Command of the Day

Reply
New Contributor
Posts: 4
Registered: ‎12-10-2009

WEP Paraphrase change without giving Customer admin password

Aruba 200 . I've got a request from Sales to allow the customer to change their WPA paraphrase password. Without giving them access to admin on the unit.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: WEP Paraphrase change without giving Customer admin password

I know there is software out there for this, but I can't off the top of my head remember what it is. It was geared toward retail applications where a service provider is delivering the network but the retailer wanted control of their WEP key. I'll see if I can dig it up.

You could pretty easily craft this as a script yourself though. You would simply need to have a page where your user could enter the new key, then have the script log into the controller to make the changes on the back end.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
MVP
Posts: 485
Registered: ‎04-03-2007

Airwave

With AOS configuration in Airwave, you can put the applicable ssid-profile in a folder to which the customer has management/write access. This would allow them to change the WEP key (among other ssid parameters) themselves. No scripting necessary.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: WEP Paraphrase change without giving Customer admin password

I would agree with Ryan, AirWave is an ideal solution for this. If you only have the one 200 to manage AirWave on Demand would probably be the best bet.

If that doesn't work for you, the company that I had mentioned is called Cyber Ark, but it appears that our customer ended up not going with them for WEP management, though I'm not sure why.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
New Contributor
Posts: 4
Registered: ‎12-10-2009

Re: WEP Paraphrase change without giving Customer admin password

Thanks Guys. I'm also thinking of using Captive Portal instead of WEP....
What do you think?
MVP
Posts: 485
Registered: ‎04-03-2007

Depends

I would say that entirely depends on what type of traffic you expect on that SSID. If it's not all that sensitive, CP could arguably be acceptable. If you want it encrypted, however, you should definitely use at least WEP, but preferably something else that cannot be broken in 3 minutes (i.e., WPA or WPA2).

Keep in mind that WEP is encryption and CP is authentication. They are not mutually exclusive and could be used in tandem.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: WEP Paraphrase change without giving Customer admin password

In the same way you could also use WPA/WPA2 PSK followed by CP. We did this at Black Hat to display the acceptable use/warning page, but you could easily use it to auth the user. Obviously you'd still want to change the PSK on some regular basis.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Contributor II
Posts: 54
Registered: ‎01-05-2010

Re: WEP Paraphrase change without giving Customer admin password


I would say that entirely depends on what type of traffic you expect on that SSID. If it's not all that sensitive, CP could arguably be acceptable. If you want it encrypted, however, you should definitely use at least WEP, but preferably something else that cannot be broken in 3 minutes (i.e., WPA or WPA2).

Keep in mind that WEP is encryption and CP is authentication. They are not mutually exclusive and could be used in tandem.




Since the CP is SSL encrypted still it can be used in the case of sensitive data on SSID , I am wrong ?
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: WEP Paraphrase change without giving Customer admin password

The captive portal uses SSL to protect the client credentials for authentciation, but not any other data. If you haven't configured encryption on the VAP there will be no protection for the data over the air, which is the pattern for almost all hotspots and guest networks. If you need encryption plus CP your best bet is to setup a WPA/WPA2 pre-shared key VAP that uses CP to authenticate the user after they've authenticated with the PSK.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
MVP
Posts: 485
Registered: ‎04-03-2007

Re: WEP Paraphrase change without giving Customer admin password




Like Andy said, the CP would just secure the initial authentication. However, in line with what you are stating, if users will be using only other SSL pages for their sensitive data, that would provide some protection. However, most companies (I would think) would want security on more than layers 5-7.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Search Airheads
Showing results for 
Search instead for 
Did you mean: