We are redoing our wireless from scratch here at the college and I'll
share a few of the options that we've considered. Our wireless system
encompasses our entire campus and we want to separate the students from
the faculty. The faculty for the most part use laptops owned by the
college, so we can make some assumptions based on our setup about what kind
of security levels we can use. First off, we have a Windows 2003 Active
Directory setup on our campus, all the computers' times are synced to an
NTP server, and we have a local CA.
Before this, we had one SSID for both students and staff with 802.1x
authentication using their Active Directory credentials. This worked
great as long as we didn't want to get any Vista machines on the
wireless or people who don't have an account (think conferences). The
Vista issue was the biggest reason we're redoing our wireless. The
problem (I'm guessing, we never actually figured it out) was something
to do with the root certificates and our self-signed server certificate
(even though we had "Validate server certificate" unchecked on the clients).
What we are currently planning is to use 802.1x authentication on a
faculty/staff SSID, as we haven't moved to Vista for them officially and
don't have plans to anytime soon. Students, on the other hand, we can't
control what operating system they have, and it's a sad fact of life for
us that most of them will be coming back to campus with Vista. In light
of this we are going to be using a WPA key for the students and a
captive portal to identify them. We haven't decided how long the timeout
for the captive portal authentication will be. We considered WPA2, but we
run into the compatibility problem again, and have decided that WPA
provides a reasonable amount of security.
Our student and staff/faculty SSIDs both route to different VLANs. We use
a Packeteer to limit the bandwidth on the student portion of the network
and let the staff/faculty have unrestricted access to the pipe.
I hope I have given you some ideas and would love to hear some
criticism/concerns about this setup. If there are gaping flaws that I
have missed it sure would be good to know before rolling it out.
Entwistle, Bruce wrote:
I will apologize in advance, as I believe this has been discussed in
the past. During the upcoming summer we will be installing a wireless
network in our residence halls. We are looking at different options
of how we are going to authenticate and secure the network
connections. If you could please share what methods have or have not
worked in addressing the authentication and security issues I would
appreciate it.
Thank you
Bruce Entwistle
Associate Director of Enterprise Services
University of Redlands
********** Participation and subscription information for this
EDUCAUSE Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********
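Editor's note on the student SSID design above (a WPA key shared by every student, with a captive portal on top): this is an added example, not code from either poster. It works through the WPA-PSK key schedule in Python to show what a single shared passphrase does and does not protect. The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), checked here against the IEEE 802.11i test vector ("password"/"IEEE"). The per-session PTK is then derived from the PMK plus the two MAC addresses and two nonces that are sent in the clear in the 4-way handshake, so anyone who holds the shared key and captures a classmate's handshake derives that classmate's unicast keys and can verify the derivation against the captured EAPOL MIC (the same check dictionary attacks on WPA-PSK use). The captive portal identifies the user but contributes no key material. The MAC addresses, nonces and EAPOL-Key body in the simulation are constructed values for the example; the MIC uses HMAC-MD5 as original WPA (key descriptor version 1, TKIP) does.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (512 bits for TKIP): KCK | KEK | TK | MIC keys.

    Every input except the PMK is visible on the air during the 4-way handshake.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_key_body_mic_zeroed: bytes) -> bytes:
    """WPA (TKIP) EAPOL-Key MIC: HMAC-MD5 keyed with the KCK over the frame with the MIC field zeroed."""
    return hmac.new(kck, eapol_key_body_mic_zeroed, hashlib.md5).digest()


def simulate_shared_psk(ssid: str, psk: str, eavesdropper_key: str) -> dict:
    """Constructed handshake between one student's laptop and the AP, observed by a third party.

    Returns whether the observer, holding `eavesdropper_key`, recovers the same PTK and can
    validate the captured message-2 MIC with it.
    """
    aa = bytes.fromhex("001122334455")            # constructed AP (authenticator) MAC
    spa = bytes.fromhex("66778899aabb")           # constructed station (supplicant) MAC
    anonce = hashlib.sha256(b"anonce").digest()   # constructed nonces, deterministic for the example
    snonce = hashlib.sha256(b"snonce").digest()

    # Legitimate parties: both hold the shared passphrase and derive the same PTK.
    pmk = wpa_pmk(psk, ssid)
    ptk_station = wpa_ptk(pmk, aa, spa, anonce, snonce)
    ptk_ap = wpa_ptk(pmk, aa, spa, anonce, snonce)
    assert ptk_station == ptk_ap

    # Constructed EAPOL-Key message 2 body (descriptor type, key info, zeroed MIC, SNonce).
    msg2 = b"\xfe\x01\x09" + b"\x00" * 16 + snonce
    mic_on_air = eapol_mic(ptk_station[:16], msg2)

    # Observer: knows aa, spa, anonce, snonce, msg2 and mic_on_air from the capture,
    # and needs only the passphrase to rebuild the station's keys.
    ptk_eve = wpa_ptk(wpa_pmk(eavesdropper_key, ssid), aa, spa, anonce, snonce)
    mic_eve = eapol_mic(ptk_eve[:16], msg2)

    return {
        "ptk_match": ptk_eve == ptk_station,
        "mic_valid": hmac.compare_digest(mic_eve, mic_on_air),
        "tk_recovered": ptk_eve[32:48] == ptk_station[32:48],  # TKIP temporal key
    }


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    print("same shared key:", simulate_shared_psk("students", "campus-wifi-2008", "campus-wifi-2008"))
    print("wrong key:      ", simulate_shared_psk("students", "campus-wifi-2008", "guess"))
```

The practical reading for the setup above: a student SSID with one WPA key gives confidentiality against outsiders who never learn the key, but not between students, and a key that has to be handed to every student each term will leak. Per-user keys only come from 802.1x (a per-session PMK from the EAP exchange), which is the property the faculty SSID gets and the student SSID does not.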