  1. #1
    amfony's Avatar

    Wireless authentication for non-owned laptops VLAN/network

    Hi gang,

    I've a question regarding what type of wireless authentication I should be using for a purple network of purely non-school owned laptops/devices. These are primarily staff laptops, but not bought by or maintained by the school, and therefore we've created an "if you want to use YOUR laptop with OUR internet (for teaching purposes) and access our external services" network, so to speak.

    I am trying to decide what is "better" across security and ease of setup.

    We can use, for example, a RADIUS server for authentication, which provides excellent factors of discrimination (i.e. AD user group access, TOD), or simply use WPA and a passphrase.

    I know the RADIUS route is more robust and feature rich; however, it does involve a lot of steps on the client end which I fear/know will confuse and deter staff from using the network. Like I said, they are not school owned or maintained so things like config via GPO are out of the question.

    On the other hand the WPA/PSK is easy(er) to get online. Simple as that.

    Can anyone comment as to which way you suggest I go with this? Or know of another type of rollout configs I am not sure about? Possible scripting?

    Thanks for the 2 cents guys and gals.

    Cheers

  2. #2

    We use RADIUS for our internal clients, and it works because we can deploy the settings using GPOs. Looking at the amount of config involved to manually connect clients to the network, I would definitely recommend using PSK for external clients.

    If you can, you should have a separate SSID and VLAN for staff laptops, and restrict them to just the internet.

    I would still recommend that you change the keys every term or 1/2 term, but you could publish them in the staff room, or somewhere students cannot get to them.

    Anyway, that's just my opinion.

    David

  3. #3

    I use a pre-shared key for external machines in their own SSID. Using some ACLs they are restricted to access our internal proxy only and that's it. Seems to work well enough. This is for our P16 only though. The number of y7s I get walking in asking if they can get on the wireless on their phones makes me chuckle.

  4. #4
    User3204's Avatar
    I would get a PacketFence or similar and set up an extra VLAN, for them to protect your network from their viruses.

    You can (apparently, as I don't use it) set up AD based authentication, although it will ask them to confirm every time.

    Why don't you get laptops for the staff?

    Currently we allow students access to our student network, but we do this by loading a RADIUS certificate WPA\TKIP, which we manually install on each machine. This links in with their AD username, so that we can still block access when we want.

  5. #5

    Originally posted by User3204:
        I would get a PacketFence or similar and set up an extra VLAN, for them to protect your network from their viruses.

        You can (apparently, as I don't use it) set up AD based authentication, although it will ask them to confirm every time.

        Why don't you get laptops for the staff?

        Currently we allow students access to our student network, but we do this by loading a RADIUS certificate WPA\TKIP, which we manually install on each machine. This links in with their AD username, so that we can still block access when we want.

    This is what we are doing to save them the hassle of remembering yet another logon. The wireless network is completely isolated from the rest of the network and has ACL in switches (for that VLAN) to only allow certain traffic, i.e. www, dns, and https.

    We also configure the laptops by placing the root certificate of our CA into their laptops and mobile devices and then RADIUS takes care of authentication and authorisation.

    Ash.
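
The VLAN ACLs described in posts #3 and #5, as an added example that is not part of the thread: a first-match ACL evaluator in Python showing that permitting www/https to any destination also permits internal web interfaces unless internal ranges are denied first. The addressing, rule sets and sample flows are constructed assumptions, not any poster's configuration.

```python
import ipaddress
from collections import namedtuple

# action: permit/deny, proto: tcp/udp/any, dst: CIDR, port: int or None (any)
Rule = namedtuple("Rule", "action proto dst port")

# Constructed addressing (assumption): 10.0.0.0/8 is internal and the
# resolver offered to the non-owned laptop VLAN is 10.0.0.53.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = "0.0.0.0/0"

# Literal reading of "only allow www, dns and https".
NAIVE_ACL = [
    Rule("permit", "udp", ANY, 53),
    Rule("permit", "tcp", ANY, 80),
    Rule("permit", "tcp", ANY, 443),
]

# Same services, with internal ranges denied before the web permits.
HARDENED_ACL = [
    Rule("permit", "udp", "10.0.0.53/32", 53),
    Rule("deny", "any", "10.0.0.0/8", None),
    Rule("permit", "tcp", ANY, 80),
    Rule("permit", "tcp", ANY, 443),
]

def evaluate(acl, proto, dst_ip, port):
    """First matching rule wins; no match falls through to implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if (rule.proto in ("any", proto)
                and addr in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"

def internal_exposure(acl, flows):
    """Return the flows to internal addresses that the ACL permits."""
    return [f for f in flows
            if ipaddress.ip_address(f[1]) in INTERNAL
            and evaluate(acl, *f) == "permit"]

# Constructed sample flows: (protocol, destination IP, destination port).
FLOWS = [
    ("udp", "10.0.0.53", 53),       # internal resolver
    ("tcp", "93.184.216.34", 443),  # external HTTPS site
    ("tcp", "10.0.0.20", 443),      # internal admin web UI
    ("tcp", "10.0.0.40", 80),       # internal intranet
]
```

Calling `internal_exposure(NAIVE_ACL, FLOWS)` lists the internal web hosts a guest device could reach; with `HARDENED_ACL` only the resolver remains.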
