Wireless authentication for non-owned laptops VLAN/network

[amfony]

Hi gang,

Ive a question regarding what type of wireless authentication i should be using for a purple network of purely non-school owned laptops/devices. These are primarily staff laptops, but not bought by or maintained by the school and therefore we've created a "if you want to use YOUR laptop with OUR internet (for teaching purposes) and access our external services" network so to speak.

I am trying to decide what is "better" across security and ease of setup.

We can use for example a radius server for authentication which provides excellent factors of discrimination (IE AD user groups access, TOD), or simply use WPA and a passphrase.

I know the radius route is more robust and feature rich, however it does involve alot of steps on the client end which i fear/know will confuse and deter staff from using the network. Like i said, they are not school owned or maintained so things like config via GPO are out of the question.

On the other hand the WPA/Psk is easy(er) to get online. Simple as that.

Can anyone comment as to which way you suggest i go with this? Or know of another type of rollout configs i am not sure about? Possible scripting?

Thanks for the 2 cents guys and gals.

Cheers

[dyoung5]

We use RADIUS for our internal clients, and it works because we can deploy the settings using GPOs. Looking at the ammount of config involved to manually connect clients to the network, I would definately recommend using PSK for rexternal clients.

If you can, you should have a seperate SSID and VLAN for staff laptops, and restrict them to just the internet.

I would still recommend that you change the keys, every term or 1/2 term, but you could publish them in the staff room, or someware students cannot get to them.

Anyway, thats just my oppinion.

David

[ssiruuk2]

I use a pre shared key for external machines in their own SSID. Using some ACLs they are restricted to access our internal proxy only and thats it. Seems to work well enough. This is for our P16 only though. The number of y7s I get walking in asking if they can get on the wireless on their phones makes me chuckle

[User3204]

I would get a PacketFence: Home
or similar and setup an extra VLAN, for them to protect your network from their viruses.

You can (apparently, as I don't use it) setup AD based authentication, although it will ask them to confirm every time.

Why don't you get laptops for the staff ?


Currently we allow students access to our student network, but we do this by loading a Radius certificate WPA\TKIP, which we manually install on each machine, this links in with their AD username, so that we can still block access when we want.

[spc-rocket]

I would get a PacketFence: Home
or similar and setup an extra VLAN, for them to protect your network from their viruses.

You can (apparently, as I don't use it) setup AD based authentication, although it will ask them to confirm every time.

Why don't you get laptops for the staff ?


Currently we allow students access to our student network, but we do this by loading a Radius certificate WPA\TKIP, which we manually install on each machine, this links in with their AD username, so that we can still block access when we want.

This is what we are doing to save them the hassle of remembering yet another logon. The wireless network is completely isolated fromt he rest of the network and has ACL in switches (for that vlan) to only allow certain traffic i.e. www, dns, and https.

We also configure the laptops by plaing the root certficate of our CA into their laptops and mobile devices and then Radius takes care of authentication and authorisation.

Ash.