Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Keeping Employees off the Guest Wireless Network - How are you doing it?

  • 1.  Keeping Employees off the Guest Wireless Network - How are you doing it?

    EMPLOYEE
    Posted Dec 21, 2008 11:02 PM
    What is everyone doing to keep Employees and their laptops off the Guest wireless network?
    I spoke with an admin that has Websense to filter employee traffic on employee laptops, but his guest network is completely open. Because employees are restricted from going to websites, they more often than not end up on the guest wireless network to chat, check their email, and go to sites they normally cannot go to.
    The customer came up with the idea that he could look for ports and hosts that his company laptops would use to connect to his antivirus servers, and his firewall policies for his guest network would automatically block them and blacklist the user when he sees that traffic. The customer knew that Symantec Antivirus on the desktop used UDP 2967 and would contact the antivirus server at 10.12.13.246, so he created the ACL below to blacklist a user that accessed the host on that port:

    ip access-list session "Guest"
    any any "svc-dhcp" permit queue low
    alias "user" any "svc-dns" permit queue low
    alias "user" any "svc-http" permit queue low
    alias "user" any "svc-https" permit queue low
    alias "user" host 10.12.13.246 udp 2967 2967 deny blacklist queue low

    What is everybody else using?
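    The detection side of the ACL above, as an added example that is not part of the original post: constructed flow records (MAC, role, source, destination, protocol, destination port) are checked against "phone home" signatures such as the Symantec AV check-in the post describes, guest-role clients that match are reported for blacklisting, an exempt list keeps known-good devices out of the result, and the same signature list renders the ArubaOS session ACL from the post. The record format, the Signature type and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Signature:
    """A 'phone home' pattern only a corporate-managed machine produces."""
    name: str
    host: str   # management server the agent contacts
    proto: str  # "udp" or "tcp"
    port: int

# The one signature the post gives: Symantec AV client -> server on UDP 2967.
SIGNATURES = (Signature("symantec-av", "10.12.13.246", "udp", 2967),)

# Constructed sample flow records (not real traffic): mac role src dst proto dport
SAMPLE_FLOWS = """\
00:11:22:33:44:55 guest    192.0.2.10 10.12.13.246 udp 2967
00:11:22:33:44:55 guest    192.0.2.10 198.51.100.7 tcp 443
aa:bb:cc:dd:ee:01 guest    192.0.2.11 198.51.100.7 tcp 80
aa:bb:cc:dd:ee:02 employee 10.1.1.5   10.12.13.246 udp 2967
aa:bb:cc:dd:ee:03 guest    192.0.2.12 10.12.13.246 udp 2967
""".splitlines()

def parse_flow(line):
    """Split one record into a dict; ip_address() rejects a malformed destination."""
    mac, role, src, dst, proto, dport = line.split()
    return {"mac": mac.lower(), "role": role, "src": src,
            "dst": str(ip_address(dst)), "proto": proto.lower(), "dport": int(dport)}

def find_managed_clients(lines, signatures=SIGNATURES, exempt=frozenset()):
    """Return {mac: signature name} for guest-role clients matching a signature; exempt MACs are skipped."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["role"] != "guest" or f["mac"] in exempt:  # employee role is where AV traffic belongs
            continue
        for s in signatures:
            if (f["dst"], f["proto"], f["dport"]) == (s.host, s.proto, s.port):
                hits.setdefault(f["mac"], s.name)
    return hits

def render_acl(signatures=SIGNATURES, name="Guest"):
    """Render the post's ArubaOS session ACL with one blacklist rule per signature."""
    rules = [f'ip access-list session "{name}"', 'any any "svc-dhcp" permit queue low']
    rules += [f'alias "user" any "{svc}" permit queue low' for svc in ("svc-dns", "svc-http", "svc-https")]
    rules += [f'alias "user" host {s.host} {s.proto} {s.port} {s.port} deny blacklist queue low' for s in signatures]
    return "\n".join(rules)
```

    The exempt set is the allowlist an operator would maintain for devices that are supposed to be on the guest role but still run the corporate agent.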


  • 2.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Aug 11, 2009 04:53 PM
    We just don't allow employees access to the guest network. Each guest gets a username and password that expires in a given time frame. We have our Security Guards assign usernames and passwords. Everything is tracked.


  • 3.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Aug 18, 2009 08:49 AM
    I have set up a client like this recently. We are limiting the guest role by username and password. If a staff member wants to get on the guest network then they are able to (if they go get a username/password), but we don't allow much out on the guest role, making it painful enough that most staff members will not want to be on this SSID.

    In addition to having the guest SSID we have two other SSIDs, one for staff/faculty and one for students. We authenticate both students and staff off IAS, which hands back roles. If a staff member is accessing the staff/faculty SSID they get a role back that allows them to connect. If a student accesses the staff/faculty SSID they get a role returned which puts the student in a captive portal role that tells them they are on the wrong SSID and need to disconnect and re-associate with the student SSID. If a staff member connects to the student SSID then they will get a role/captive portal that tells the staff member they are on the student SSID and to connect to the staff/faculty SSID.


  • 4.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Oct 13, 2009 09:08 AM
    Hi all,
    We currently have one SSID for both students and faculty, but they are put in roles upon authentication according to their login credentials. We don't have a guest account or SSID, for control purposes. If anybody is on our network, we want to know about it. All vendors and guests will have to call for a guest account. Yes, it can be a bit of a pain, but it gives us more control. As for keeping the faculty/students off the "guest" SSID, I would make very obvious some of the benefits they would have if they get on the right network. :D We have web filtering at the perimeter, so we have trained our users to know that some "research websites" ;) are not going to be available.


  • 5.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Mar 25, 2010 01:52 PM
    Hi, if you are using Windows Vista or Windows 7, you can add a WLAN filter in GPO or manually using netsh.

    jason


  • 6.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Mar 25, 2010 07:21 PM
    This seems like an issue that should be policy enforced more than technology enforced. You inform people that they should not be logging into this network and then periodically check the logs for their usernames and passwords. If they are found on the guest network then they are written up.

    The guest network should require some sort of authentication: username and pass handed out, email confirmation, etc.

    One thing we do is restrict all campus services to the network we want people to use. When they ask how do they print wirelessly, I direct them to the correct login. When they ask if they can access their fileshare, I direct them to the correct wireless.

    An employee that wants to get around the web filter badly enough will find a way. Blocking each potential site they could use to get around the tech is a cat & mouse game in my opinion. However, sometimes you have to play that way ^^

    Now I'll step off of my soapbox and ask this - what about a MAC-address blacklist? Put all employee machine MAC addresses into the local DB and specify the role they get. That way they connect to the guest network and get nothing ^^


  • 7.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Sep 17, 2011 03:15 AM

        This seems like an issue that should be policy enforced more than technology enforced. You inform people that they should not be logging into this network and then periodically check the logs for their usernames and passwords. If they are found on the guest network then they are written up.

    My company just started thinking like this. I'm not sure I agree with it. I have a coworker with Cisco wireless experience who is adamantly against it.

    Originally we were going to require a username/pwd for each user, and guests could self register for access using the Amigopod self-registration page. The registration page would only be available on kiosks in the lobby of each corporate building where guests register for physical access, and the security guards would keep employees from registering.

    Our CEO was given guest wireless for his iPod and thought entering a username/pwd was too cumbersome. Our CIO also wants employees to be able to get on with their mobile devices, so I have to redo everything now. Either we'll just have a T&C you have to accept or a T&C with a PSK that is given out to everyone.


  • 8.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    EMPLOYEE
    Posted Sep 17, 2011 08:04 AM
    Have you tried EAP-TLS for domain computers, then EAP-PEAP for handhelds and other 3rd-party devices?


  • 9.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Nov 02, 2011 10:36 AM
    Colin,

    I set up the same ACL as yours. It works like a charm!

    Here's the problem, or maybe a suggestion. Is there any way to put up a whitelist so that it will be "free" from the blacklist ACL?


  • 10.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Jan 06, 2012 10:06 AM

    I set up a GPO with the guest SSID on it and purposely set the wrong security, and the users are not allowed to change the settings for that SSID. This has worked great with very few complaints.



  • 11.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Jan 08, 2012 10:20 AM

    My company is using the GPO as well. Access to the Guest SSID is disabled on Win 7, and it's configured wrong on Win XP and users can't change it.



  • 12.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Apr 27, 2012 09:05 AM

    We denied users access to change settings for the network. We do not even show the network icon in the system tray.



  • 13.  RE: Keeping Employees off the Guest Wireless Network - How are you doing it?

    Posted Dec 16, 2015 11:18 AM

    I set up one customer so that the sponsor was the IT Support email address, so only support can activate guest accounts. Also, you could force sponsors to log in to ClearPass to activate accounts and then restrict who could log in using the AD memberOf attribute.