Just enough WLAN guest security or too little?

  • Updated 4 years ago
The following works for our guests but is it secure enough?

1. Configure / Guest / Authentication >> No onboarding, No authentication, Yes >>> Show terms of use
2. Configure / WLAN /
>>> WLAN Usages / Type = Guest Access
>>> Authentication Options / Method = Open
>>> Encryption Options / Method = WPA2
>>> Encryption Options / Algorithm = AES
>>> Encryption Options / Passphrase = "123fake456"
>>> Options / Wireless Client Isolation = Full

From their computing device my guests and employees find the appropriate WLAN (mentioned above) in the wireless network choices, attempt to connect, they enter the passphrase, they accept the TOU and then they connect.

This WLAN setup works for most of my users...should I be afraid?

ThX

Posted 4 years ago

Keith - Pack Leader

“Three may keep a secret, if two of them are dead.”
― Benjamin Franklin, Poor Richard's Almanack

See - http://theruckusroom.typepad.com/file...

ThX

Keith Redfield:

Thanks for the document reference. Can we add DPSK for guests?

P.S. I am a ruckus noob!!!

Keith - Pack Leader

Ah, I missed the guest requirement. For that you probably want to use Guest Passes - these are often set up in reception for example and handed to guests after they sign in.

https://support.ruckuswireless.com/an...

ThX

Can more than one client log in a WLAN using the identical ZD local credentials?

If so, are there limits as to how many clients can use the same credentials?

Keith - Pack Leader

You can do that, but for that case it's even easier to just keep using a shared secret. The problem with using persistent credentials of any kind that are shared among multiple users is that over time they are bound to leak to people you hadn't intended.

ThX

Keith:

Sorry to wear you down on this topic but you are the first RuckusWireless techie that I could understand most of the time. < Insert rant here... I have opened over ten online cases so I do have ruck-tech-less case experience.**end rant>

"...shared secret..." I know what that means in the "Radius and VPN vernacular" but are you referring to the '>>> Encryption Options / Passphrase = "123fake456"' statement from my original question? Does "shared secret" equal "Passphrase" in the context of your previous response?

Yes, I understand about your warning me about unintended "leak" consequences, but generating temporary "guest passes" for impatient adult students with BYOD me-mentality at a graduate school is something I must weigh against maximum security. I can isolate their encrypted access to controlled VLANs which should meet all requirements on all our sides of this issue.

Thanks much.

Keith - Pack Leader

lol - I am mostly going back to those same techs to get your answers - I had the managerial lobotomy many years ago.

Yes - shared secret==passphrase. If you are not concerned about un-approved access to the network then these are fine.

ThX

Please define "un-approved access."

A "user" would need to know the passphrase to access the WLAN, would they not?

I am running WPA2/AES so it is not like the "bad guy" can easily un-encrypt the passphrase and user transmissions, or am I missing something big?

Thanks

Keith - Pack Leader

Right - I'm not talking about hacking - just let's say Joe Student shares the passphrase...on Facebook.
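
Added example, not part of the thread and not Ruckus code: it shows why "shared secret==passphrase" means the network cannot tell approved holders from anyone else who has the passphrase. In WPA2-Personal every client derives the same key from passphrase and SSID. The SSID, holder names and per-guest passphrases are constructed; per-guest credentials are modelled simply as distinct passphrases, which does not reproduce how Guest Passes or DPSK work internally.

```python
import hashlib

SSID = "Guest-WLAN"  # assumed SSID; the thread does not name one


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def exposed_by_leak(leaked: str, issued: dict[str, str], ssid: str = SSID) -> list[str]:
    """Holders whose key equals the key anyone can derive from the leaked passphrase.

    These are the holders the network can no longer distinguish from an
    unapproved user, and who must be re-keyed when the passphrase is rotated.
    """
    leaked_pmk = wpa2_pmk(leaked, ssid)
    return sorted(h for h, p in issued.items() if wpa2_pmk(p, ssid) == leaked_pmk)


# Constructed sample data: three holders under each scheme.
HOLDERS = ("student-a", "student-b", "visitor-c")
SHARED = {h: "123fake456" for h in HOLDERS}  # passphrase from the question
PER_GUEST = {                                 # constructed per-guest values
    "student-a": "constructed-key-aaaa-0001",
    "student-b": "constructed-key-bbbb-0002",
    "visitor-c": "constructed-key-cccc-0003",
}

if __name__ == "__main__":
    # One shared passphrase: a single leak covers every holder.
    print("shared passphrase leak affects:",
          exposed_by_leak("123fake456", SHARED))
    # Distinct credentials: the same leak is confined to one holder,
    # so only that credential has to be revoked.
    print("per-guest leak affects:",
          exposed_by_leak(PER_GUEST["student-b"], PER_GUEST))
```
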