computers, printers, etc. and patching
into the jack.

This is a recurring issue for us, too.  We do have a couple of small areas where wired jacks are deliberately
provided for visitors to plug into, but I'm talking about students who walk into a lab, unplug a computer provided
by the college, and plug their own device in instead.  Oh, and if they have to cut a plastic tie-strap to do that,
it barely slows them down.

I don't believe CALEA has separate rules as to how someone accesses a campus network or the internet, be it
wired or wireless.  Someone please correct me if I am wrong.

I don't believe the questioner was asking about provisions of CALEA per se, but about the FCC's ruling (early 2009
if I recall correctly) that providers of *public* Internet access are bound by CALEA -- i.e., must have resources
in place to allow easy/prompt intercept and recording of voice (VOIP) traffic.  My impression is that most
higher-ed institutions have chosen to shield themselves from this requirement by ensuring that their networks are
*private*, with the possible exception of areas where they qualify for exemptions to the FCC ruling -- in
libraries, for instance.

(We had an incident on one campus where an instructional assistant decided to "fix" the limited coverage of our
guest wireless by putting up his own router, using our guest SSID, in an area that did not qualify....  If he had
simply reported the disappointing coverage, we would have explained to him the legal constraint under which we
operate.)


David Gillett, CISSP CCNP
Sr. Security Engineer
Foothill-De Anza College District
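
The sponsored guest account scheme Mark Monroe describes in this thread, sketched as an added example; it is not his code and not part of the original messages. The OU path, deny group name and domain controller names are placeholders, and using the "Log On To" workstation list for the "logon locally restrictions" is an assumption about how that restriction is set.

```powershell
#Requires -Modules ActiveDirectory
# All names below (OU, group, DC list) are placeholders, not values from the thread.
function New-SponsoredGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GuestDisplayName,
        [Parameter(Mandatory)][string]$SponsorSam,
        [Parameter(Mandatory)][ValidateSet(1, 3, 7)][int]$Days,
        [string]$GuestOU = 'OU=WiFiGuests,DC=example,DC=edu',
        [string]$DenyGroup = 'Guest-Deny-Apps-VPN',
        [string[]]$DomainControllers = @('DC01', 'DC02')
    )
    # The sponsor must be a real, enabled account: this is the accountability link.
    $sponsor = Get-ADUser -Identity $SponsorSam -ErrorAction Stop
    if (-not $sponsor.Enabled) { throw "Sponsor $SponsorSam is disabled." }

    $sam = 'guest-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $expires = (Get-Date).AddDays($Days)

    # Random one-time password; the fixed suffix only satisfies complexity rules.
    $bytes = New-Object byte[] 18
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    $plain = [Convert]::ToBase64String($bytes) + 'aA1!'

    # Account lives in the guest OU, expires on its own, records its sponsor,
    # and may only authenticate against the listed domain controllers.
    New-ADUser -Name $sam -SamAccountName $sam -DisplayName $GuestDisplayName `
        -Path $GuestOU -Manager $sponsor.DistinguishedName `
        -Description "WiFi guest sponsored by $SponsorSam on $(Get-Date -Format s)" `
        -AccountExpirationDate $expires `
        -LogonWorkstations ($DomainControllers -join ',') `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -CannotChangePassword $true -Enabled $true -ErrorAction Stop

    # Membership in a group that applications and the VPN are configured to deny.
    Add-ADGroupMember -Identity $DenyGroup -Members $sam -ErrorAction Stop

    [pscustomobject]@{ Account = $sam; Password = $plain; Sponsor = $SponsorSam; Expires = $expires }
}

# Scheduled sweep: disable anything in the guest OU whose expiry has passed.
function Disable-ExpiredGuest {
    param([string]$GuestOU = 'OU=WiFiGuests,DC=example,DC=edu')
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $GuestOU |
        Where-Object Enabled | Disable-ADAccount -PassThru
}
```

The returned object is what the sponsoring staff member would hand to the guest; the `Manager` and `Description` attributes keep the sponsor link on the account itself for later lookup.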


