RE: guest wireless
Yes, we are painfully aware. Most patient care devices do not support dot1x; by the time vendors get their systems certified by the FDA, the technology is almost obsolete . . . scary isn't it?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Saturday, September 20, 2014 6:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Lane,

You realize that WPA2-PSK is designed for the home environment and WEP is so broken that it is not supported in the 802.11n and 802.11ac standards, right? Especially with medical, the secure network should be WPA2-Enterprise (802.1X), not WPA2-Personal (PSK).

We still need to support 802.11b devices too, but turn off the 1 Mbit basic transmit rates to help a little bit.

Bruce Osborne
Network Engineer - Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Reams, Lane [mailto:lane.re...@vanderbilt.edu]
Sent: Friday, September 19, 2014 3:19 PM
Subject: Re: guest wireless

Good question regarding non-dot1x devices. We have two SSIDs we use - one is WPA2/PSK and the other is WEP, both use a MAC registration process so we can collect owner information and control access. Game consoles and student AppleTVs use our open SSID; classroom AppleTVs, infusion pumps, health monitors and other devices that need to be secured but don't support dot1x use the WPA2/PSK or WEP SSID to connect.

Being a university research medical center has many wireless challenges and we support a very wide range of devices from all BYOD to legacy patient care devices. We are also required to support 11b devices in patient care areas :(

Lane Reams | Manager, Network Design Engineering | Information Technology | Vanderbilt University
lane.re...@vanderbilt.edu | phone 615.936.2677 | it.vanderbilt.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kanan E Simpson
Sent: Tuesday, September 16, 2014 11:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Interesting discussion and implementations! We are in the process of reviewing our guest network access as well. These ideas are helpful and will give us options to think about.

In addition to the guest access, many of you mentioned additional SSIDs and auth methods your institution offers. How do you treat those devices that do not support dot1x and/or no browsers for layer3 auth? For example, a game console or smart TV for students that are living on campus or guests on university business.

Kanan Simpson

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Tuesday, September 16, 2014 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We consider not having to deal with CALEA / DMCA on our guest network worth the cost.

Note: we provide attwifi free-to-guest which means no one has to pay to use it.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Lee H Badman [lhbad...@syr.edu]
Sent: Friday, September 12, 2014 11:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Neil-

You're saying ATT charges you for this? Do you charge them back for the Wi-Fi offload?

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 12, 2014 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We contracted with ATT to handle guests and visitors. We advertise their SSID (attwifi) on our wireless infrastructure and then hand the traffic off to them via boxes called Network Management Devices (NMD) that they provide. They tunnel the traffic to their cloud via our Internet connection. They take care of the CALEA and DMCA issues.

They benefit by offloading their cell customers' data traffic onto our Wifi infrastructure, so the monthly cost for us was very reasonable.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
RE: guest wireless
Lane,

You realize that WPA2-PSK is designed for the home environment and WEP is so broken that it is not supported in the 802.11n and 802.11ac standards, right? Especially with medical, the secure network should be WPA2-Enterprise (802.1X), not WPA2-Personal (PSK).

We still need to support 802.11b devices too, but turn off the 1 Mbit basic transmit rates to help a little bit.

Bruce Osborne
Network Engineer - Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Reams, Lane [mailto:lane.re...@vanderbilt.edu]
Sent: Friday, September 19, 2014 3:19 PM
Subject: Re: guest wireless

Good question regarding non-dot1x devices. We have two SSIDs we use - one is WPA2/PSK and the other is WEP, both use a MAC registration process so we can collect owner information and control access. Game consoles and student AppleTVs use our open SSID; classroom AppleTVs, infusion pumps, health monitors and other devices that need to be secured but don't support dot1x use the WPA2/PSK or WEP SSID to connect.

Being a university research medical center has many wireless challenges and we support a very wide range of devices from all BYOD to legacy patient care devices. We are also required to support 11b devices in patient care areas :(

Lane Reams | Manager, Network Design Engineering | Information Technology | Vanderbilt University
lane.re...@vanderbilt.edu | phone 615.936.2677 | it.vanderbilt.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kanan E Simpson
Sent: Tuesday, September 16, 2014 11:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Interesting discussion and implementations! We are in the process of reviewing our guest network access as well. These ideas are helpful and will give us options to think about.

In addition to the guest access, many of you mentioned additional SSIDs and auth methods your institution offers. How do you treat those devices that do not support dot1x and/or no browsers for layer3 auth? For example, a game console or smart TV for students that are living on campus or guests on university business.

Kanan Simpson

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Tuesday, September 16, 2014 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We consider not having to deal with CALEA / DMCA on our guest network worth the cost.

Note: we provide attwifi free-to-guest which means no one has to pay to use it.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Lee H Badman [lhbad...@syr.edu]
Sent: Friday, September 12, 2014 11:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Neil-

You're saying ATT charges you for this? Do you charge them back for the Wi-Fi offload?

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 12, 2014 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We contracted with ATT to handle guests and visitors. We advertise their SSID (attwifi) on our wireless infrastructure and then hand the traffic off to them via boxes called Network Management Devices (NMD) that they provide. They tunnel the traffic to their cloud via our Internet connection. They take care of the CALEA and DMCA issues.

They benefit by offloading their cell customers' data traffic onto our Wifi infrastructure, so the monthly cost for us was very reasonable.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel [jcoeho...@york.edu]
Sent: Friday, September 12, 2014 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

I will admit to having a completely open guest network. We don't even require a terms of service click-through, and it's not encrypted. We do have some strict throttling for file sharing/p2p traffic, and I have some decent auditing capabilities, so I can track
RE: guest wireless
Kanan,

This is sort of off-topic, but we have an open SSID that is used for 802.1X onboarding and for registered (mac auth) devices that cannot do 802.1X. We block some of our internal sites (www, blackboard) to encourage use of the 802.1X network. Non-802.1X devices do not need that internal access anyway.

We use a custom portal using DNS ACLs to restrict access. On our wireless network we destination-NAT all DNS to these servers in case somebody has statically set DNS servers.

Bruce Osborne
Network Engineer - Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Kanan E Simpson [mailto:kesim...@valdosta.edu]
Sent: Tuesday, September 16, 2014 12:17 PM
Subject: Re: guest wireless

Interesting discussion and implementations! We are in the process of reviewing our guest network access as well. These ideas are helpful and will give us options to think about.

In addition to the guest access, many of you mentioned additional SSIDs and auth methods your institution offers. How do you treat those devices that do not support dot1x and/or no browsers for layer3 auth? For example, a game console or smart TV for students that are living on campus or guests on university business.

Kanan Simpson

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Tuesday, September 16, 2014 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We consider not having to deal with CALEA / DMCA on our guest network worth the cost.

Note: we provide attwifi free-to-guest which means no one has to pay to use it.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Lee H Badman [lhbad...@syr.edu]
Sent: Friday, September 12, 2014 11:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Neil-

You're saying ATT charges you for this? Do you charge them back for the Wi-Fi offload?

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 12, 2014 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We contracted with ATT to handle guests and visitors. We advertise their SSID (attwifi) on our wireless infrastructure and then hand the traffic off to them via boxes called Network Management Devices (NMD) that they provide. They tunnel the traffic to their cloud via our Internet connection. They take care of the CALEA and DMCA issues.

They benefit by offloading their cell customers' data traffic onto our Wifi infrastructure, so the monthly cost for us was very reasonable.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel [jcoeho...@york.edu]
Sent: Friday, September 12, 2014 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

I will admit to having a completely open guest network. We don't even require a terms of service click-through, and it's not encrypted. We do have some strict throttling for file sharing/p2p traffic, and I have some decent auditing capabilities, so I can track down violations and restrict them later if needed, but that's about it. We do the same throttling and auditing on the regular network.

Our Admissions and Advancement offices *love* this: a candidate or guest comes on campus, and their device just works: never any 802.1x issues, never a problem with sponsorships or authentication.

We're in a residential neighborhood, but I've learned not to worry about neighbors using our wifi: it's really a drop in the bucket. No one uses bandwidth like a college student uses bandwidth, and as I'm one of those who live just across the street, I can testify that leeching wifi from the college is a horrible personal wifi experience (also: before I came here I had an hour-long commute, and I can say that walking across the street to get to your office is *awesome*).

We do strongly encourage students/staff/faculty to use the encrypted option, and the vast majority do on their laptops now, and some on their phones, but students love the open network for things like smart TVs, blu-ray players, etc. They feel this makes our network *better
RE: guest wireless
Thanks for the feedback. Sorry for taking the conversation off topic. I may start a new topic.

Thanks again!

Kanan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Wednesday, September 17, 2014 7:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Kanan,

This is sort of off-topic, but we have an open SSID that is used for 802.1X onboarding and for registered (mac auth) devices that cannot do 802.1X. We block some of our internal sites (www, blackboard) to encourage use of the 802.1X network. Non-802.1X devices do not need that internal access anyway.

We use a custom portal using DNS ACLs to restrict access. On our wireless network we destination-NAT all DNS to these servers in case somebody has statically set DNS servers.

Bruce Osborne
Network Engineer - Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Kanan E Simpson [mailto:kesim...@valdosta.edu]
Sent: Tuesday, September 16, 2014 12:17 PM
Subject: Re: guest wireless

Interesting discussion and implementations! We are in the process of reviewing our guest network access as well. These ideas are helpful and will give us options to think about.

In addition to the guest access, many of you mentioned additional SSIDs and auth methods your institution offers. How do you treat those devices that do not support dot1x and/or no browsers for layer3 auth? For example, a game console or smart TV for students that are living on campus or guests on university business.

Kanan Simpson

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Tuesday, September 16, 2014 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We consider not having to deal with CALEA / DMCA on our guest network worth the cost.

Note: we provide attwifi free-to-guest which means no one has to pay to use it.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Lee H Badman [lhbad...@syr.edu]
Sent: Friday, September 12, 2014 11:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Neil-

You're saying ATT charges you for this? Do you charge them back for the Wi-Fi offload?

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Friday, September 12, 2014 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

We contracted with ATT to handle guests and visitors. We advertise their SSID (attwifi) on our wireless infrastructure and then hand the traffic off to them via boxes called Network Management Devices (NMD) that they provide. They tunnel the traffic to their cloud via our Internet connection. They take care of the CALEA and DMCA issues.

They benefit by offloading their cell customers' data traffic onto our Wifi infrastructure, so the monthly cost for us was very reasonable.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
email: neil-john...@uiowa.edu
Phone: 319 394-0938

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Coehoorn, Joel [jcoeho...@york.edu]
Sent: Friday, September 12, 2014 9:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

I will admit to having a completely open guest network. We don't even require a terms of service click-through, and it's not encrypted. We do have some strict throttling for file sharing/p2p traffic, and I have some decent auditing capabilities, so I can track down violations and restrict them later if needed, but that's about it. We do the same throttling and auditing on the regular network.

Our Admissions and Advancement offices *love* this: a candidate or guest comes on campus, and their device just works: never any 802.1x issues, never a problem with sponsorships or authentication.

We're in a residential neighborhood, but I've learned not to worry about neighbors using our wifi: it's really a drop in the bucket. No one uses bandwidth like a college student uses bandwidth, and as I'm one of those who live just across the street, I can testify that leeching wifi from the college is a horrible personal wifi experience (also: before
RE: guest wireless
Dennis,

Do you use uog-wifi to provision client devices? If not, how do they get configured for uog-wifi-secure?

We use CloudPath XpressConnect Wizard on an open SSID to provision clients for WPA2-Enterprise.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-----Original Message-----
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Tuesday, September 9, 2014 3:46 PM
Subject: Re: guest wireless

We have three SSIDs:

uog-wifi-secure: WPA2/Enterprise. No restrictions after authenticated.
uog-wifi: web auth. A single portal for both uog users and guests. We use Cisco NAC guest servers to manage sponsors and guest accounts. No restrictions for uog users and http/https only for guests.
eduroam: WPA2/Enterprise. Only certain ports are opened (such as http/https, VPN, secure email ports, etc).

Our goal is to make uog-wifi guest only by end of this year.

---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

-----Original Message-----
From: Bradley Williams bwil...@clemson.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, September 9, 2014 12:05:27 PM
Subject: Re: [WIRELESS-LAN] guest wireless

We have a webauth SSID that redirects to a server that can do self-provisioning and authentication of guest accounts (as long as they provide a phone number or email account to have it sent to). That provides them with internet access (no internal network access) and keeps us CALEA compliant.

Bradley Williams
Network Services
Clemson Computing and Information Technology

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Reboli
Sent: Tuesday, September 09, 2014 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] guest wireless

I am looking for information on what people do with guest wireless.

Do you have open wireless on your campus?
Do you have a password that everyone knows?
Do you create special passwords for groups?

Any assistance would be helpful.

Thank you

m

Mark Reboli
Network/Telcom Manager
Misericordia University
(570) 674-6753

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: guest wireless
We have a webauth SSID that redirects to a server that can do self-provisioning and authentication of guest accounts (as long as they provide a phone number or email account to have it sent to). That provides them with internet access (no internal network access) and keeps us CALEA compliant.

Bradley Williams
Network Services
Clemson Computing and Information Technology

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Reboli
Sent: Tuesday, September 09, 2014 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] guest wireless

I am looking for information on what people do with guest wireless.

Do you have open wireless on your campus?
Do you have a password that everyone knows?
Do you create special passwords for groups?

Any assistance would be helpful.

Thank you

m

Mark Reboli
Network/Telcom Manager
Misericordia University
(570) 674-6753
Re: Guest Wireless Questions
http://www.zcorum.com/caleafaq.php
http://www.askcalea.com/calea/103.html

Here's a couple of helpful links on CALEA.

Devin

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com

Sorry it is the Communications Assistance for Law Enforcement Act.

tn

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Peter P Morrissey
Sent: Friday, July 02, 2010 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Questions

The CA in CALEA stands for “Computer Access.” We interpret that to mean providing a way for them to tap into our network to access any network traffic. Our understanding is that if you do your best to provide that and cooperate, it isn’t a big deal. We also track IP to user mappings for lots of reasons, that we could certainly make available under the correct legal proceedings.

Peter Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Trent Fierro
Sent: Friday, July 02, 2010 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Questions

Out of curiosity regarding CALEA, do you need to provide law enforcement with a way to view where a user goes on your network while using wireless? Or do you just need to provide login details? I know that for telephony that you need to provide a way to tap a line, etc. but haven’t paid much attention to CALEA requirements recently.

Trent

Trent Fierro
Dir of Marketing
408.748.0902 x116
www.avendasys.com
http://twitter.com/Avenda_Systems
Security without Boundaries

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Eklund
Sent: Friday, July 02, 2010 6:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Questions

We provide free guest access, but not open access. Guests must be vouched for by a faculty or staff member and that person takes responsibility for the actions of the guest while they use the network. We have a simple online process that the faculty or staff member uses to create a temporary ID and password for their guest. They can create as many IDs as they need and the ID can be requested to have a lifetime up to 1 week. After that time the ID is deleted.

--
Daniel Eklund
Director, Networking
Wayne State University
313-577-5558

- Tom Neiss tne...@uamail.albany.edu wrote:

Are you providing free guest wireless access on your campus?
How are you dealing with CALEA if you are?
Do you use your edu address?

Thanks,

Thomas R. Neiss
Director of ITS Telecommunications
University at Albany
1400 Washington Ave
Albany, NY 1
(518) 437-3803
RE: Guest Wireless Questions
Hi Tom,

We just installed a Bluesocket portal appliance and we are very happy with it. We worked with them to develop a feature that texts a password to a cell phone number. What this does is give us a way to be hospitable to guests who show up for short periods of time, and yet provides us with something fairly reliable for tracking purposes should we ever need it.

We limit the access to five days per month which covers a one week conference. Anyone with a NetID can also set up a sponsored account. We can also assign a temporary NetID to guests which would allow them to use our 1x network. The five day limit also provides some disincentive for University staff/students/faculty to be on that service.

There is also a way to login to the portal via a NetID, mostly for mobile devices that don't support 1x. We are working with them to limit that to only mobile devices so we can restrict it further.

We have gotten a lot of good feedback about the service since we started phasing it in earlier this summer.

Pete Morrissey
Director of Networking
Syracuse University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Neiss, Tom
Sent: Friday, July 02, 2010 8:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest Wireless Questions

Are you providing free guest wireless access on your campus?
How are you dealing with CALEA if you are?
Do you use your edu address?

Thanks,

Thomas R. Neiss
Director of ITS Telecommunications
University at Albany
1400 Washington Ave
Albany, NY 1
(518) 437-3803
RE: Guest Wireless Questions
Hi Tom,

We have an open unauthenticated SSID called ubcvisitor. Upon connecting, the guest is presented with a captive portal which displays our AUP and services they can access. The user must then enter an email address at the bottom of the disclaimer and hit accept in order to start their session.

Outbound from the network we block all ports except for those used by these services: http, https, pops, imaps, smtps, pptp, l2tp, IPsec, ssh and ntp. On the wireless controllers this SSID is set to the lowest traffic priority setting (Bronze in Cisco WLC land).

We use publicly routable, commercial IP space. This makes it easier on us when it comes to logging and tracing. This also prohibits access to many services only available from our academic IP space which makes its use a deterrent to students, staff and faculty.

We initially only intended to keep this network on for the 2010 Winter Olympics but due to popular demand we have turned it into a permanent fixture here at UBC.

Geoff Armstrong
Network Support Analyst
Network Management Centre
University of British Columbia - Information Technology
(604) 822-1305
UBC Wireless

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Neiss, Tom
Sent: Friday, July 02, 2010 5:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest Wireless Questions

Are you providing free guest wireless access on your campus?
How are you dealing with CALEA if you are?
Do you use your edu address?

Thanks,

Thomas R. Neiss
Director of ITS Telecommunications
University at Albany
1400 Washington Ave
Albany, NY 1
(518) 437-3803
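An added example, not code from the thread or from any institution named in it: it expands the outbound service list in the post above into protocol/port rules and renders them as an nftables ruleset, together with the DNS destination-NAT that Bruce Osborne describes earlier on the page. The guest subnet, resolver address, port mappings and the choice of nftables are assumptions.

```python
from ipaddress import ip_address, ip_network

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51  # IANA IP protocol numbers

# Service names as listed in the post -> (ip_proto, dest_port).
# A port of None means the protocol has no ports and must be matched on the
# IP protocol field: PPTP carries its data in GRE, IPsec in ESP/AH.
SERVICES = {
    "http": [(TCP, 80)],
    "https": [(TCP, 443)],
    "pops": [(TCP, 995)],
    "imaps": [(TCP, 993)],
    "smtps": [(TCP, 465)],
    "pptp": [(TCP, 1723), (GRE, None)],
    "l2tp": [(UDP, 1701)],
    "ipsec": [(UDP, 500), (UDP, 4500), (ESP, None), (AH, None)],
    "ssh": [(TCP, 22)],
    "ntp": [(UDP, 123)],
}

# Constructed values (assumptions, not from the thread): documentation ranges.
GUEST_NET = "198.51.100.0/24"
RESOLVER = "192.0.2.53"


def build_allowlist(names=None):
    """Return ({TCP: ports, UDP: ports}, port-less protocols) for the services."""
    ports, protos = {TCP: set(), UDP: set()}, set()
    for name in (SERVICES if names is None else names):
        for proto, port in SERVICES[name]:
            if port is None:
                protos.add(proto)
            else:
                ports[proto].add(port)
    return ports, protos


def rewrite_dns(dst, proto, dport):
    """Model the prerouting DNAT: every DNS query goes to our resolver, even
    when the client has a statically configured DNS server."""
    return RESOLVER if proto in (TCP, UDP) and dport == 53 else dst


def is_allowed(src, dst, proto, dport=None):
    """Forward-chain verdict for a new guest flow; dst is the post-DNAT address."""
    if ip_address(src) not in ip_network(GUEST_NET):
        raise ValueError("policy only covers the guest subnet")
    if proto in (TCP, UDP) and dport == 53:
        return dst == RESOLVER  # DNS is accepted only towards our own resolver
    ports, protos = build_allowlist()
    if proto in (TCP, UDP):
        return dport in ports[proto]
    return proto in protos


def _set(values):
    """Format numbers as an nftables anonymous set."""
    return "{ " + ", ".join(str(v) for v in sorted(values)) + " }"


def render_nft():
    """Render the policy as nftables ruleset text (input for `nft -f`)."""
    ports, protos = build_allowlist()
    g = f"ip saddr {GUEST_NET}"
    lines = [
        "table ip guest {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        f"    {g} udp dport 53 dnat to {RESOLVER}",
        f"    {g} tcp dport 53 dnat to {RESOLVER}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority filter; policy accept;",
        "    ct state established,related accept",
        f"    {g} ip daddr {RESOLVER} udp dport 53 accept",
        f"    {g} ip daddr {RESOLVER} tcp dport 53 accept",
        f"    {g} tcp dport {_set(ports[TCP])} accept",
        f"    {g} udp dport {_set(ports[UDP])} accept",
        f"    {g} ip protocol {_set(protos)} accept",
        f"    {g} counter drop",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft())
```

The service list in the post has no DNS entry, so the sketch treats name resolution as a separate rule pair; a port-only allowlist would also silently break PPTP and native IPsec, which is why GRE, ESP and AH appear as protocol matches.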
RE: Guest Wireless Questions
Gordon College Answers

We are in the middle (POC) of using Captive Portal. It's the same idea used in hotels. Credentials will be available via our excellent Support Staff and Aux. Services. In other words, you must come to us if you need to use our guest network.

The SSID only allows forward facing traffic and never touches our internal net.

We have a CALEA identifier/logger on our NetEQ box.

Russ Leathe
Gordon College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Neiss, Tom
Sent: Friday, July 02, 2010 8:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest Wireless Questions

Are you providing free guest wireless access on your campus?
How are you dealing with CALEA if you are?
Do you use your edu address?

Thanks,

Thomas R. Neiss
Director of ITS Telecommunications
University at Albany
1400 Washington Ave
Albany, NY 1
(518) 437-3803
Re: Guest Wireless Access
I am out of the office until July 20. If you have a question or a technology issue please send a message to t...@newhampton.org or dial x3454. Thanks! Eric LaCroix, Director of Technology