Guest Wireless Authorization

[raffi at flossyourmind.com (Raffi Jamgotchian)]

There was a company that was doing VPN access using the cellphone to  
deliver one time passwords (phonefactor.com). I'm guessing its some  
sort of Radius back end.

However, having a kiosk or a person deliver the wireless key would be  
a better way to go.  Almost all of the enterprise vendors have some  
sort of guest access solution (Aruba, Cisco, aerohive)



On Mar 16, 2009, at 10:40 AM, Carl Hester wrote:

> We're looking to set up an authentication/authorization system for our
> Guest Wireless network.  My client is a hospital with a very large
> campus that covers many city blocks and the Guest Wireless network
> spans the entire area.  The current network does not have any
> authentication and just let users connect and surf as they please,
> this includes no TOS.  This network is routed through the Websense URL
> filter, but beyond that, is wide open.  The high level decision makers
> are not keen on implementing any sort of "big brother" to this
> wireless network.  This environment is very political, so it's always
> difficult to convince them that they need to implement any new layers
> of security.
>
> However, over the past few weeks there have been complaints of our IP
> range being used for malicious traffic and they can be traced back to
> IP addresses on the guest WLAN.  So, with this recent information,
> we're going to push for some changes.
>
> My idea is to ask a prospective user for their cell phone # before
> allowing them to connect.  At that point, they could be sent a
> text-message with an authorization code that would be tied to their
> session token.  The user then inputs the code and is authorized to use
> the network.  This assumes anyone who has a laptop would also have a
> cell phone.  There are a few hurdles with this approach, such as users
> not having text-messaging plans, or not having cell coverage in
> certain areas of the hospital.  This is not the ideal scenario, but
> just an idea.
>
> Random list of requirement ideas:
> --Ability to revoke session tokens and blacklist hosts
> --Use more than MAC address to identify endpoint
> --Limit session length and allow for reauthorization
> --Physical interaction with user isn't ideal, but could be implemented
> via guest services or kiosk.
>
> I'm looking for any input on experiences or recommendations for
> software packages to manage this sort of wireless access control.
>
> Thanks for any feedback,
>
> Carl
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090316/fa6fd8ae/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part
Url : http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090316/fa6fd8ae/attachment.pgp