We have a guest wifi network setup on a separate VLAN, using an open connection (e.g. NO wpa/wep).
A (semi-technical) customer recently complained that he wasn't happy about his traffic not being encrypted, I gave him the usual advice that if security is important should be using a VPN even on a WPA network etc …
But it got me thinking:
Is there any point to setting up WPA2 on a guest network, where we
give out the password to anyone that asks anyway (and write it on the
walls!)?
I understand it'd limit snooping between connections that are already established, but if you're listening when someone connects isn't it relatively trivial to capture the authentication information / 4-way handshake and then use that to snoop?
Doesn't that defy the point of having WPA on a guest/"open" network?
Best Answer
Depends on the situation. Someone with the WPA2 PSK and the right tools and knowledge can indeed decrypt traffic of the other users on the network (see here).
On on the one hand, the barriers of having the key, having the tools, and having the knowledge can be a useful deterrent, and prevent some clueless jerk with a copy of firesheep from casually stealing other people's sessions.
On the other hand, needing to get and enter a key can be a pain for your legit users, and as you pointed out, can provide a false sense of security.
Which way you go depends on which option makes the most sense for your organization.