
I have a security policy question:

I want to know how other admins handle the WIFI password in the office.

  1. Does everyone know it?
  2. Do you enter it in for the user or guest every time and keep it a secret?

I am in camp 2.

Just want to know what others do and their reasoning behind it.

Campo
    It is hard to recommend something without knowing what level of security you are trying to establish. We have a requirement to implement federal security standards so two factor auth is a requirement. You shouldn't base this on your personal paranoia or control tendencies but on an evaluation of risk levels. – uSlackr Apr 24 '10 at 03:34
  • Just wanting to get some ideas from the community about their offices and how things are done so I can come up with the best method for us. – Campo Apr 24 '10 at 19:57

6 Answers


I recommend you use two-factor authentication for this. So there is the shared key (the WIFI password as you called it), but then they also have to authenticate with something like Active Directory for the second password via RADIUS. The Active Directory would be a per-user login that would be the same as their Windows login.

So in this case, I think you would be talking about the shared key. I just post it on our intranet page. My wireless doesn't have access to our network and is only Internet. People have to vpn in if they want access just like they would from home. So in a way this is two-factor, shared-key, and then vpn access (Maybe I am using the term a little bit loosely, not sure).

I recommend you do something like this; having your company's network protected by only a single key on wireless is pretty scary to me.

Kyle Brandt
  • Thanks for the information. I like this approach. I could put the wireless on a separate network. Then if wireless users need access to the network they can VPN. SMART! – Campo Apr 23 '10 at 18:25
  • You could swing it with only one internet connection. Basically, on your router you have two different LANs with a firewall between them so they can't access each other. A Linux machine could do this with iptables and IP forwarding enabled. There is pfSense which I haven't used (BSD based I believe) but it is quite popular. – Kyle Brandt Apr 23 '10 at 18:25
  • Question is "How do you pre-share your pre-shared key?" :-) – Kyle Brandt Apr 23 '10 at 19:25
  • Sorry, been away... It's a password we give; I type it in. We are a very small company. Have visitors who need access rarely. – Campo Nov 16 '10 at 21:12

It depends on the security requirements. At a previous job, every user had a unique username/password to access the privileged wireless network. Guests were allowed into a highly restricted network by clicking through a "You're using our network, be good!" warning.

At my current job, we were careful to design our network so that being on the office wireless granted no privileges higher than would be granted to someone out on the internet. So there we use a single shared WPA2-PSK password that everyone knows.

I would find it hard to justify trying to keep a shared password secret. If network access needs to be protected (due to privileged server access, for example) then the only auditable and manageable system is unique credentials for each user, with good logging. If network access does not require that degree of protection, then trying to keep a shared password secret is just an annoying exercise in futility...

Insyte
  • Great response thanks. What type of networking equipment were you using to achieve per user login as you described? – Campo Apr 23 '10 at 18:22
  • We were using Foundry APs, but any decent AP that supports EAP will work. Even my cheap Netgear at home claims to support it. We used FreeRADIUS as the intermediary to authenticate clients against their campus LDAP accounts. Worked like a charm. – Insyte Apr 24 '10 at 19:39

If you have a server that can do RADIUS and an AP that supports it, you can use that to authenticate regular users. See this question: Wireless. This means if you are not an authenticated user, no access. That also means staff can't use wireless after they leave the company. AD manages it all.

Some APs will allow several SSIDs and authentication to each can be different like the WAP200 mentioned.

This allows one SSID and authentication for staff and one or more for guests. Depending on the number of users, you may be able to manage with just multiple SSIDs and authentication.

If you want the guests only to have Internet, it is a bit more complex.

Dave M
  • +1 for "enterprise" authentication - just say no to separate wifi passwords ^^ – Oskar Duveborn Apr 23 '10 at 18:24
  • Yah, we sometimes have guests. Don't want to leave them out. – Campo Apr 23 '10 at 18:26
  • Guests are fine if they can have LAN access through the AP. If you want them to ONLY access the Internet (for example) you have more complexity like a VLAN or other routing. If they can access your LAN, then you give them a password and all staff have a different one (or RADIUS). Once guests leave, make a new one for that SSID. – Dave M Apr 23 '10 at 18:51
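As an added example, not taken from any of the answers above: a hostapd configuration for a Linux access point that puts the setup Insyte and Dave M describe into one file: a staff SSID on WPA2-Enterprise (802.1X/EAP) authenticating each user against an external RADIUS server such as FreeRADIUS, and a separate guest SSID with its own passphrase bridged to an isolated guest network. The interface names, SSIDs, addresses, bridge names and secrets are placeholders, not values from this page.

```ini
# hostapd.conf: staff SSID on 802.1X/RADIUS, guest SSID on its own PSK.
# All names, addresses and secrets below are assumed placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
# WPA2 only with CCMP: no WPA1 fallback, no TKIP
wpa=2
rsn_pairwise=CCMP

# --- Staff SSID: per-user credentials via RADIUS (WPA2-Enterprise) ---
ssid=CorpStaff
# 802.1X/EAP: hostapd relays EAP to RADIUS and never holds user passwords
ieee8021x=1
wpa_key_mgmt=WPA-EAP
# Use the external RADIUS server, not hostapd's built-in EAP server
eap_server=0
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
# Staff clients are bridged onto the internal LAN
bridge=br-staff

# --- Guest SSID: shared passphrase, kept off the wired LAN ---
bss=wlan0_1
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-guest-passphrase
# Guest clients land on a separate bridge whose only route is to the Internet
bridge=br-guest
# Stop guest clients from reaching each other through the AP
ap_isolate=1
```

With this split, a departing visitor means changing one `wpa_passphrase` line in the guest BSS, and a departing employee is handled by disabling the directory account behind RADIUS, as Dave M's answer notes.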

At my old job we had 2-factor. Everyone knew the wireless password, it was even posted on the main Wiki page and saved as an email message in Outlook shared folders, so everyone had access to it, but getting on the wireless network alone did not get you anywhere. The only thing you were able to reach was our VPN server, so you had to VPN in to get anywhere.

But at the job before that, help desk had to register each MAC address and we still had to use SecureID (2-factor auth) to log in.

What I am trying to say is that 2-factor is the best, but I can totally see the situation where it's a small company and management would start crying foul because they have to type in one extra password.

solefald
  • Yep, for sure! And we have guests. I don't want to have to deal with this. I want the users to know the pass and be able to access the internet, and then if they need network access from their wireless device they can VPN. Makes the most sense, I feel. – Campo Apr 23 '10 at 18:28
  • MAC addresses can be spoofed – Fahad Sadah Apr 27 '10 at 21:37
  • @fahadsadah: yes, if you know exactly what MAC you need to spoof. And it seems like you missed the part where I said that in addition to MAC address registration we had to use SecureID, which is a 2-factor authentication method. – solefald Apr 28 '10 at 20:35
  • I didn't miss the SecureID bit, but I was just saying that MAC validation is little more than security by obscurity. You can find out what MAC address to spoof by sniffing one from an authenticated user – Fahad Sadah Apr 29 '10 at 19:09

On our network we allow guest access since we host many conferences and meetings. We have open wifi with a captive portal on a network separate from the wired network. When staff need to access a protected resource they establish a VPN the same way they would access resources from any other open wireless network.

Zoredache

Thanks for everyone's input! Been a great looking glass into your configurations at your companies and your thoughts about wifi and its security.

Ended up just leaving it.

We just don't have enough visitors to justify publishing the password.

Additionally some users bring in laptops and I would like them to be able to access the domain without a VPN.

If this becomes an issue I will buy another wireless router and set it up on its own network and publish the connection information.

Campo