If someone spends $50K on a system that has 12 access points then they're
either piloting a small centralized configuration that's ready to scale to
large numbers or just foolish.  

Yes, you can build a VPN environment for Wi-Fi that scales to hundreds of
Mbps, but your approach diverges from 99% of enterprise-grade Wi-Fi
networks.

You're right, machine authentication doesn't mean anything if the device is
powered off, but if it's left on while in the range of enterprise APs, at
least all the managed things like policy and software updates, etc. can take
place.

Frank

-----Original Message-----
From: David Lang [mailto:da...@lang.hm] 
Sent: Saturday, April 06, 2013 7:22 PM
To: Frank Bulk
Cc: tech@lists.lopsa.org
Subject: RE: [lopsa-tech] Wifi

On Sat, 6 Apr 2013, Frank Bulk wrote:

> If you're using consumer APs then you're not going to have smooth handoffs
> to APs, so user sessions will be interrupted as the client dis-associates
> to the old AP, associates to the new, acquires an IP address, and then
> re-establishes the VPN.  That's not smooth.

Ahh, but if they keep the same SSID, and the APs are bridged with DHCP being
handled at some central server (not on the individual APs), then moving from
one AP to another is just dis-associating and associating to the new one. No need
to change IP addresses, no need to re-establish the VPN.

It may be

> In regards to volumes, there are many larger deployments that are moving
> several hundred megabits per second -- how much do you really want to pay
> for a redundantly-configured VPN with that kind of traffic load?

Well, it depends on what VPN you choose to use. With some VPNs you can either
use commodity servers as the endpoints, or put in encryption cards that can do
this reasonably cheaply.

On the same basis, how much are you willing to spend on your wireless system to
avoid having a high capacity VPN system? :-) Having seen a company spend $50K on
a system of about a dozen APs in one building (before it got scrapped to go with
an even more expensive system) when I would be comfortable spending around $5K
to provide service to the same building, the amount of money here is fairly
significant.

My expectation is that anyone who is doing things on that scale probably has
large pipes to the Internet and needs a high capacity VPN setup to support the
users when they are remote outside the campus.

> Google "Wi-Fi machine authentication" to see some articles that talk about
> how devices joined to the domain can be on the wireless network without
> having the end-user logged in.

Thanks for the pointer. You still have the problem that the machines may be
powered off, or otherwise unreachable, so I somewhat question the value of this
in practice.

By the way, most of the links I'm finding on the first few pages of Google seem
to be for people who want _only_ machine authentication for network traffic.

David Lang

> Frank
>
> -----Original Message-----
> From: David Lang [mailto:da...@lang.hm]
> Sent: Saturday, April 06, 2013 6:51 PM
> To: Frank Bulk
> Cc: tech@lists.lopsa.org
> Subject: RE: [lopsa-tech] Wifi
>
> Why does the movement of users matter much? Users can roam between different
> APs with the same SSID with a VPN just fine.
>
> Also, why do you say 'low traffic volumes'? If you are encrypting the data,
> it's going to cost to encrypt it even if you do it at the wifi level instead of
> the VPN level.
>
> You can configure VPNs so that they are connected all the time as well, but
> any plan to push things down or run scheduled tasks from a central point to
> portable devices needs to deal with the idea that the devices may not have
> connectivity (they may not even be turned on).
>
> Always-connected and authenticated don't work well together, so how do you
> have Radius authenticated Wifi and still have systems connected without the
> user being logged in?
>
> David Lang
>
> On Sat, 6 Apr 2013, Frank Bulk wrote:
>
>>
>> In an environment where the Wi-Fi clients don't move around much, the Wi-Fi
>> clients are all VPN-capable devices, and traffic volumes are low, VPNs
>> may work, but in most organizations, and especially higher-ed, WPA2 with AES
>> based on RADIUS authentication is the BCP.  Most organizations want
>> machine-authentication, so that even while the end-user is not logged in
>> policies can be applied and pushed down, scheduled tasks can run, etc.
>>
>> Frank
>>
>> -----Original Message-----
>> From: David Lang [mailto:da...@lang.hm]
>> Sent: Saturday, April 06, 2013 2:56 PM
>> To: Frank Bulk
>> Cc: tech@lists.lopsa.org
>> Subject: RE: [lopsa-tech] Wifi
>>
>> On Sat, 6 Apr 2013, Frank Bulk wrote:
>>
>>> Hmm, I want to access my organization's resources over Wi-Fi -- why treat
>>> it as untrusted?  The security with WPA2 using AES is more than sufficient.
>>
>> That same statement was made about WEP and WPA. It may be true, it may not
>> be true (they don't have a good track record here). It may depend on the
>> attacker never having been able to extract data from a laptop of someone who
>> has been authorized to use the network (is WPA2 really secure if an attacker
>> has been able to read keys off of someone's machine?)
>>
>> Your users need to be using VPN software anyway when working from other
>> networks, so adding WPA and its management is additional work that you
>> don't have to do.
>>
>> It's a lot easier to change your VPN software if needed.
>>
>> VPN software gives you additional tools for authentication of your users
>> (things like hardware tokens for example).
>>
>> In short, I see VPNs as something you are doing anyway, are more flexible,
>> and more trustworthy.
>>
>> David Lang
>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
>>> On Behalf Of David Lang
>>> Sent: Saturday, April 06, 2013 12:34 AM
>>> To: Brian Gold
>>> Cc: tech@lists.lopsa.org
>>> Subject: Re: [lopsa-tech] Wifi
>>>
>>> On Fri, 5 Apr 2013, Brian Gold wrote:
>>>
>>>> We've been using Cisco WCS controllers and APs here at $employer, but for
>>>> a smaller scale I've been very happy with Ubiquiti APs and controllers. I
>>>> would HIGHLY recommend setting up radius authentication if you have
>>>> a centralized ldap system (Active Directory, OpenLDAP, etc).
>>>
>>> I would actually go the opposite direction.
>>>
>>> Your Wifi is an untrusted network that can be sniffed and attacked by
>>> anyone in the area. So don't let it connect directly to your internal
>>> network.
>>>
>>> Consider it a guest network, just like a hotel network, and have all your
>>> users connect to your company resources through a VPN, just like they would
>>> from home or a hotel.
>>>
>>> Then you can consider if you want to have the network locked down so that
>>> it can only be used for VPN traffic, or if you really do want it to be a
>>> guest network, able to reach the Internet (for at least some things).
>>>
>>> David Lang
>>>


_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/