Thread: Allowing staff to know the WPA key (forum: How do you do....it?, in Technical)
  1. #1

    Little-Miss

    Allowing staff to know the WPA key

    Ok, had wireless put in over the holiday so now have access via a guest or AD account.

    Now for staff whose laptop isn't currently known to AD, do I tell them the code and tell them students aren't to know it, or do I just go and put it in myself...

    Do your staff know your wireless key?

  2. #2
    mjs_mjs

    No. Only IT tech and network manager know it here. If you do it yourself it'll stop them giving it to kids, and you can control who has or doesn't have access, and on what devices (i.e. phones?).

  3. Thanks to mjs_mjs from:

    Little-Miss (1st September 2010)

  4. #3

    Don't tell them!!!

  5. Thanks to MatthewL from:

    Little-Miss (1st September 2010)

  6. #4

    Little-Miss

    thought as much!

  7. #5
    gizmo2005

    Letting the teacher know is a bad idea; during lunch or even lesson time they will be using their iPhones/other devices. At least if they don't know, they can't cause any problems by downloading viruses through their phones/other devices. Once set up they will never need to ask for the code anyway, play God with it lol

  8. #6

    GrumbleDook

    Ok, look at it this way (and this is not an excuse creating exercise) ... if anything 'dodgy' was to be viewed on your network (or sent) and the police were to get involved and they had an IP address to check, could you a) give them the details of which device it is likely to be, b) categorically say that your network was not likely to be breached by someone other than *employed* by the school and c) honestly say that staff were aware of any checks that may be made on the traffic from their systems?

    Don't get me wrong ... there are systems out there which you can use to enable all of the above, where you would not have to give out the WPA key as it can link in with your AD (or other directory service) ... these cost money, or significant time ... or both.

  9. Thanks to GrumbleDook from:

    elsiegee40 (1st September 2010)
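
GrumbleDook's point (a), tying an IP address at a given time back to a device and a person, comes down to joining DHCP lease intervals with per-user authentication records. A sketch of that join, added here as an example and not taken from any poster's setup; the record layouts, addresses and usernames are constructed. It also shows why a device on a shared-key network resolves to a MAC address but not to a user:

```python
from datetime import datetime
from typing import NamedTuple, Optional

class Lease(NamedTuple):          # one DHCP lease interval (assumed layout)
    ip: str
    mac: str
    start: datetime
    end: datetime

class Session(NamedTuple):        # one per-user login (RADIUS accounting or firewall auth)
    mac: str
    user: str
    start: datetime
    stop: Optional[datetime]      # None means the session is still open

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records: one address reused by two devices, plus a shared-key device
LEASES = [
    Lease("10.20.0.57", "02:00:00:00:00:01", ts("2010-09-06 08:50"), ts("2010-09-06 12:50")),
    Lease("10.20.0.57", "02:00:00:00:00:02", ts("2010-09-06 13:05"), ts("2010-09-06 17:05")),
    Lease("10.30.0.9", "02:00:00:00:00:03", ts("2010-09-06 09:00"), ts("2010-09-06 13:00")),
]
SESSIONS = [
    Session("02:00:00:00:00:01", "staff.jones", ts("2010-09-06 08:51"), ts("2010-09-06 12:30")),
    Session("02:00:00:00:00:02", "staff.patel", ts("2010-09-06 13:06"), None),
]

def attribute(ip, when, leases=LEASES, sessions=SESSIONS):
    """Return (mac, user, confidence) for whoever held `ip` at time `when`."""
    macs = {l.mac for l in leases
            if l.ip == ip and l.start <= when < l.end}
    if not macs:
        return (None, None, "no-lease")            # nothing to give an investigator
    if len(macs) > 1:
        return (None, None, "conflicting-leases")  # logs disagree; do not guess
    mac = macs.pop()
    users = {s.user for s in sessions
             if s.mac == mac and s.start <= when
             and (s.stop is None or when <= s.stop)}
    if len(users) == 1:
        return (mac, users.pop(), "device+user")
    if not users:
        return (mac, None, "device-only")          # key known, no individual login on record
    return (mac, None, "ambiguous-user")
```

The same IP address maps to different people before and after the lease changes hands, so the timestamp matters as much as the address.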

  10. #7
    p858snake

    Could you set it up to use RADIUS? That way they just need to enter their AD details to get onto the network.

    Although if the staff laptops aren't known to AD and are on the guest SSID, what are they missing?

  11. #8
    gizmo2005

    I mentioned this in an earlier thread: Kaspersky have developed a web filtering software device which enables you to see who has viewed what and also to lock down any unwanted downloads. I have been trading this to hotels at the moment as there are guests that come to the hotel and download whatever they like, leaving the hotel owner liable for any fines should their network get checked.

  12. #9

    RabbieBurns

    We use a combination of RADIUS, WPA-PSK and also firewall authentication for our non-domain laptops. Students have a restricted ACL limiting it only to port 80 traffic.

    It's trivial to recover the PSK from a laptop once it's been saved, so I would look at an extra level of individually authenticating / registering each device (we register the MAC address for part of the RADIUS auth; although it is spoofable, they can't get out to the internet until they enter their login creds into the firewall).

  13. #10


    We set up like this:

    School owned equipment: AD/RADIUS authentication - no key to give away as we use a certificate server and configure via GPOs
    Staff owned equipment: RADIUS authentication through MAC address - so we give them the key, but they need MAC registered with us.
    Students wireless: give them the key

    All the wireless networks are on separate VLANs and we can control who gets what through the firewall.

  14. #11

    Hightower

    To throw a spanner in the works..... surely giving out the WPA key is just the same as a student/teacher bringing a personal laptop in, finding a port, and plugging it in? I'm not saying "do it, it'll be fine" - I'm saying if you're worried about one then surely it's also wise to worry about the other as well.

  15. #12

    GrumbleDook

    @hightower
    Yes, that should also be a worry to schools with regards to an audit trail, and yes ... there are solutions for that too. A commonly mentioned one has been PacketFence, but other solutions are available (802.1X based).

  16. #13
    Ben_Stanton

    Here we have a dirty wireless system, and a clean, AD wireless system. School owned laptops are configured before leaving this office, with all necessary files, WPA keys etc. on before they go out. No need for staff to know the keys etc.

    The dirty wireless is for anybody to connect to with any device: BlackBerry, iPhone, laptop etc. Both networks are filtered, IPs/MACs logged etc. through a dedicated Barracuda drop-in box. All VLAN'd and going out via a 3-way load-balanced WAN device (we have very poor ADSL speeds here).

    Are you really considering allowing (what I imagine to be spyware, virus, illegal software infested) to be attached to the domain....?!?!?


