The problem comes when they cross L3 boundaries. Enterprise wireless infrastructures (or campus-wide installations) do tunneling of the device's traffic back to the original AP they authenticated to, all with seamless handoff.
--Matt

On Sat, Apr 6, 2013 at 7:50 PM, David Lang <[email protected]> wrote:

> why does the movement of users matter much? Users can roam between
> different APs with the same SSID with a VPN just fine.
>
> Also, why do you say 'low traffic volumes'? if you are encrypting the
> data, it's going to cost to encrypt it even if you do it at the wifi level
> instead of the VPN level.
>
> you can configure VPNs so that they are connected all the time as well,
> but any plan to push things down or run scheduled tasks from a central
> point to portable devices needs to deal with the idea that the devices may
> not have connectivity (they may not even be turned on)
>
> always-connected and authenticated don't work well together, so how do you
> have Radius authenticated Wifi and still have systems connected without the
> user being logged in?
>
> David Lang
>
> On Sat, 6 Apr 2013, Frank Bulk wrote:
>
>> In an environment when the Wi-Fi clients don't move around much, the Wi-Fi
>> clients are all devices with VPN-capable, and traffic volumes are low, VPNs
>> may work, but in most organizations, and especially higher-ed, WPA2 with AES
>> based on RADIUS authentication is the BCP. Most organizations want
>> machine-authentication, so that even while the end-user is not logged in
>> policies can be applied and pushed down, scheduled tasks can run, etc.
>>
>> Frank
>>
>> -----Original Message-----
>> From: David Lang [mailto:[email protected]]
>> Sent: Saturday, April 06, 2013 2:56 PM
>> To: Frank Bulk
>> Cc: [email protected]
>> Subject: RE: [lopsa-tech] Wifi
>>
>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>
>>> Hmm, I want to access my organization's resources over Wi-Fi -- why treat it
>>> as untrusted? The security with WPA2 using AES is more than sufficient.
>>
>> That same statement was made about WEP and WPA. It may be true, it may not be
>> true (they don't have a good track record here). It may depend on the attacker
>> never having been able to extract data from a laptop of someone who has been
>> authorized to use the network (is WPA2 really secure if an attacker has been
>> able to read keys off of someone's machine?)
>>
>> Your users need to be using VPN software anyway when working from other
>> networks, so adding WPA and its management is additional work that you don't
>> have to do.
>>
>> It's a lot easier to change your VPN software if needed
>>
>> VPN software gives you additional tools for authentication of your users (things
>> like hardware tokens for example)
>>
>> In short, I see VPNs as something you are doing anyway, are more flexible,
>> and more trustworthy.
>>
>> David Lang
>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of David Lang
>>> Sent: Saturday, April 06, 2013 12:34 AM
>>> To: Brian Gold
>>> Cc: [email protected]
>>> Subject: Re: [lopsa-tech] Wifi
>>>
>>> On Fri, 5 Apr 2013, Brian Gold wrote:
>>>
>>>> We've been using Cisco WCS controllers and APs here at $employer, but for a
>>>> smaller scale I've been very happy with Ubiquity APs and controllers. I
>>>> would HIGHLY recommend setting up radius authentication if you have
>>>> a centralized ldap system (Active Directory, OpenLDAP, etc).
>>>
>>> I would actually go the opposite direction.
>>>
>>> Your Wifi is an untrusted network that can be sniffed and attacked by anyone in
>>> the area. So don't let it connect directly to your internal network.
>>>
>>> Consider it a guest network, just like a hotel network, and have all your users
>>> connect to your company resources through a VPN, just like they would from home
>>> or a hotel.
>>>
>>> Then you can consider if you want to have the network locked down so that it can
>>> only be used for VPN traffic, or if you really do want it to be a guest network,
>>> able to reach the Internet (for at least some things)
>>>
>>> David Lang
>>
>> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>
> --
> LITTLE GIRL: But which cookie will you eat FIRST?
> COOKIE MONSTER: Me think you have misconception of cookie-eating process.
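The "locked down so that it can only be used for VPN traffic" option David Lang describes, as an added example that is not from the thread: an nftables ruleset for the gateway between the Wi-Fi VLAN and everything else, where Wi-Fi clients may only reach the VPN concentrator (the interface name, address ranges, VPN ports and DHCP/DNS placement are assumptions).

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed names:
#   wlan_guest   - gateway interface facing the Wi-Fi VLAN
#   10.50.0.0/16 - Wi-Fi client range
#   203.0.113.10 - VPN concentrator (IKE/IPsec on 500/4500, OpenVPN 1194, SSL VPN 443)
# The gateway itself serves DHCP and DNS to the Wi-Fi clients.
define wifi_if  = "wlan_guest"
define wifi_net = 10.50.0.0/16
define vpn_gw   = 203.0.113.10
define internal = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet wifi_guest {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to flows the Wi-Fi clients were allowed to start
        ct state established,related accept

        # the only destination this network may reach: the VPN concentrator
        # (listed before the internal-space drop, in case the concentrator
        # sits on an RFC1918 address)
        iifname $wifi_if ip saddr $wifi_net ip daddr $vpn_gw udp dport { 500, 4500, 1194 } accept
        iifname $wifi_if ip saddr $wifi_net ip daddr $vpn_gw tcp dport 443 accept

        # state the intent explicitly: no direct path into internal address space
        iifname $wifi_if ip daddr $internal drop

        # the "real guest network" variant would add web egress here, e.g.
        # iifname $wifi_if ip daddr != $internal tcp dport { 80, 443 } accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Wi-Fi clients only get DHCP and DNS from the gateway, nothing else
        iifname $wifi_if udp dport { 67, 53 } accept
        iifname $wifi_if tcp dport 53 accept

        # the wired side keeps whatever access it already had
        iifname != $wifi_if accept
    }
}
```

With the forward policy at drop, nothing on the wired side can open connections to Wi-Fi clients either; pushing policy or scheduled tasks to them then has to go through the VPN, which is exactly the trade-off the thread is arguing about.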
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
