Wireless Networks Thread: Collecting MAC details of users with Ruckus ZD (Technical)
15th February 2013, 12:11 PM #1
Collecting MAC details of users with Ruckus ZD
I've just replaced our ageing wifi with a Ruckus system of 1100 controller and 7636 APs.
We've 100+ school-owned devices out there but never before had access control and need to implement this. With that number of devices to get through, is there an easy way of collecting data on everything that attaches to the network over the next month, say, and use this as the basis for the access control list?
The ZD is running 9.4 at the moment to be updated shortly.
15th February 2013, 12:23 PM #2
MAC based ACLs are pointless as you can get around it in seconds, you want to use the WPA2 BYOD solution that they have where they sign up with their credentials and get a per user WPA key or another auth solution for school owned devices.
15th February 2013, 12:31 PM #3
This is for 100 plus school-owned devices rather than BYOD.
Various problems exist, not least of which is my lack of knowledge, and the IT Tech's lack of capacity to locate all the devices in the building and set them up individually.
My way of thinking was that any device that hadn't got onto the WLAN in four weeks wasn't worth worrying about (for example we have two members of staff off on maternity leave at the moment). I was hoping that any device that had gained access might be recorded somewhere, maybe exported as .csv and re-imported as an ACL.
Incidentally, if MAC based ACLs are pointless, what is the solution bearing in mind we have a wide variety of equipment, some of which does not even have WPA2?
15th February 2013, 12:39 PM #4
Originally Posted by catch21:
"Incidentally, if MAC based ACLs are pointless, what is the solution bearing in mind we have a wide variety of equipment, some of which does not even have WPA2?"
Wind up the security as high as it will go on the devices, if needs be have separate SSIDs with different authentication methods so that you can use decent encryption on devices which can.
WEP is cracked and will give you comparably little protection, WPA with TKIP is compromisable and anything that supports WPS is compromised. WPA with AES or better WPA2 are alright at this stage.
You should probably look at ditching or upgrading stuff that can't support WPA at the least if you want a somewhat decent level of security.
If you don't have such skills in house and there is not a suitable person that can get up to speed it may be best to get the people who installed or supplied the wireless gear to come in and help you set it up.
Thanks to SYNACK from:
catch21 (17th February 2013)
15th February 2013, 04:41 PM #5
So essentially all I can do is what I am doing at the moment, i.e. WPA and WPA2?
I feel that once the passphrase is out in the open which is only a matter of time, any child can come along with their own device and get onto the network?
I'm not trying to build Fort Knox, just a garden shed with hinges bolted through, a decent padlock and maybe a battery operated alarm. Just enough to deter the opportunist and maybe slow someone down.
I'm guessing MAC addresses can be spoofed and possibly intercepted to make finding a valid one easier, but if someone is that determined they're going to get in somehow.
15th February 2013, 05:19 PM #6
Use Radius for your authentication and WPA2 for your encryption.
The Ruckus kit supports an external Radius server to handle authentication and any old Windows server can provide said Radius function.
In fact, if there isn't a plethora of How-Tos on doing exactly that available from Ruckus, I'll be very disappointed in them.
Combined with Network Access Control (works with NPS on Windows - Radius functionality is in NPS from Server 2008 onwards) or PacketFence, you're pretty much done.
Using passphrases is asking for a resume-generating-event.
Thanks to pete from:
catch21 (17th February 2013)
15th February 2013, 05:22 PM #7
Are the clients all Windows machines?
15th February 2013, 07:08 PM #8
Not all devices will be windows. I do want to (safely) open up a staff BYOD SSID for internet-only access plus a guest pass system for bona-fide visitors on a guest SSID. It will predominantly be windows but also Android and Apple devices.
15th February 2013, 07:14 PM #9
Why would you set up an access control list for BYOD?
15th February 2013, 10:32 PM #10
Because I want to limit it to staff only, rather than have a free-for-all with 500 kids and potentially a couple of hundred parents at any one time.
This basically shows my lack of knowledge I appreciate, but how else do we retain some sort of control over who is getting onto our network and using our internet access?
Sorry, just edited to add: not everybody knows everything about everything. Y'all seem to be getting cross with me for being a bit clueless.
Last edited by catch21; 15th February 2013 at 10:38 PM.
15th February 2013, 11:00 PM #11
If that's the case you would be better off setting up some kind of captive portal.
Thanks to FN-GM from:
catch21 (17th February 2013)
15th February 2013, 11:08 PM #12
Whilst the advice about security is good, you have to approach it from a risk assessment point of view. Sure, MAC based auth is easy to get around, but would your kids know about it? Would they have the skills or knowledge to get around it?
You also want to keep things simple from a management and deployment POV.
A captive portal is ideal for BYOD, but you also want to make sure you're using some form of encryption too - you don't want your packets being sniffable.
For internal devices, a captive portal would be a hindrance from an 'accessing server resources' point of view, as they'd have to log in a couple of times before they could get to what they want on network shares etc... Instead, I'd be looking at some form of device authentication for this - either MAC based, or something like 802.1X via radius etc...
It's all about risk management - what is most likely, what is manageable, what is affordable and what is it you want who to access and be prevented from accessing.
Thanks to localzuk from:
catch21 (17th February 2013)
16th February 2013, 10:01 AM #14
Thanks for the help. I should have explained myself better. I intend to have 3 types of access:
1) School-owned devices (internet, printers, file servers etc) MAC acl, WPA/WPA2
2) Staff-owned personal devices (internet only) MAC acl, WPA2
3) Guest devices (internet only) via Captive Portal, no encryption
I was trying to build the MAC lists easily for 1).
But now I see, should I care about guest packets being sniffed?
16th February 2013, 10:40 AM #15
To collect MAC addresses shouldn't be too hard - you could probably knock up a script for startup which posts the contents of ipconfig /all to a text file on the file server. I can't remember how in batch you get it to append to the same text file though. You should then be able to do a bit of magic in Excel to get a list of only the MAC addresses.
For the Guest SSID I would expect the Ruckus system (I'm sure it has) has a feature in which only guests can see the default gateway for internet and nothing else (not any other clients) for added security.
For the Staff System I would setup for that it uses AD based Auth requesting a username and password.
Thanks to glennda from:
catch21 (17th February 2013)
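As an added example (not code from the thread, from Ruckus or from any poster), the Python below turns a dump collected the way glennda describes, `ipconfig /all` appended to a text file on the file server from a startup script (`>>` is the batch redirection that appends), into a deduplicated host/adapter/MAC inventory that can be reviewed before it becomes the ACL. The dump, host names and MAC addresses are constructed; the colon-separated MAC format is an assumption, so adjust it to whatever the ZoneDirector import expects.

```python
import csv
import io
import re
# Constructed sample: three `ipconfig /all` runs appended to one share file by a
# startup script (e.g. `ipconfig /all >> \\server\share\macs.txt`); LAB-PC01 booted twice.
SAMPLE_DUMP = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : LAB-PC01
Wireless LAN adapter Wireless Network Connection:
   Physical Address. . . . . . . . . : 60-6C-66-AA-BB-01
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-1E-C9-AA-BB-02
Tunnel adapter isatap.school.local:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
Windows IP Configuration
   Host Name . . . . . . . . . . . . : LAB-PC01
Wireless LAN adapter Wireless Network Connection:
   Physical Address. . . . . . . . . : 60-6C-66-AA-BB-01
Windows IP Configuration
   Host Name . . . . . . . . . . . . : STAFF-LAPTOP7
Wireless LAN adapter Wireless Network Connection:
   Physical Address. . . . . . . . . : B8-27-EB-AA-BB-03
"""

HOST_RE = re.compile(r"^\s+Host Name[ .]*: (\S+)")
ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):$")
# Exactly six octets: ISATAP/Teredo tunnels report 8-octet pseudo-MACs and are skipped.
MAC_RE = re.compile(r"^\s+Physical Address[ .]*: ([0-9A-F]{2}(?:-[0-9A-F]{2}){5})$", re.I)

def parse_ipconfig_dump(text):
    """Return {mac: (host, adapter)} for physical adapters; first sighting wins."""
    seen, host, kind, name = {}, None, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := ADAPTER_RE.match(line):
            kind, name = m.group(1), m.group(2)   # e.g. "Tunnel", "isatap.school.local"
        elif (m := MAC_RE.match(line)) and kind != "Tunnel":
            mac = m.group(1).lower().replace("-", ":")   # normalise to aa:bb:cc:dd:ee:ff
            seen.setdefault(mac, (host, name))          # repeat boots do not add rows
    return seen

def to_csv(macs):
    """host,adapter,mac rows sorted by host, ready to review and import as an ACL."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["host", "adapter", "mac"])
    for mac, (host, name) in sorted(macs.items(), key=lambda kv: kv[1]):
        w.writerow([host, name, mac])
    return buf.getvalue()
```

Run it over the real dump with `print(to_csv(parse_ipconfig_dump(open(path).read())))`; any MAC that turns up under an unexpected host name is worth a look before it is whitelisted.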