Duh, that's right, 802.11x and 802.1x; I wasn't remembering them.
David Lang
On Sat, 6 Apr 2013, Frank Bulk wrote:
Because the Wi-Fi authentication happens *before* the IP address is handed out.
Frank
-----Original Message-----
From: David Lang [mailto:da...@lang.hm]
Sent: Saturday, April 06, 2013 7:37 PM
To: Frank Bulk
Cc: LOPSA Tech; Matt Simmons
Subject: RE: [lopsa-tech] Wifi
On Sat, 6 Apr 2013, Frank Bulk wrote:
<snip>
And what hasn't been mentioned is that in some environments certain classes or groups of people or devices are kept on separate L3 boundaries even though they're using the same SSID.

That can be done on the DHCP server, can't it? With it issuing different IP ranges depending on the device type or known MAC addresses (associating MAC addresses with individuals).

I don't understand how you would group _people_ on different L3 boundaries; by the time you can get to the point where you can authenticate someone, they are already connected with an IP address.

I'd invite you to read the archives of EDUCAUSE's WIRELESS-LAN listserv to get a flavor of their challenges.

Thanks, I'll look around there.

David Lang
Frank
-----Original Message-----
From: David Lang [mailto:da...@lang.hm]
Sent: Saturday, April 06, 2013 7:07 PM
To: Matt Simmons
Cc: Frank Bulk; LOPSA Tech
Subject: Re: [lopsa-tech] Wifi
You would need to be rather large to need to cross L3 boundaries.

I advocate putting the APs on a separate network from your other traffic, and having the APs act as bridges. That way users can move from AP to AP and there's no need to tunnel traffic anywhere; once it gets on the wired network you are good.

Yes, at some scale this won't work, but how big an area do you need to have before this breaks?

David Lang
On Sat, 6 Apr 2013, Matt Simmons wrote:
The problem comes when they cross L3 boundaries. Enterprise wireless infrastructures (or campus-wide installations) do tunneling of the device's traffic back to the original AP they authenticated to, all with seamless handoff.

--Matt
On Sat, Apr 6, 2013 at 7:50 PM, David Lang <da...@lang.hm> wrote:
Why does the movement of users matter much? Users can roam between different APs with the same SSID with a VPN just fine.

Also, why do you say 'low traffic volumes'? If you are encrypting the data, it's going to cost to encrypt it even if you do it at the wifi level instead of the VPN level.

You can configure VPNs so that they are connected all the time as well, but any plan to push things down or run scheduled tasks from a central point to portable devices needs to deal with the idea that the devices may not have connectivity (they may not even be turned on).

Always-connected and authenticated don't work well together, so how do you have Radius authenticated Wifi and still have systems connected without the user being logged in?

David Lang
On Sat, 6 Apr 2013, Frank Bulk wrote:
In an environment where the Wi-Fi clients don't move around much, the Wi-Fi clients are all VPN-capable devices, and traffic volumes are low, VPNs may work, but in most organizations, and especially higher-ed, WPA2 with AES based on RADIUS authentication is the BCP. Most organizations want machine-authentication, so that even while the end-user is not logged in, policies can be applied and pushed down, scheduled tasks can run, etc.

Frank
-----Original Message-----
From: David Lang [mailto:da...@lang.hm]
Sent: Saturday, April 06, 2013 2:56 PM
To: Frank Bulk
Cc: tech@lists.lopsa.org
Subject: RE: [lopsa-tech] Wifi
On Sat, 6 Apr 2013, Frank Bulk wrote:
Hmm, I want to access my organization's resources over Wi-Fi -- why treat it as untrusted? The security with WPA2 using AES is more than sufficient.

That same statement was made about WEP and WPA. It may be true, it may not be true (they don't have a good track record here). It may depend on the attacker never having been able to extract data from a laptop of someone who has been authorized to use the network (is WPA2 really secure if an attacker has been able to read keys off of someone's machine?)

Your users need to be using VPN software anyway when working from other networks, so adding WPA and its management is additional work that you don't have to do.

It's a lot easier to change your VPN software if needed.

VPN software gives you additional tools for authentication of your users (things like hardware tokens for example).

In short, I see VPNs as something you are doing anyway, are more flexible, and more trustworthy.

David Lang
Frank
-----Original Message-----
From: tech-boun...@lists.lopsa.org [mailto:tech-bounces@lists.lopsa.org] On Behalf Of David Lang
Sent: Saturday, April 06, 2013 12:34 AM
To: Brian Gold
Cc: tech@lists.lopsa.org
Subject: Re: [lopsa-tech] Wifi
On Fri, 5 Apr 2013, Brian Gold wrote:
We've been using Cisco WCS controllers and APs here at $employer, but for a smaller scale I've been very happy with Ubiquiti APs and controllers. I would HIGHLY recommend setting up radius authentication if you have a centralized ldap system (Active Directory, OpenLDAP, etc).

I would actually go the opposite direction.

Your Wifi is an untrusted network that can be sniffed and attacked by anyone in the area. So don't let it connect directly to your internal network. Consider it a guest network, just like a hotel network, and have all your users connect to your company resources through a VPN, just like they would from home or a hotel.

Then you can consider if you want to have the network locked down so that it can only be used for VPN traffic, or if you really do want it to be a guest network, able to reach the Internet (for at least some things).

David Lang
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
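The point Frank makes near the top of the thread, that 802.1X authentication completes before the client ever gets an IP address, is what lets a RADIUS server put people (not MAC addresses) on different L3 segments behind one SSID. The FreeRADIUS `users` fragment below is an added example, not from this thread or from any list member; the group names, VLAN IDs, and the ldap module's `Ldap-Group` check item are assumptions.

```text
# Added example (not from the thread): FreeRADIUS "users" file fragment for
# dynamic VLAN assignment per RFC 3580. Group names, VLAN IDs and the use of
# the ldap module's Ldap-Group check item are assumptions.
#
# Flow: client associates -> 802.1X/EAP exchange with RADIUS -> the
# Access-Accept carries the Tunnel-* attributes -> the AP/controller places
# the client on that VLAN -> only then does the client DHCP on that VLAN's
# L3 segment. The DHCP server never needs to know who the person is.
#
# The files module stops at the first matching entry unless Fall-Through is
# set, so the final DEFAULT only applies when no group matched.

# Staff land on VLAN 20
DEFAULT Ldap-Group == "staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Students land on VLAN 30, same SSID
DEFAULT Ldap-Group == "students"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Authenticated but in no known group: a restricted VLAN rather than the
# default/native VLAN of the AP port
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"
```

The check a practitioner wants after deploying this is on the AP or controller side: if it is not configured to honor RADIUS-assigned VLANs, it silently ignores the Tunnel-* attributes and every authenticated client lands on the SSID's default VLAN, so verify with a test account from each group that the client actually receives a lease from the expected range.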