Wifi security for new suite of laptops - Radius or no?

[cheredenine]

We're looking at setting up a diploma rooms with 30 computers; recent discussions mean i now need to look at setting up laptops with wifi access rather than the hardwired PCs previously discussed.

We dont have a huge amount of wireless onsite - where it exists its used by teaching staff, mainly in mobile classrooms. I'm wondering if its worth the effort to set up a Radius server to authenticate wireless clients given the small number there will be. Would using WPA with a suitably obscure pass phrase be secure enough?

Context: We're a rural school with few immediate neighbours. I'm the network manager and also the sole technical support for the school (~600 pupils) and i don't want to make a rod for my own back by committing to a huge project if its not really necesssary..

[AngryTechnician]

Basically, if you use PSK you must assume that eventually, someone will get hold of the key. It doesn't matter how obscure you make it. With physical access to connected equipment, there is always a way to retrieve the key from the OS. The real threat is not from the neighbours, but from pupils connecting their own equipment that they've smuggled in.

If you are happy that a) you can detect when that happens and b) you are happy to go around and change every client to a new key when it does, then it may well suit your needs.

P.S. Setting up RADIUS is not really a "huge project" if you already have a Windows server.

[cheredenine]

Thanks for the advice - i'll have a ponder. I suspect the chance of someone gaining access using their own equipment is slight at best meaning a PSK approach would do for us, but its about managing the risks, i guess. I admit i was exagerating about the hugeness of the project; i would need to do significant amounts of research and testing before i would feel comfortable rolling this out and, given i don't have anyone to delegate work to, i'd have to fit everything in to what limited time i can find.

One question about the Radius approach, i'm presuming i don't have to apply this network wide from the outset? Specifically, if i have existing wireless access points that i initially don't want managed by Radius, i'm presuming they will continue to work correctly side-by-side with radius enable equipment? I'm likely to be implementing this during termtime and some of our teachers have a wireless connection only and therefore couldn't be knocked off for any length of time.

[Dageezah]

Setting up RADIUS is easy enough, but you may wish to investigate bandwidth first before the investment. 30 wireless clients in one area is going to be slowwww even with the latest 802.1n on 5Ghz.

[CyberNerd]

I'm wondering if its worth the effort to set up a Radius server to authenticate wireless clients given the small number there will be. Would using WPA with a suitably obscure pass phrase be secure enough?
.

If they are going to be on a windows domain then it is worth doing - with group policy management you will be able to deploy a certificate to the clients to allow automatic login

[spc-rocket]

We're looking at setting up a diploma rooms with 30 computers; recent discussions mean i now need to look at setting up laptops with wifi access rather than the hardwired PCs previously discussed.

We dont have a huge amount of wireless onsite - where it exists its used by teaching staff, mainly in mobile classrooms. I'm wondering if its worth the effort to set up a Radius server to authenticate wireless clients given the small number there will be. Would using WPA with a suitably obscure pass phrase be secure enough?

Context: We're a rural school with few immediate neighbours. I'm the network manager and also the sole technical support for the school (~600 pupils) and i don't want to make a rod for my own back by committing to a huge project if its not really necesssary..

Hi,

I would use Radius server to authenticate the devices if possible. its not too difficult once you know the terminology etc.

Check out the guide on the following link.
http://www.edugeek.net/forums/networ...as-server.html

Ash.

[cheredenine]

Setting up RADIUS is easy enough, but you may wish to investigate bandwidth first before the investment. 30 wireless clients in one area is going to be slowwww even with the latest 802.1n on 5Ghz.

I was going to go down the route of multiple access points for this very reason. I'm assuming the access points will be sufficiently clever or configurable enough to deal with this without clashing...

I think i'll do my homework and see if i can get this running...

[CyberNerd]

I was going to go down the route of multiple access points for this very reason. I'm assuming the access points will be sufficiently clever or configurable enough to deal with this without clashing...

I think i'll do my homework and see if i can get this running...

it will be fine if you have a decent managed wireless network, along with 1GB/s uplinks to your core...

[cheredenine]

Hi,

I would use Radius server to authenticate the devices if possible. its not too difficult once you know the terminology etc.

Check out the guide on the following link.
http://www.edugeek.net/forums/networ...as-server.html

Ash.

This looks spot on! Thanks for the link, the document will prove most helpful, i reckon.

Cheers!