Wifi – Enable access for wireless devices without WPA2 Enterprise

Tags: access-point, wifi, wpa2

I work as a system administrator managing the internet of a dorm.
We are running a wireless network with WPA2 Enterprise authentication.

Some people have been asking how to connect devices such as the Chromecast, PS3/4, printers etc. that do not support WPA2 Enterprise, and I'm therefore looking for dorm-level solutions, e.g. something I can apply.

I don't want the security to be weakened and I prefer not having an open network with a captive portal, as MAC addresses are easily cloned and data traffic is not encrypted. I also require that every device must be identifiable as to which user it belongs to, which rules out a WPA2-PSK network (?).

The network equipment we are running is

  • Cisco Aironet 2602 Autonomous (no controller) APs
  • HP ProCurve 2810-24G switches

I'm aware that the hardware we have is not necessarily the best for the setup, but it is what we've got and we cannot afford a licence for a controller-based setup.

How can I securely and conveniently allow users to connect devices with lesser security?

Best Answer

Provide unauthenticated devices a separate SSID, with instructions that it is for limited personal use, and carries fewer guarantees.

Put the SSID with WPA2-PSK in its own separate VLAN and VRF that does not have access to the segment with authenticated devices or resources of interest (maybe only a single route outward to the public internet, no mechanism to get back to the campus network).

Post the shared key or give it out on request.

Configure the Wifi Access Points to log (via SYSLOG or other mechanism) to a server where you can carve out the records for station associations / disassociations. Build queries in advance to pull these out, so you can look up the information if needed (for example, if a device in the unauthenticated SSID does something inappropriate); this could be as simple as grep commands for log entries in a flat text file.

Still put a captive portal that forces them to agree to terms-of-use (to get rid of the "I didn't know" defense).
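The lookup the answer describes (carving station association and disassociation records out of the AP syslog feed), as an added example that is not part of the original answer or of Cisco's tooling: a small Python script that pairs ASSOC/DISASSOC events per station MAC and answers "which stations were on the PSK SSID at the time of the complaint". The log lines are constructed and only loosely modelled on Cisco IOS DOT11 messages; their exact wording, the hostname and the MACs are assumptions, so adapt the regex to what your APs actually emit.

```python
import re
from datetime import datetime

# Constructed sample syslog lines, loosely modelled on Cisco IOS %DOT11-6-ASSOC /
# %DOT11-6-DISASSOC messages. Hostname, MACs and exact wording are assumptions.
SAMPLE_LOG = """\
Mar  3 21:02:11 ap-dorm-3 1234: *Mar  3 21:02:10.881: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated KEY_MGMT[WPAv2 PSK]
Mar  3 21:05:40 ap-dorm-3 1235: *Mar  3 21:05:39.102: %DOT11-6-ASSOC: Interface Dot11Radio1, Station aabb.ccdd.eeff Associated KEY_MGMT[WPAv2 PSK]
Mar  3 21:30:00 ap-dorm-3 1237: %SYS-5-CONFIG_I: Configured from console by admin
Mar  3 22:17:03 ap-dorm-3 1240: *Mar  3 22:17:02.553: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Sending station has left the BSS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<ap>\S+) .*?%DOT11-6-(?P<kind>ASSOC|DISASSOC): "
    r"Interface (?P<iface>\S+), .*?Station (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)

def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2024 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_events(log, year=2024):
    """Return a time-ordered list of (datetime, ap, iface, kind, mac) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog noise (config changes, DHCP, ...)
        events.append((parse_ts(m["ts"], year), m["ap"], m["iface"], m["kind"], m["mac"].lower()))
    return sorted(events)

def sessions(events):
    """Pair each ASSOC with the next DISASSOC of the same MAC -> {mac: [(start, end_or_None, ap)]}."""
    open_assoc, result = {}, {}
    for ts, ap, iface, kind, mac in events:
        if kind == "ASSOC":
            open_assoc[mac] = (ts, ap)
        elif mac in open_assoc:
            start, ap = open_assoc.pop(mac)
            result.setdefault(mac, []).append((start, ts, ap))
    for mac, (start, ap) in open_assoc.items():  # still associated when the log ends
        result.setdefault(mac, []).append((start, None, ap))
    return result

def stations_at(sess, when):
    """MACs associated at 'when', e.g. the timestamp from an abuse complaint."""
    return sorted(mac for mac, spans in sess.items()
                  for start, end, _ in spans if start <= when and (end is None or when < end))

if __name__ == "__main__":
    sess = sessions(parse_events(SAMPLE_LOG))
    print(stations_at(sess, parse_ts("Mar  3 21:30:00")))
```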