Public Wireless access (ticket / token / schedule based)

What is everyone using for enterprise-grade wireless authentication for
simple public access (i.e. non-employee users who need internet access
(non-PCI) while in your building)? Obviously I will hang this off a DMZ
switch outside of my private LAN. Looking for something vendor driven;
I don't have time for anything home grown or unsupported / community
based.

Thanks,

Bill Lewis

Hot Topic

"Bill Lewis" <blewis@hottopic.com> writes:

> What is everyone using for enterprise-grade wireless authentication for
> simple public access (i.e. non-employee users who need internet access
> (non-PCI) while in your building)? Obviously I will hang this off a DMZ
> switch outside of my private LAN. Looking for something vendor driven;
> I don't have time for anything home grown or unsupported / community
> based.

Assuming that this is for your offices not your retail outlets...

Is there some reason you can't run it wide open without even so much
as a captive-portal-check-the-box thing? All of the commercial boxes
I've seen for doing what you say you want to do have been Deeply
Unsatisfactory in some way (Nomadix is at the top of the list here).

If you lose the authentication altogether and just make sure that
there is a bandwidth lid on per host overall usage plus more
conservative limits for things like the usual torrent ports and of
course blocking certain other ports entirely... you've just
eliminated the administrative overhead of issuing credentials to your
visitors and streamlined your entire process.

Doable?

-r

Yeah, just buy a DSL line from your local telco, plug in a D-Link and
... call it done.

As Robert mentioned, all the current solutions are deeply unsatisfactory and
full of holes. Most of the authentication-based solutions simply whitelist
the user based on their MAC address, which is altogether easy to spoof
(simply clone the MAC of an authenticated user and you are clear for
takeoff)... Why incur the overhead of managing credentials with something
that can be so easily circumvented?

Leaving things wide open on a sandboxed subnet with the usual protections
(rate limits, blocked ports) is, IMO, the easiest approach...

Stefan Fouant
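The sandboxed guest subnet that Robert and Stefan both describe above (a per-host bandwidth lid, the usual torrent ports blocked, no path into the private LAN) written out as an added nftables ruleset. This is an illustrative example, not from any post in this thread or from any vendor product mentioned in it; the interface name, subnet ranges, resolver address and rate threshold are constructed placeholders to be replaced with your DMZ layout.

```nftables
#!/usr/sbin/nft -f
# Added example: open-but-sandboxed guest Wi-Fi on a DMZ switch.
# Every value below is a constructed placeholder, not taken from the thread.

define guest_if  = "vlan10"                                        # assumed: interface facing the guest VLAN
define guest_net = 192.0.2.0/24                                    # constructed: guest subnet
define corp_nets = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }   # constructed: private LAN ranges
define dns_srv   = 192.0.2.1                                       # constructed: DMZ gateway/resolver

table inet guest_wifi {
    # Ports refused outright: outbound SMTP relay abuse and the usual torrent range.
    set blocked_tcp {
        type inet_service
        flags interval
        elements = { 25, 6881-6889 }
    }
    set blocked_udp {
        type inet_service
        flags interval
        elements = { 6881-6889 }
    }

    # Dynamic set used as a per-source-address token bucket for the bandwidth lid.
    set per_host_rate {
        type ipv4_addr
        flags dynamic
        size 65535
        timeout 10m
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections a guest already started.
        ct state established,related accept

        # Guests never reach the private LAN, whatever the routing table allows.
        iifname $guest_if ip daddr $corp_nets drop

        # Blocked ports (per-port rules are checked before the rate lid so they
        # do not consume a host's allowance).
        iifname $guest_if tcp dport @blocked_tcp drop
        iifname $guest_if udp dport @blocked_udp drop

        # Per-host ceiling: a source address pushing more than 5 MB/s has the
        # excess dropped. The set entry is created on first sight of the address.
        iifname $guest_if add @per_host_rate { ip saddr limit rate over 5 mbytes/second } drop

        # Everything else from the guest VLAN goes out to the internet.
        iifname $guest_if ip saddr $guest_net ct state new accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept

        # Guests may talk to this box only for DHCP and DNS.
        iifname $guest_if udp dport { 67, 53 } accept
        iifname $guest_if tcp dport 53 accept

        # Assumption: management and non-guest interfaces are policed by a
        # separate table, so they are passed through here.
        iifname != $guest_if accept
    }
}
```

Load it with `nft -f <file>` on the DMZ router and confirm with `nft list table inet guest_wifi`. Client-to-client isolation within the guest VLAN is normally done on the access point or switch rather than here, and nothing in this ruleset identifies individual users, which is exactly the trade-off Robert and Stefan argue for and the point Jeff raises below about CALEA.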

One concern in higher ed that was amplified by CALEA was the notion that
an "open" network precluded you from the private network exemption. So
"free open unauthenticated WiFi" carries some excess baggage with it.

Jeff

We've had some good success with the Cisco wireless LAN controllers in our office. The reception staff are given "Lobby Admin" access that lets them create users with a default expiry of a day (but can go up to 90 days, I think). The wireless is technically open, but they can't do anything until they authenticate through the controller's web GUI. Then we have access lists to control what they can do while on the wireless.

James,

Just out of curiosity, how does this solution prevent unauthorized users
from gaining access to the system by the aforementioned MAC spoofing
technique?

Stefan Fouant