Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal for staff and students via LDAP

  • 1.  Captive Portal for staff and students via LDAP

    Posted Jan 24, 2014 04:21 PM

    All of our campuses currently use 2 WLANs; one for staff and one for guest - each location has its own passphrase with WPA2-PSK with AES encryption.

    I'm testing out a config right now whereby a staff or faculty member would log in to our staff network via CP, then use their LDAP credentials and be placed in the 802.1x authenticated role - the same would apply for our students, but they would most likely fall into the guest role or a similar one.

    I really like the idea of LDAP authentication; it allows us as an IT dept to track and log who's on our network, and it gives users the ability to move from campus to campus w/out having to remember the passphrases. I'm just not sure if this is secure, and I'm also wondering if anyone on here might have some thoughts on this.

     

    Aruba3600

    6.2.1.5

    Novell OES LDAP server 



  • 2.  RE: Captive Portal for staff and students via LDAP

    Posted Jan 24, 2014 10:34 PM
    If you're using a PSK, then anyone with the PSK can decrypt anyone else's traffic. It is difficult to change the PSK because every user will then need to make the change.

    What you will find with the captive portal is that users will start to gripe. After 10 minutes of inactivity they will need to sign in to the captive portal again.

    Why not use 802.1x with LDAP authentication? That would give you the security most admins want and the identity of every user logging on to the system.


  • 3.  RE: Captive Portal for staff and students via LDAP

    Posted Jan 26, 2014 08:34 PM

    Thanks for your suggestion; however, I stumbled on the following thread:

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/RADIUS-vs-LDAP/td-p/23344

     

    I like the suggestion of using LDAP and Captive Portal for our students and 802.1x with RADIUS for our staff network.