In an environment where the Wi-Fi clients don't move around much, the Wi-Fi
clients are all VPN-capable devices, and traffic volumes are low, VPNs
may work, but in most organizations, and especially higher-ed, WPA2 with AES
based on RADIUS authentication is the BCP.  Most organizations want
machine-authentication, so that even while the end-user is not logged in
policies can be applied and pushed down, scheduled tasks can run, etc.

Frank

-----Original Message-----
From: David Lang [mailto:da...@lang.hm] 
Sent: Saturday, April 06, 2013 2:56 PM
To: Frank Bulk
Cc: tech@lists.lopsa.org
Subject: RE: [lopsa-tech] Wifi

On Sat, 6 Apr 2013, Frank Bulk wrote:

> Hmm, I want to access my organization's resources over Wi-Fi -- why treat it
> as untrusted?  The security with WPA2 using AES is more than sufficient.

That same statement was made about WEP and WPA. It may be true, it may not be
true (they don't have a good track record here). It may depend on the attacker
never having been able to extract data from a laptop of someone who has been
authorized to use the network (is WPA2 really secure if an attacker has been
able to read keys off of someone's machine?)

Your users need to be using VPN software anyway when working from other
networks, so adding WPA and its management is additional work that you don't
have to do.

It's a lot easier to change your VPN software if needed

VPN software gives you additional tools for authentication of your users (things
like hardware tokens for example)

In short, I see VPNs as something you are doing anyway, are more flexible, 
and more trustworthy.

David Lang

> Frank
>
> -----Original Message-----
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On
> Behalf Of David Lang
> Sent: Saturday, April 06, 2013 12:34 AM
> To: Brian Gold
> Cc: tech@lists.lopsa.org
> Subject: Re: [lopsa-tech] Wifi
>
> On Fri, 5 Apr 2013, Brian Gold wrote:
>
>> We've been using Cisco WCS controllers and APs here at $employer, but for a
>> smaller scale I've been very happy with Ubiquity APs and controllers. I
>> would HIGHLY recommend setting up radius authentication if you have
>> a centralized ldap system (Active Directory, OpenLDAP, etc).
>
> I would actually go the opposite direction.
>
> Your Wifi is an untrusted network that can be sniffed and attacked by anyone in
> the area. So don't let it connect directly to your internal network.
>
> Consider it a guest network, just like a hotel network, and have all your users
> connect to your company resources through a VPN, just like they would from home
> or a hotel.
>
> Then you can consider if you want to have the network locked down so that it can
> only be used for VPN traffic, or if you really do want it to be a guest network,
> able to reach the Internet (for at least some things)
>
> David Lang
>
>


_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/