[OPLINTECH] Secure wifi with password in the SSID

Ken Butler via OPLINTECH oplintech at lists.oplin.org
Thu Jul 20 17:20:27 EDT 2017


I did a little more research on this, as it really piqued my interest. I
think what you are looking for is a "private pre-shared key", which offers
the same type of encryption you would get from a regular pre-shared key,
but each device gets its own unique key.

The only company I've seen that has an option like this that would work in
a public, unattended wifi setting is Aerohive. The videos on their website
located here <http://www.aerohive.com/solutions/technology/ppsk.html> were
very helpful in explaining how it all works. From what I understand, a
patron would need to self-register their device on the wireless network,
creating their own unique pre-shared key. The wireless network would then
associate that device with that unique pre-shared key, and it would
effectively have its own private encryption.

If I'm understanding it correctly, the usage scenario would go like this:

   1. Patron connects to wifi with their mobile device and is prompted to
   create their own wireless access key during self registration - a password
   basically.
   2. Wireless network then associates that key with that device, and
   grants encrypted access after that device authenticates with the private
   key, now and for as long as key is valid (I believe you can control the
   length of time that a key is valid for, or make it indefinite).

I haven't used this technology myself, but I've heard good things about
Aerohive. It's certainly an interesting problem!

On Thu, Jul 20, 2017 at 4:35 PM, Phil Shirley via OPLINTECH <
oplintech at lists.oplin.org> wrote:

> Thanks for your answer. Our users' traffic is isolated from each other
> (and from the rest of our network) once it's on the wire; the thing I'm
> concerned about is the wireless (radio) leg of the journey.
>
> Phil
>
> On 7/20/2017 4:25 PM, Joe Knueven via OPLINTECH wrote:
>
>> We are currently using open-mesh APs with client isolation enabled.  To
>> be honest, I’m not sure that setting a password protected SSID would
>> protect users from each other unless you do some manner of work beyond that
>> point to isolate their traffic from one another.  After all, if my patrons
>> know how to connect, can’t the person with a packet sniffer connect as well?
>>
>> That said, I tend to view networking as akin to “the dark arts”.  Do any
>> genuine “defense against the dark arts instructors” have thoughts about
>> this?
>>
>> Have a good day.
>>
>> Joe
>>
>> Joseph Knueven, Director
>>
>> Germantown Public Library
>>
>> 51 North Plum Street
>>
>> Germantown, OH 45327
>>
>> 937-855-4001
>>
>> *From:*OPLINTECH [mailto:oplintech-bounces at lists.oplin.org] *On Behalf
>> Of *Ken Butler via OPLINTECH
>> *Sent:* Thursday, July 20, 2017 4:02 PM
>> *To:* Phil Shirley <pshirley at cuyahogafallslibrary.org>
>> *Cc:* OPLINTECH <OPLINTECH at lists.oplin.org>
>> *Subject:* Re: [OPLINTECH] Secure wifi with password in the SSID
>>
>> We use NAT Mode on our Meraki wireless APs. They're essentially their own
>> networks with their own private DHCP scope. They also provide wireless
>> client isolation - wireless clients can't talk to one another. No password
>> is needed to connect, but connected devices must pass through our captive
>> portal and agree to our wireless terms of use before they are granted
>> access to the internet.
>>
>> On Thu, Jul 20, 2017 at 3:41 PM, Phil Shirley via OPLINTECH <
>> oplintech at lists.oplin.org> wrote:
>>
>>     Our wireless internet access for the public is not secure (it
>>     doesn't require a password, so it's not encrypted). I would like to
>>     add a more secure option and give people the password by putting it
>>     in the SSID name (something like "CFL secure - password is
>>     fallslibrary"), so that the traffic on their radio transmissions
>>     will be encrypted.
>>
>>     I would be interested to know if any other libraries are doing that,
>>     and, if so, if you also offer an option without a password. I'm
>>     inclined to offer both at first and then try taking away the
>>     non-encrypted option, but I worry that a few devices won't work with
>>     the encrypted option. Any thoughts on this?
>>
>>     Phil
>>     --
>>     Phil Shirley
>>     Technology Services Coordinator
>>     Cuyahoga Falls Library
>>     Cuyahoga Falls, Ohio
>>     330-928-2117, ext. 109
>>     pshirley at CuyahogaFallsLibrary.org
>>     _______________________________________________
>>     OPLINTECH mailing list
>>     OPLINTECH at lists.oplin.org
>>     http://lists.oplin.org/mailman/listinfo/oplintech
>>
>>
>>
>> --
>>
>> Ken Butler
>> hcotech at holmeslib.org
>> Head of Information Technology
>>
>> Holmes County District Public Library
>> 3102 Glen Drive
>> Millersburg, OH 44654
>> PH: 330-674-5972 ext 224
>>
>>
>>
>>
>>
> --
> Phil Shirley
> Technology Services Coordinator
> Cuyahoga Falls Library
> Cuyahoga Falls, Ohio
> 330-928-2117, ext. 109
> pshirley at CuyahogaFallsLibrary.org
>
>


-- 
Ken Butler
hcotech at holmeslib.org
Head of Information Technology
Holmes County District Public Library
3102 Glen Drive
Millersburg, OH 44654
PH: 330-674-5972 ext 224
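
Added example (not part of the original message, and not Aerohive's implementation): a sketch contrasting one passphrase published in the SSID with per-device private pre-shared keys that carry a validity period. The SSID, MAC addresses, patron passphrases and the PpskRegistry class are constructed for illustration; only the WPA2-Personal key derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) is standard.

```python
import hashlib
import hmac
import time

SSID = "CFL secure"  # constructed SSID for illustration

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

class PpskRegistry:
    """Hypothetical per-device key table: MAC -> (master key, expiry)."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self._keys = {}

    def register(self, mac, passphrase, valid_for=None, now=None):
        """Self-registration: bind a patron-chosen passphrase to one device."""
        if not 8 <= len(passphrase) <= 63:
            raise ValueError("WPA2 passphrases are 8 to 63 characters")
        now = time.time() if now is None else now
        expires = None if valid_for is None else now + valid_for  # None = indefinite
        self._keys[mac.lower()] = (wpa2_pmk(passphrase, self.ssid), expires)

    def accepts(self, mac, passphrase, now=None):
        """True only for this device's own, still-valid key.
        Simplification: a real AP checks the handshake MIC, not the passphrase."""
        now = time.time() if now is None else now
        entry = self._keys.get(mac.lower())
        if entry is None:
            return False
        pmk, expires = entry
        if expires is not None and now >= expires:
            del self._keys[mac.lower()]  # key lifetime is over
            return False
        return hmac.compare_digest(pmk, wpa2_pmk(passphrase, self.ssid))

def demo():
    # Shared passphrase: three patrons derive one and the same master key.
    shared = {wpa2_pmk("fallslibrary", SSID) for _patron in range(3)}
    reg = PpskRegistry(SSID)
    reg.register("AA:BB:CC:00:00:01", "patron-one-key", valid_for=3600, now=0)
    reg.register("AA:BB:CC:00:00:02", "patron-two-key", now=0)
    return {
        "shared_distinct_keys": len(shared),
        "own_key": reg.accepts("aa:bb:cc:00:00:01", "patron-one-key", now=10),
        "other_patrons_key": reg.accepts("aa:bb:cc:00:00:01", "patron-two-key", now=10),
        "after_expiry": reg.accepts("aa:bb:cc:00:00:01", "patron-one-key", now=3600),
    }
```

With the shared passphrase every patron ends up holding the same master key, so the key itself does not separate one patron from another; with per-device keys, a key registered for one device is not accepted for a different device and stops working once its lifetime ends.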