Kevin and Lee,

We are providing Guest access via a beaconed SSID on our Cisco Aironet
1230s.  When a user connects to that SSID, they are placed into a VLAN
for one of our DMZs and are assigned IP addressing and DNS information
by a Linux Box running a Captive Portal Package (NoCat Auth).  We limit
the DHCP scope to 126 devices as we don't have many guests connecting to
our "guest wireless network".  When users connect they are required to
click-to-accept an AUP before being provided access to the internet.
Their connectivity is valid for a period of 24 hours or 5 minutes of
inactivity (these are adjustable), whichever comes first.  At the point
of expiration, the user is required to re-accept the AUP before
continuing.  All of their information is logged to include assigned IP
address, system name, and MAC-Address.  All of the bandwidth is
rate-shaped to 256Kbps Up/Down via 2 CBQ configuration files (one for
ingress and one for egress).  Since this software is iptables based, we
are also able to limit the type of traffic that is allowed for these
guests.  We allow http, https, pop3, imap, telnet, and SSH.  Everything
else is explicitly denied including SMTP as we don't want to provide the
ability to spam from our network.  This system has no access to our
internal network at all which helps keep our internal systems and
traffic secure in relation to the Guest Network.

We provide "authorized wireless access" through a non-beaconed SSID on
the same access point and a different VLAN.  We also use PEAP on the
"authorized wireless network" which helps keep the two methods of access
further separated.  Yes, I'm aware there are better methods for securing
our "authorized wireless network" but due to the dynamic nature of our
"authorized clients" and political boundaries, we have opted for a path
with minimal resistance. 

As for the CALEA issue, we have spent a fair amount of time discussing
CALEA and its implications internally and with our 2 ISPs and have come
to the conclusion that even though we provide anonymous access, we are
exempt for the following reasons:

1)  Both of our ISPs are CALEA compliant. So, we "piggy-back" off of
their compliance.
2)  There are no CALEA compliant devices available to our organization
at this point in time.

As a side note, the Captive Portal box is also configured to provide
guest access to the wired network which will be of great use as we
convert the campus to support 802.1x for wired connections.  Through
this method, guests have the option to log in using RADIUS credentials
and gain access to the secure certificates and configuration
instructions or connect as a guest using the same method listed above
with the wireless guest access.  We provide a larger DHCP scope for our
wired users (1022) since more people connect to the wired network.
Since RADIUS is clear text and I haven't found a package that supports
TACACS authentication yet, we don't provide this option to wireless
users.

I hope that helps.

J. Bart Casey
Network Engineer
Wofford College 
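
As an added example (not Bart's configuration files and not code from NoCat Auth), this is the static iptables policy the guest paragraph describes: forward only the listed services from the guest VLAN, reject SMTP explicitly, block all internal address space, and log and drop the rest. The interface names, the 192.0.2.0/25 guest subnet (126 hosts, a documentation range) and the RFC1918 list as "internal" are assumptions; NoCat's own per-client rules and the CBQ shaping are outside this block, and by default the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original poster's files or NoCat Auth code:
# static iptables policy for the guest VLAN. Assumed values: guest subnet
# 192.0.2.0/25 (126 hosts), guest interface eth1, uplink eth0, and the
# RFC1918 ranges as "internal". IPT defaults to echo so the rules can be
# reviewed; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
GUEST_IF="${GUEST_IF:-eth1}"
UPLINK_IF="${UPLINK_IF:-eth0}"
GUEST_NET="${GUEST_NET:-192.0.2.0/25}"
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"
# http, https, pop3, imap, telnet, ssh: the services the post allows.
ALLOWED_TCP_PORTS="80 443 110 143 23 22"

guest_fw_rules() {
    # Portal box itself: guests get DHCP, DNS and the AUP page, nothing else.
    $IPT -A INPUT -i "$GUEST_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -p tcp -m multiport --dports 53,80,443 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -j DROP

    $IPT -N GUEST_FWD 2>/dev/null
    $IPT -F GUEST_FWD
    # Guest-originated traffic bound for the uplink goes through GUEST_FWD.
    $IPT -A FORWARD -i "$GUEST_IF" -o "$UPLINK_IF" -s "$GUEST_NET" -j GUEST_FWD
    # Only replies to guest sessions are forwarded back toward the guests.
    $IPT -A FORWARD -i "$UPLINK_IF" -o "$GUEST_IF" -d "$GUEST_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The guest VLAN must never reach internal address space.
    for net in $INTERNAL_NETS; do
        $IPT -A GUEST_FWD -d "$net" -j DROP
    done
    # SMTP is explicitly rejected so guests cannot relay mail from this network.
    $IPT -A GUEST_FWD -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A GUEST_FWD -p tcp --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # Anything else is logged (rate-limited) and dropped.
    $IPT -A GUEST_FWD -m limit --limit 10/min -j LOG --log-prefix "GUEST-DENY: "
    $IPT -A GUEST_FWD -j DROP
}

guest_fw_rules
```

The LOG line gives the per-connection record of denied attempts alongside the IP/MAC logging the portal already keeps.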


-----Original Message-----
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for
guests, and for the non-affiliated folks (anonymous) that might end up
on campus? 

Anybody rethinking any of their sponsored guest/open access policies
because of CALEA concerns?

Regards-



Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> Kevin Lanning <[EMAIL PROTECTED]> 2/26/2007 12:46:48 PM >>>
Wondering what academic institutions are doing these days regarding 
wireless access for guests?
-- 
Kevin Lanning
lanning at unc.edu

**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
