How should I implement security

What about boring old WEP ? I know it's pants security - but it's just for casual internet access is it ? But if you change the WEP key every day, or how ever often a new group comes in, stick it on the white-board, whatever, for them to see. Surely most clients will support WEP. If you stick WPA-PSK on there, half the clients won;t be able to connect ... Not sure you can do much to make changing the WEP key quicker on your devices though ? Although when you get used to it, you'll end up doing it in a flash. Maybe if it was a Cisco Aironet you could do some scheduled script to upload a different config each day containing the new key.

Reply to
Loading thread data ...

I installed a G network at a conference center so that clients that rent out meeting rooms can have net access.

I have one D-Link router and one D-Link repeater. I am not sure what the best way to set up security so that:

  1. The visiting clients can connect with minimal hassle, using their own pc's with wifi radios, and not have to reconfigure much to get going.

  1. The office staff at the conference center can easily change the passphrase regularly or after each meeting.

I need to know whether to use WEP, WPA or WPA-PCK, and how to make it so that the router and repeater don't both have to be reconfigured (or an easy way to do both) to change the passphrase.

So far in testing, the three devices (router, repeater, client radio, all D-Link) all have different setup screens with different options. This is way too complicated as-is. Some things have WEP, some WPA, some passphrase only, some hex only, etc.

Any recommendations?

Reply to

1 question - do you need any security?

it doesnt sound like you are charging for access - so why not leave the feed open?

and then the meeting starts, it gets rubbed off, the users want to set up their PCs to get mail in a lunch break......

and be prepared to be asked by a %age of all the clients to "assist" with the configuration if they even have to set up the key.

Reply to

I considered that. I am a consultant and this is my first WLAN at a business. I want my customer to feel secure (even though I have their office LAN separated from the WLAN).

And have passersby in cars using up the bandwidth? That's what the customer will be concerned about. Tell me more if I can do this without much risk.

It won't be me, since I'll be gone. The customer isn't very savvy but I guess they can be trained.

Not Cisco, but maybe I could write a script for Windows to automate most of the steps. Good sugg.

Yep. I'll have a handout, and hopefully one or two attendees will step into the techie role.

Re my other questions on changing passwords: (a) should I use WEP 64 or 128? (b) should I use passphrase or hex? (c) is there any way to change the password on the router and automatcally have it change on the repeater? Thanx.

Reply to

"Jorabi" wrote in news:%h2Vd.34541$vK5.32265

You can avoid this by placing the APs in such a way that the signal won't radiate too much outside. Or you can change the antenna on the AP.

That's what you think! The client WILL call you. And if you don't answer, you just racked up an unhappy customer : )

Use WEP 64, not all cards support WEP 128.

You should use a passphrase. Most cards take a passphrase. However, I think you can convert between Hex and Passphrase, so perhaps have both versions of the key available?

Reply to
Lucas Tam

There are products like firstspot from patronsoft that have a captive portal.

You can have one password displayed for everyone to use to access the net. Granted, it doesnt prevent hackers from sniffing the air but can limit access. Or if you are a linux guru there are many free captive portals available. If you want to make access easy, forget about wep and wpa. You could set up a server that supports https and go that route and be sure to have an access point that support vpn passthrough for those wanting to access work.

Reply to

another poster suggested limit the coverage - you can direct the radio pattern to some extent, or turn down the power level on the AP.

some APs can run multiple virtual "lans" for lack of a better term - cisco aironet 1100 or 1200s can support this. you can have different vlans with different login and encryption setups using the same hardware (a default type is "guest mode" which may be what you want).

note that if you do this then any "secure" wifi and the guest account are only separated by VLAN - so you need to take some care about segregation of traffic and security.

just be aware this isnt consumer cost equipment.

formatting link

bunch of cisco docs about wifi

formatting link
if 1100s are too steep, then i suggest you make this a separate wifi to any internal system and just air gap it from the internal network - maybe even a separate internet feed so you dont have to worry about bandwidth hogging.

if it doesnt go anywhere but to the internet then do you care?

the problem is that any sort of security needs administration and complicates setup, and since you have a constant churn in your users you need to balance cost of "lost" bandwidth to that sort of risk vs overhead costs for admin.

buy 802.11g equipment and run it in B/G mode for the widest compatibility.

if you change it every day then WEP 64 should be enough - you arent worrying about security here, so much as making the system inconvenient for unauthorised users to get at.

Reply to
stephen Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.