[OPLINTECH] Secure wifi with password in the SSID

Karl Jendretzky via OPLINTECH oplintech at lists.oplin.org
Thu Jul 20 17:04:40 EDT 2017


To the best of my knowledge...

If you use something like WPA2-PSK AES security, communications between the
clients and access point will be encrypted, so at the very least the
sniffer won't be able to see packets in plain text. The pre-shared key in
this method is the weak point. I believe a sniffer that knows the PSK and
is sniffing before the other client's handshake will be able to decrypt the
other client's traffic.

WPA Enterprise replaces the PSK with user credentials against an
authentication server.

Wireless Client Isolation usually means that packets between two MAC
addresses on the same WAP will be dropped. Doesn't protect against sniffing
at all, but it keeps clients on your network from scanning/attacking each
other.

WPA2-PSK AES is probably the best you'll get with uncomplicated setup.

Forgive any fuzziness, it's the end of the day. :)

Karl Jendretzky
IT Manager - Ohio Public Library Information Network
(614) 728-5252
karl at oplin.ohio.gov


On Thu, Jul 20, 2017 at 4:35 PM, Phil Shirley via OPLINTECH <
oplintech at lists.oplin.org> wrote:

> Thanks for your answer. Our users' traffic is isolated from each other
> (and from the rest of our network) once it's on the wire; the thing I'm
> concerned about is the wireless (radio) leg of the journey.
>
> Phil
>
> On 7/20/2017 4:25 PM, Joe Knueven via OPLINTECH wrote:
>
>> We are currently using open-mesh APs with client isolation enabled.  To
>> be honest, I’m not sure that setting a password protected SSID would
>> protect users from each other unless you do some manner of work beyond that
>> point to isolate their traffic from one another.  After all, if my patrons
>> know how to connect, can’t the person with a packet sniffer connect as well?
>>
>> That said, I tend to view networking as akin to “the dark arts”.  Do any
>> genuine “defense against the dark arts instructors” have thoughts about
>> this?
>>
>> Have a good day.
>>
>> Joe
>>
>> Joseph Knueven, Director
>>
>> Germantown Public Library
>>
>> 51 North Plum Street
>>
>> Germantown, OH 45327
>>
>> 937-855-4001
>>
>> *From:*OPLINTECH [mailto:oplintech-bounces at lists.oplin.org] *On Behalf
>> Of *Ken Butler via OPLINTECH
>> *Sent:* Thursday, July 20, 2017 4:02 PM
>> *To:* Phil Shirley <pshirley at cuyahogafallslibrary.org>
>> *Cc:* OPLINTECH <OPLINTECH at lists.oplin.org>
>> *Subject:* Re: [OPLINTECH] Secure wifi with password in the SSID
>>
>> We use NAT Mode on our Meraki wireless APs. They're essentially their own
>> networks with their own private DHCP scope. They also provide wireless
>> client isolation - wireless clients can't talk to one another. No password
>> is needed to connect, but connected devices must pass through our captive
>> portal and agree to our wireless terms of use before they are granted
>> access to the internet.
>>
>> On Thu, Jul 20, 2017 at 3:41 PM, Phil Shirley via OPLINTECH <
>> oplintech at lists.oplin.org> wrote:
>>
>>     Our wireless internet access for the public is not secure (it
>>     doesn't require a password, so it's not encrypted). I would like to
>>     add a more secure option and give people the password by putting it
>>     in the SSID name (something like "CFL secure - password is
>>     fallslibrary"), so that the traffic on their radio transmissions
>>     will be encrypted.
>>
>>     I would be interested to know if any other libraries are doing that,
>>     and, if so, if you also offer an option without a password. I'm
>>     inclined to offer both at first and then try taking away the
>>     non-encrypted option, but I worry that a few devices won't work with
>>     the encrypted option. Any thoughts on this?
>>
>>     Phil
>>     --
>>     Phil Shirley
>>     Technology Services Coordinator
>>     Cuyahoga Falls Library
>>     Cuyahoga Falls, Ohio
>>     330-928-2117, ext. 109
>>     pshirley at CuyahogaFallsLibrary.org
>>     _______________________________________________
>>     OPLINTECH mailing list
>>     OPLINTECH at lists.oplin.org
>>     http://lists.oplin.org/mailman/listinfo/oplintech
>>
>>
>>
>> --
>>
>> Ken Butler
>> hcotech at holmeslib.org
>> Head of Information Technology
>>
>> Holmes County District Public Library
>> 3102 Glen Drive
>> Millersburg, OH 44654
>> PH: 330-674-5972 ext 224
>>
>>
>>
>>
>>
> --
> Phil Shirley
> Technology Services Coordinator
> Cuyahoga Falls Library
> Cuyahoga Falls, Ohio
> 330-928-2117, ext. 109
> pshirley at CuyahogaFallsLibrary.org
>
>