1st September 2010, 11:52 AM #1
Allowing staff to know the WPA key
Ok, had wireless put in over the holiday so now have access via a guest or AD account.
Now for staff whose laptop isn't currently known to AD, do I tell them the code and tell them students aren't to know it, or do I just go and put it in myself...
Do your staff know your wireless key?
1st September 2010, 12:11 PM #2
No. Only IT tech and network manager know it here. If you do it yourself it'll stop them giving it to kids and you can control who has or doesn't have access, and on what devices (i.e. phones?).
Thanks to mjs_mjs from:
Little-Miss (1st September 2010)
1st September 2010, 12:11 PM #3
Thanks to MatthewL from:
Little-Miss (1st September 2010)
1st September 2010, 12:18 PM #4
Thought as much!
1st September 2010, 12:22 PM #5
Letting the teacher know is a bad idea. During lunch or even lesson time they will be using their iPhones/other devices; at least if they don't know, they can't cause any problems by downloading viruses through their phones/other devices. Once set up they will never need to ask for the code anyway. Play God with it lol
1st September 2010, 12:34 PM #6
Ok, look at it this way (and this is not an excuse creating exercise) ... if anything 'dodgy' was to be viewed on your network (or sent) and the police were to get involved and they had an IP address to check, could you a) give them the details of which device it is likely to be, b) categorically say that your network was not likely to be breached by someone other than *employed* by the school and c) honestly say that staff were aware of any checks that may be made on the traffic from their systems?
Don't get me wrong ... there are systems out there which you can use to enable all of the above, where you would not have to give out the WPA key as it can link in with your AD (or other directory service) ... these cost money, or significant time ... or both.
Thanks to GrumbleDook from:
elsiegee40 (1st September 2010)
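Question (a) in the post above, worked as an added example that is not part of any post in this thread: given an IP address and a time, which device held it? The record layout, user names, MAC addresses and 10.20.0.x addresses are constructed for illustration; the field names follow the standard RADIUS accounting attributes (Acct-Status-Type, User-Name, Calling-Station-Id, Framed-IP-Address).

```python
from datetime import datetime

# Constructed sample: simplified RADIUS accounting events (not real log output).
# Fields: timestamp, Acct-Status-Type, User-Name, Calling-Station-Id (MAC), Framed-IP-Address
SAMPLE_ACCT = """\
2010-09-01T08:55:02 Start jsmith 00-11-22-AA-BB-01 10.20.0.15
2010-09-01T10:30:40 Stop jsmith 00-11-22-AA-BB-01 10.20.0.15
2010-09-01T10:45:10 Start guest 00-11-22-AA-BB-02 10.20.0.15
2010-09-01T11:05:00 Start akhan 00-11-22-AA-BB-03 10.20.0.16
2010-09-01T12:20:30 Stop guest 00-11-22-AA-BB-02 10.20.0.15
"""

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def build_sessions(log_text):
    """Pair Start/Stop events into sessions keyed by (MAC, IP)."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, status, user, mac, ip = line.split()
        key = (mac.upper(), ip)
        if status == "Start":
            open_sessions[key] = {"user": user, "mac": mac.upper(), "ip": ip,
                                  "start": parse_time(ts), "stop": None}
        elif status == "Stop" and key in open_sessions:
            session = open_sessions.pop(key)
            session["stop"] = parse_time(ts)
            sessions.append(session)
    # Sessions with no Stop are still open; keep them with stop=None.
    return sessions + list(open_sessions.values())

def who_had_ip(sessions, ip, when):
    """Return every session that held `ip` at time `when` (ideally exactly one)."""
    at = parse_time(when)
    return [s for s in sessions
            if s["ip"] == ip and s["start"] <= at
            and (s["stop"] is None or at <= s["stop"])]

if __name__ == "__main__":
    hits = who_had_ip(build_sessions(SAMPLE_ACCT), "10.20.0.15", "2010-09-01T11:00:00")
    for s in hits:
        print(s["user"], s["mac"], s["start"], s["stop"])
```

In the sample, the same IP is reused by two devices on the same morning, and the second session belongs to a shared guest login, so the MAC address is the only device-level identifier left in the record.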
1st September 2010, 12:35 PM #7
Could you set it up to use RADIUS, that way they just need to enter their AD details to get onto the network?
Although if the staff laptops aren't known to AD and are on the guest ssid, what are they missing?
1st September 2010, 01:02 PM #8
I mentioned this in an earlier thread: Kaspersky have developed a web filtering software device which enables you to see who has viewed what and also to lock down any unwanted downloads. I have been trading this to hotels at the moment, as there are guests that come to the hotel and download whatever they like, leaving the hotel owner liable for any fines should their network get checked.
1st September 2010, 01:25 PM #9
We use a combination of RADIUS, WPA-PSK and also firewall authentication for our non-domain laptops. Students have a restricted ACL limiting it only to port 80 traffic.
It's trivial to recover the PSK from a laptop once it's been saved, so I would look at an extra level of individually authenticating / registering each device (we register the MAC address for part of the RADIUS auth, which although it is spoofable, they can't get out to the internet until they enter their login creds into the firewall).
1st September 2010, 02:09 PM #10
We set up like this:
School owned equipment: AD/RADIUS authentication - no key to give away as we use a certificate server and configure via GPOs
Staff owned equipment: RADIUS authentication through MAC address - so we give them the key, but they need MAC registered with us.
Students wireless: give them the key
All the wireless networks are on separate VLANs and we can control who gets what through the firewall.
1st September 2010, 02:29 PM #11
To throw a spanner in the works..... surely giving out the WPA is just the same as a student/teacher bringing a personal laptop in, finding a port, and plugging it in? I'm not saying "do it, it'll be fine" - I'm saying if you're worried about one then surely it's also wise to worry about the other as well.
1st September 2010, 02:35 PM #12
Yes, that should also be a worry to schools with regards to an audit trail, and yes ... there are solutions for that too. A commonly mentioned one has been PacketFence, but other solutions are available (802.1X based).
2nd September 2010, 01:11 PM #13
Here we have a dirty wireless system, and a clean, AD wireless system. School owned laptops are configured before leaving this office, all necessary files, WPA keys etc. on before they go out. No need for staff to know the keys etc.
The dirty wireless is for anybody to connect to with any device. BlackBerry, iPhone, laptop etc. etc. Both networks are filtered, IPs/MACs logged etc. etc. through a dedicated Barracuda drop-in box. All VLAN'd and going out via a 3 way load balanced WAN device (we have very poor ADSL speeds here).
Are you really considering allowing (what I imagine to be spyware, virus, illegal software infested) to be attached to the domain....?!?!?