
How to manage guest user authentication when building a wireless network

Because wireless Internet access is now considered a common utility, handling guest user access deserves careful consideration. Depending on your organization, there are various options -- some more conservative than others -- for outbound and inbound policies.

Joel Snyder of Opus One reviews your different choices and how to deal with the threat of unauthenticated users.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.


Joel M. Snyder: Let's talk about unauthenticated users, specifically guests. It
turns out, in the world of the Internet nowadays, people expect to be able
to go into a company, open up the laptop, find some SSID, and get some
Internet access. You have to decide, as part of your deployment, how you're
going to deal with that. Now obviously, there is an option zero, which I've
labeled here as the no deal option. You can say, "No, we are not in the
business of giving away free Internet access; therefore, we're not going to
deal with this." That's fine. Make an explicit decision, and make sure that
you have management support for that decision. Because you may discover
that suddenly at the high end, they say, "Oh, our buddies are coming in for
this conference. We need to have Internet access for them." If you haven't
thought about how you're going to do it, you may have an issue. So, make
sure if you say "No, we don't do that," that people sign off and promise
they're not going to change their minds on you 12 hours before some
conference is about to start in your building.

Let's suppose you say, "No, we would like to provide guest access." Well, in
that case, I've got three common options. One is just wide open Internet
access, or wide open wireless access. Second is to actually make the users
authenticate. Do something like WPA2. The third would be something like a
captive portal, the model that we're familiar with in hotels. If you decide
to do wide open, that's very popular. There's really nothing wrong with
that. I have some little bits of advice to give you. First of all, do your
best to make sure that your wireless signal is confined within the limits
of your building. Now, the nice thing about that is that it's fairly easy
to do. You turn the wireless power down, which actually gives you better
throughput. I'll talk about that in a little bit. It's also not too
difficult to make sure that people can't really associate and send traffic.
Now, remember just walking around your building saying, "Oh yes, I saw the
SSID," doesn't necessarily mean that you can associate, send, and receive
traffic. It just means that you saw a beacon showing up. So, just because
you can see it, doesn't necessarily mean you haven't done your job.

Nevertheless, do your best to keep people off of the network when they are
physically outside of the building. Obviously, you don't want someone
sitting in the parking lot all night long, either trying to break in or
using your network to send spam, or attack, or whatever it is that's going
to happen. When you do wide open, it is critical that you absolutely have
no trust relationship between the wireless LAN that's wide open and the
rest of your network. There should be no possibility for those users to be
treated as anything other than completely anonymous Internet users. Don't
say, "Oh well, we'll let them onto some." No, no, no, no, no. Don't do
that. If the Internet users can't get in, people on your wireless network
should not be able to get in. Now, if you want people to be able to get in,
use a different option. Talk about maybe something like WPA2
authentication. Just because you're giving free access does not mean you
should give total free, wide open access. I suggest you put a firewall
between these wide open users and the Internet. I'll talk about firewall
policies in just a couple of slides. I've seen a lot of companies where
people drop in a separate DSL line or a cable modem line.

They say, "Hey, we're not even going to have these people associated with
our company. They're going to be on a separate connection. If they suddenly
give that connection a bad reputation, it's not going to affect us. People won't be
blacklisting us or causing problems with our networks." Given the cost of
a DSL line or cable line could be $20, $30, $40 in many cities, that
doesn't seem like an unreasonable assumption. Plus, then you're also
assured that they won't affect the quality of service of whatever you have
on your normal circuit. Now, another option that's possible is WPA2
authentication, actually saying users are going to have to authenticate
using this WPA2. Now all modern versions of Windows, all modern versions of
Mac OS X, have WPA2 authentication built in, which means that people that
are showing up in your company will probably be able to do WPA2
authentication. I don't want to walk through this long scenario of how to
pick the inner-authentication method. I'm just going to tell you that if
you pick an inner-authentication method of MSCHAPv2 inside of a PEAP EAP
method, when you set up WPA2 authentication, that's going to work in
all of those common cases.

If you want to call for something like TTLS and PAP, that's not going to
work in Windows because Windows world doesn't really support TTLS and PAP
without additional add-on software. You don't want to go there. Now the
advantages of having WPA2 are that you get encrypted traffic, you've
authorized users. The disadvantages, of course, are that you're going to
have confused guests, people that don't know how to get on. Your help desk
is going to have to absorb some calls. And, depending on what's been done to the
laptop by the other companies or the other users' IT department, they might
not be able to get on at all. For example, they might have had PEAP and
MSCHAPv2 disabled because they want them to use TTLS, PAP, or something
like that. So, there is some possibility even people with normal Windows
and Mac laptops won't be able to get on, because their laptop has been
locked down a little bit. I think WPA2 authentication is a good strategy
if your guests need more than just basic commodity Internet. If you're
going to have any trust relationship at all, even into fairly public hosts,
like maybe your mail servers or something like that, you want to have
something like WPA2 where you get that authentication, you get that
encryption that you don't have in the wide open case.

Otherwise, I think it might be overkill. If you're not going to have a
trust relationship, then you probably want to go for something like captive
portal. Captive portal is a very, very familiar scenario. Everyone knows
how to use captive portal. You go anywhere in the world. You open up your
laptop. You look for an SSID, you connect to it. You open up your browser.
You try and go somewhere and the captive portal says, "Hey, give me your
credit card number, and I'll let you have Internet access." Now, you could
see this as a revenue source for your company. Hey, for $10, we'll let you
have Internet access from our company. That's an interesting strategy. I
like it, personally. But let's suppose you don't want to do that. You could
have a password of the day, maybe something that's posted at the reception
desk. It changes every day. I've seen companies do that. Or you could just
make them agree to some acceptable use policy. A lot of firewalls nowadays
have captive portals built into them, or you could get a specific wireless
captive portal kind of technology. Lots of different options for captive portals.

Most people are not going to have a problem if you do captive portal. I
would be careful about using that with a trust relationship, again, because
you probably don't have encryption. Alright, let's talk about the
firewall case. Any guest user, captive portal, WPA authenticated, or wide
open should be strongly firewalled. Just because you're giving them
Internet access, does not mean you're going to give them full Internet
access. You are not an ISP in this case. So, I would not allow any inbound
connects. Just because they have access shouldn't mean that they would be
able to be a Web server, or a mail server, or let people FTP files off of
their laptop. That's going to be just simple basic security. There's really
very little business case for anyone actually needing to have inbound
connects to their laptop. Outbound connects: different philosophies
depending on different companies. I've got a spectrum here on this slide
ranging from a liberal company to a strict company. A liberal company might
say, "No inbound connects, but outbound no problem." A strict company might
say, "No inbound connects, and in addition, we're only going to let you
connect out on ports 80 and 443. That's it. If you can't do what you want
over those two ports, then you can't use our free Internet service." This
is a huge argument in favor of SSL VPNs, if you've seen people do outside
VPNs. Because that will typically work over 443, and frankly I think
that's not an unreasonable policy. Even if your company is fairly liberal,
you might say, "You know, we're just not in the business of giving away
free Internet access to strangers." That also helps you with some of the
other scenarios, such as people outside of the building with an extended
antenna being able to get in.
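The guest firewall spectrum described in the talk, modeled as an added example that is not part of the video or of Opus One's material: a "liberal" profile (no inbound, any outbound), a "strict" profile (no inbound, outbound only on TCP 80 and 443), and the "no trust relationship" rule applied before either profile. The guest subnet, internal prefixes and interface names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

GUEST_NET = ip_network("192.168.250.0/24")  # constructed guest subnet
INTERNAL_NETS = [ip_network("10.0.0.0/8"),  # constructed corporate ranges
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
POLICIES = {
    "liberal": None,       # any outbound destination port
    "strict": {80, 443},   # web ports only; SSL VPNs ride over 443
}

def decide(policy, src, dst, dport, proto="tcp"):
    """Verdict for a new connection src -> dst:dport under the named policy."""
    src, dst = ip_address(src), ip_address(dst)
    from_guest, to_guest = src in GUEST_NET, dst in GUEST_NET
    if to_guest and not from_guest:
        return "drop", "inbound to guest"          # guests are never servers
    if not from_guest:
        return "n/a", "not a guest flow"           # outside this policy
    if any(dst in net for net in INTERNAL_NETS):
        return "drop", "guest to internal"         # no trust relationship
    allowed = POLICIES[policy]
    if allowed is None or (proto == "tcp" and dport in allowed):
        return "accept", "outbound"
    return "drop", f"port {dport} not permitted under {policy}"

def render_nftables(policy, guest_if="wlan-guest", wan_if="eth-wan"):
    """Emit an nftables forward chain that enforces the same decisions.
    DHCP/DNS served by the gateway itself belong in an input chain (not shown)."""
    lines = ["table inet guest {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]   # replies only
    for net in INTERNAL_NETS:                             # block before allow
        lines.append(f'    iifname "{guest_if}" ip daddr {net} drop')
    ports = POLICIES[policy]
    if ports is None:
        lines.append(f'    iifname "{guest_if}" oifname "{wan_if}" accept')
    else:
        pset = ", ".join(str(p) for p in sorted(ports))
        lines.append(f'    iifname "{guest_if}" oifname "{wan_if}" '
                     f'tcp dport {{ {pset} }} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for pol in POLICIES:
        print(pol, decide(pol, "192.168.250.10", "203.0.113.5", 22))
    print(render_nftables("strict"))
```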
