<div dir="ltr"><div>To the best of my knowledge...</div><div><br></div>If you use something like WPA2-PSK AES security, communications between the clients and access point will be encrypted, so at the very least the sniffer won't be able to see packets in plain text. The pre-shared key in this method is the weak point. I believe a sniffer that knows the PSK and is sniffing before the other client's handshake will be able to decrypt the other client's traffic.<div><div><br></div><div>WPA Enterprise replaces the PSK with user credentials against an authentication server.<br><div><br></div><div>Wireless Client Isolation usually means that packets between two MAC addresses on the same WAP will be dropped. Doesn't protect against sniffing at all, but it keeps clients on your network from scanning/attacking each other.</div></div><div><br></div><div>WPA2-PSK AES is probably the best you'll get with uncomplicated setup.<br></div></div><div><br></div><div>Forgive any fuzziness, it's the end of the day. :)</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><pre cols="72"><font face="arial, helvetica, sans-serif"><span style="font-size:12.8000011444092px">Karl Jendretzky
IT Manager - Ohio Public Library Information Network
(614) 728-5252
<a href="mailto:karl@oplin.ohio.gov" target="_blank">karl@oplin.ohio.gov</a></span></font><br></pre></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Jul 20, 2017 at 4:35 PM, Phil Shirley via OPLINTECH <span dir="ltr"><<a href="mailto:oplintech@lists.oplin.org" target="_blank">oplintech@lists.oplin.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for your answer. Our users' traffic is isolated from each other (and from the rest of our network) once it's on the wire; the thing I'm concerned about is the wireless (radio) leg of the journey.<br>
<br>
Phil<span class=""><br>
<br>
On 7/20/2017 4:25 PM, Joe Knueven via OPLINTECH wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
We are currently using open-mesh APs with client isolation enabled. To be honest, I’m not sure that setting a password protected SSID would protect users from each other unless you do some manner of work beyond that point to isolate their traffic from one another. After all, if my patrons know how to connect, can’t the person with a packet sniffer connect as well?<br>
<br>
That said, I tend to view networking as akin to “the dark arts”. Do any genuine “defense against the dark arts instructors” have thoughts about this?<br>
<br>
Have a good day.<br>
<br>
Joe<br>
<br>
Joseph Knueven, Director<br>
<br>
Germantown Public Library<br>
<br>
51 North Plum Street<br>
<br>
Germantown, OH 45327<br>
<br>
<a href="tel:937-855-4001" value="+19378554001" target="_blank">937-855-4001</a><br>
<br></span>
*From:*OPLINTECH [mailto:<a href="mailto:oplintech-bounces@lists.oplin.org" target="_blank">oplintech-bounces@list<wbr>s.oplin.org</a>] *On Behalf Of *Ken Butler via OPLINTECH<br>
*Sent:* Thursday, July 20, 2017 4:02 PM<br>
*To:* Phil Shirley <<a href="mailto:pshirley@cuyahogafallslibrary.org" target="_blank">pshirley@cuyahogafallslibrary<wbr>.org</a>><br>
*Cc:* OPLINTECH <<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.org</a>><br>
*Subject:* Re: [OPLINTECH] Secure wifi with password in the SSID<span class=""><br>
<br>
We use NAT Mode on our Meraki wireless APs. They're essentially their own networks with their own private DHCP scope. They also provide wireless client isolation - wireless clients can't talk to one another. No password is needed to connect, but connected devices must pass through our captive portal and agree to our wireless terms of use before they are granted access to the internet.<br>
<br></span><span class="">
On Thu, Jul 20, 2017 at 3:41 PM, Phil Shirley via OPLINTECH <<a href="mailto:oplintech@lists.oplin.org" target="_blank">oplintech@lists.oplin.org</a> <mailto:<a href="mailto:oplintech@lists.oplin.org" target="_blank">oplintech@lists.oplin.<wbr>org</a>>> wrote:<br>
<br>
Our wireless internet access for the public is not secure (it<br>
doesn't require a password, so it's not encrypted). I would like to<br>
add a more secure option and give people the password by putting it<br>
the SSID name (something like "CFL secure - password is<br>
fallslibrary"), so that the traffic on their radio transmissions<br>
will be encrypted.<br>
<br>
I would be interested to know if any other libraries are doing that,<br>
and, if so, if you also offer an option without a password. I'm<br>
inclined to offer both at first and then try taking away the<br>
non-encrypted option, but I worry that a few devices won't work with<br>
the encrypted option. Any thoughts on this?<br>
<br>
Phil<br>
-- Phil Shirley<br>
Technology Services Coordinator<br>
Cuyahoga Falls Library<br>
Cuyahoga Falls, Ohio<br></span>
<a href="tel:330-928-2117%2C%20ext.%20109" value="+13309282117" target="_blank">330-928-2117, ext. 109</a> <tel:330-928-2117%2C%20ext.%20<wbr>109><br>
pshirley@CuyahogaFallsLibrary.<wbr>org<br>
<mailto:<a href="mailto:pshirley@CuyahogaFallsLibrary.org" target="_blank">pshirley@CuyahogaFalls<wbr>Library.org</a>><br>
______________________________<wbr>_________________<br>
OPLINTECH mailing list<br>
<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.org</a> <mailto:<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.<wbr>org</a>><span class=""><br>
<a href="http://lists.oplin.org/mailman/listinfo/oplintech" rel="noreferrer" target="_blank">http://lists.oplin.org/mailman<wbr>/listinfo/oplintech</a><br>
<br>
<br>
<br>
-- <br>
<br>
Ken Butler<br>
</span><a href="mailto:hcotech@holmeslib.org" target="_blank">hcotech@holmeslib.org</a> <mailto:<a href="mailto:hcotech@holmeslib.org" target="_blank">hcotech@holmeslib.org</a>><span class=""><br>
Head of Information Technology<br>
<br>
Holmes County District Public Library<br>
3102 Glen Drive<br>
Millersburg, OH 44654<br>
PH: <a href="tel:330-674-5972%20ext%20224" value="+13306745972" target="_blank">330-674-5972 ext 224</a><br>
<br>
<br>
<br></span><span class="">
______________________________<wbr>_________________<br>
OPLINTECH mailing list<br>
<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.org</a><br>
<a href="http://lists.oplin.org/mailman/listinfo/oplintech" rel="noreferrer" target="_blank">http://lists.oplin.org/mailman<wbr>/listinfo/oplintech</a><br>
<br>
</span></blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Phil Shirley<br>
Technology Services Coordinator<br>
Cuyahoga Falls Library<br>
Cuyahoga Falls, Ohio<br>
<a href="tel:330-928-2117%2C%20ext.%20109" value="+13309282117" target="_blank">330-928-2117, ext. 109</a><br>
pshirley@CuyahogaFallsLibrary.<wbr>org<br>
______________________________<wbr>_________________<br>
OPLINTECH mailing list<br>
<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.org</a><br>
<a href="http://lists.oplin.org/mailman/listinfo/oplintech" rel="noreferrer" target="_blank">http://lists.oplin.org/mailman<wbr>/listinfo/oplintech</a><br>
<br>
</div></div></blockquote></div><br></div>