topic Re: Just enough WLAN guest security or too little ? in ZoneDirector

Just enough WLAN guest security or too little ?

dtsblake_588878 — Thu, 05 Sep 2013 18:05:09 GMT

The following works for our guests but is it secure enough?

1. Configure / Guest / Authentication >> No onboarding, No authentication, Yes >>> Show terms of use
2. Configure / WLAN /
>>> WLAN Usages / Type = Guest Access
>>> Authentication Options / Method = Open
>>> Encryption Options / Method = WPA2
>>> Encryption Options / Algorithm = AES
>>> Encryption Options / Passphrase = "123fake456"
>>> Options / Wireless Client Isolation = Full

From their computing device my guests and employees find the appropriate WLAN (mentioned above) in the wireless network choices, attempt to connect, they enter the passphrase, they accept the TOU and then they connect.

This WLAN setup works for most of my users...should I be afraid?

Re: Just enough WLAN guest security or too little ?

keith_redfield — Thu, 05 Sep 2013 20:00:06 GMT

“Three may keep a secret, if two of them are dead.”
― Benjamin Franklin, Poor Richard's Almanack

See - http://theruckusroom.typepad.com/file...

Re: Just enough WLAN guest security or too little ?

dtsblake_588878 — Fri, 06 Sep 2013 11:21:47 GMT

Keith Redfield:

Thanks for the document reference. Can we add DPSK for guests?

P.S. I am a ruckus noob!!!

Re: Just enough WLAN guest security or too little ?

keith_redfield — Fri, 06 Sep 2013 15:34:48 GMT

Ah, I missed the guest requirement. For that you probably want to use Guest Passes - these are often set up in reception for example and handed to guests after they sign in.

https://support.ruckuswireless.com/an...

Re: Just enough WLAN guest security or too little ?

dtsblake_588878 — Fri, 06 Sep 2013 16:27:37 GMT

Can more than one client log in a WLAN using the identical ZD local credentials?

If so, are there limits as to how many clients can use the same credentials?

Re: Just enough WLAN guest security or too little ?

keith_redfield — Fri, 06 Sep 2013 18:28:36 GMT

You can do that, but for that case it's even easier to just keep using a shared secret. The problem with using persistent credentials of any kind that are shared among multiple users is that over time they are bound to leak to people you hadn't intended.

Re: Just enough WLAN guest security or too little ?

dtsblake_588878 — Fri, 06 Sep 2013 19:42:12 GMT

Keith:

Sorry to wear you down on this topic but you are the first RuckusWireless techie that I could understand most of the time. < Insert rant here... I have opened over ten online cases so I do have ruck-tech-less case experience.**end rant>

"...shared secret..." I know what that means in the "Radius and VPN vernacular" but are you referring to the ">>> Encryption Options / Passphrase = "123fake456" statement from my original question? Does "shared secret" equal "Passphrase" in the context of your previous response?

Yes, I understand about your warning me about "unintended "leak" consequences" but generating temporary "guest passes" for impatient adult students with BYOD me-mentality at a graduate school is something I must weigh against maximum security. I can isolate their encrypted access to controlled vlans which should meet all requirements on all our sides of this issue.

Thanks much.

Re: Just enough WLAN guest security or too little ?

keith_redfield — Fri, 06 Sep 2013 21:17:14 GMT

lol - I am mostly going back to those same techs to get your answers - I had the managerial lobotomy many years ago.

Yes - shared secret==passphrase. If you are not concerned about un-approved access to the network then these are fine.

Re: Just enough WLAN guest security or too little ?

dtsblake_588878 — Sat, 07 Sep 2013 12:51:24 GMT

Please define "un-approved access ."

A "user" would need to know the passphrase to access the WLAN, would they not?

I am running WPA2/AES so it is not like the "bad buy" can easily un-encrypt the passphrase and user transmissions, or am I missing something big?

Thanks

Re: Just enough WLAN guest security or too little ?

keith_redfield — Sat, 07 Sep 2013 16:26:45 GMT

Right - I'm not talking about hacking - just let's say Joe Student shares the passphrase...on Facebook.