Jacob,


I echo many of the concerns already expressed. For security, you really need to 
move to WPA2-Enterprise (802.1X). Many schools either have an open SSID or a 
WPA2-Personal (PSK) SSID for devices that cannot handle WPA2-Enterprise.

Here at Liberty University we use an open SSID for devices that cannot do 
802.1X and to configure devices so they can be moved to the 802.1X network. I 
know you wanted this to be vendor-neutral, but Cloudpath XpressConnect is an 
excellent product for configuring 802.1X on devices.



Here is some 802.11 Wi-Fi history as I remember from a particular vendor's 
Wi-Fi class with additions for 802.11n.



1. Wi-Fi 802.11b was originally released with WEP encryption that was soon 
exposed as inadequate & broken.

2. IEEE started work on a more secure standard that would be called WPA.

3. As people waited for the new standard, Wi-Fi sales plummeted due to security 
concerns. It also became evident that this new standard would use AES 
encryption and would not work on the current Wi-Fi hardware because they did 
not have the AES encryption/decryption engine needed.

4. The Wi-Fi Alliance released WPA/TKIP, an interim standard that was more 
secure than WEP and would work on the existing hardware. This was designed to 
improve the Wi-Fi sales figures.

5. When IEEE released their standard, it was renamed WPA2 and included TKIP 
only to provide a smooth migration path from the older WPA/TKIP SSIDs.

6. When the 802.11n standard was first released, the Wi-Fi Alliance specified 
only WPA2-AES and not TKIP. They said they would refuse to certify equipment 
that allowed the less secure TKIP.

7. The Wi-Fi Alliance later added TKIP due to customer demand, but they have 
been clear that it is deprecated.



I do not know about spaces in SSIDs because none of ours have used spaces. You 
really need to move toward AES encryption, at a minimum. Perhaps supporting 
both AES and TKIP is loading the wireless infrastructure and causing client 
confusion. I know from my own testing that an older PS3, for example, insists 
on using TKIP if both TKIP and AES are enabled.



We made the move to 802.1X this past summer and the increased insight into who 
is connecting and the authorization capabilities to limit access where 
appropriate are very valuable. In a sense, the added security is just an 
additional bonus.




Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

________________________________
From: Barros, Jacob [jkbar...@grace.edu]
Sent: Thursday, January 24, 2013 12:43 PM
Subject: need help to substantiate an SSID recommendation

I feel silly asking this question but value your opinions.  We recently had 
some authentication errors that caused me to open a support case.  The engineer 
I was working with alluded to the fact that having a space in my SSID name could 
be contributing to the problem though not the root.  He also inferred that 
using TKIP instead of AES would cut processing requirements on the controller 
and therefore grant better performance.  I have not been able to confirm his 
opinions from those I have asked (including other engineers from the same 
company) nor in print.

We are using a single SSID for most of our campus, 'Grace WiFi'  WPA2-PSK AES. 
Theoretically, should I get better performance (or less overhead) from 
'Grace-WiFi' WPA2-PSK TKIP?

Leaving the vendor/company out of this conversation, will you please comment on 
whether or not these changes will make a difference?  I would love to either 
substantiate or debunk this theory.



Jake Barros  |  Network Administrator  |  Office of Information Technology
Grace College and Seminary  |  Winona Lake, IN  |  574.372.5100 x6178
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
