Sounds like we are on at least adjacent pages here.
I might tell my management that the last three years of using WEP with hidden SSIDs was a tactical lie to get them to allow the convenience of WLANs in the office before they were ready, and that ethically I can't continue to work there without a management commitment to fix the situation.
I hope this helps. Thanks. /criss
It's always good to see people who value principle over capital.
The key is that by using enterprise-capable APs and wireless solutions that support VLANs, you can have the best of both worlds. For those devices that support WEP only, implement a VLAN and SSID for them. Set up a VLAN and SSID for devices that support WPA-PSK and another for WPA-Ent (TKIP or AES). Set up a VLAN/SSID for Guest access.
This sounds like a management nightmare but if you use a wireless network management solution (like Cisco WLSE or Airespace controller/WCS), it's easily implementable and manageable.
Once you've got your system in place, keep the VLANs separate from each other and only allow access to those parts of the network where the devices belong. For example, allow phones with WEP/LEAP capability to only get to the voice side of the network; allow guest access only to the Internet. Implement a guest authentication system so you know who is using your WLAN and have the ability to track them down if they do something stupid like send SPAM or viruses. Prevent devices on the barcode scanner/RFID reader network from accessing the internal network (i.e. keep their servers on a separate subnet). For devices that are 802.11i compliant, perform network authentication back to LDAP or Windows Active Directory so you don't have to maintain multiple user databases.
With today's WLAN capabilities, you don't have to go with the "lowest common denominator". You can allow all types of wireless devices on your network while maintaining an acceptable level of security.
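As an added illustration of the tiered SSID/VLAN design and the per-VLAN access rules described in the post above (example code, not from the thread or any vendor product), the script below places each device on the strongest SSID/VLAN it supports and audits inter-VLAN flows against a default-deny policy. The SSID names, VLAN numbers and zone names are assumptions.

```python
"""Added example: model a tiered SSID/VLAN layout and a default-deny
inter-VLAN policy. SSID names, VLAN ids and zone names are assumed."""

# Relative strength of the WLAN security a client can do (0 = open/guest).
STRENGTH = {"wpa-ent": 3, "wpa-psk": 2, "wep": 1, "none": 0}

# One SSID/VLAN per security tier, strongest first (assumed names/ids).
TIERS = [  # (capability required, ssid, vlan)
    ("wpa-ent", "corp-ent", 10),
    ("wpa-psk", "corp-psk", 20),
    ("wep", "legacy-wep", 30),
    ("none", "guest", 40),
]

# Barcode/RFID scanners get their own VLAN with their own servers.
SCANNER_VLAN = 50

# Allowed (source VLAN, destination zone) pairs; anything else is denied,
# so the WEP tier and guests can never reach the internal network.
ALLOW = {
    (10, "internal"), (10, "voice"), (10, "internet"),
    (20, "internal"), (20, "internet"),
    (30, "voice"),                  # WEP/LEAP phones: voice side only
    (40, "internet"),               # guests: Internet only
    (SCANNER_VLAN, "scanner-servers"),
}


def place_device(capabilities):
    """Return (ssid, vlan) for the most secure tier a device supports,
    so one weak device does not drag the whole WLAN down to WEP."""
    best = max(capabilities, key=lambda c: STRENGTH[c], default="none")
    for cap, ssid, vlan in TIERS:
        if STRENGTH[best] >= STRENGTH[cap]:
            return ssid, vlan
    return "guest", 40


def is_allowed(src_vlan, dst_zone):
    """Default-deny: a VLAN reaches only the zones its devices belong in."""
    return (src_vlan, dst_zone) in ALLOW


def audit(flows):
    """Return the (vlan, zone) flows the inter-VLAN firewall must block."""
    return [f for f in flows if not is_allowed(*f)]


if __name__ == "__main__":
    print(place_device({"wep", "wpa-psk"}))
    print(audit([(SCANNER_VLAN, "internal"), (40, "internal"), (10, "voice")]))
```

Feeding the audit the flows seen on a span port is a quick check that the VLAN separation actually holds.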
Thanks Joelb, as always your advice is the kind we FEs need out here in this jungle. It is much appreciated as well as others on this forum. Keep us straight and don't disable your SSID. tsunami :)
Novocaine Cowboy wrote:
I work for a wireless internet service provider. I have never seen a subscriber with anything but an 802.11b or 802.11g AP, so other security methods (included in 802.11i) are not available. During a standard installation we only disable SSID Broadcast. Any further security approaches are at the discretion of the subscriber, and we do not support the setup.
Just to expand on what I previously wrote, let me add that disabling SSID is somewhat self-serving for our WISP. Sometimes during an attempted installation a neighbour's broadcast SSID can overpower our wireless signal level, causing the potential subscriber's computer to automatically lock onto the wrong SSID. Instead of connecting to our tower AP they always connect to the neighbour's AP. Seems to me this may be a Windows XP thing...
If anybody could comment on this I would be very interested to hear what they have to say.
That behavior sounds like Windows XP, but it is a different scenario from the problems I've seen. Usually if the SSID is *not* broadcast, I'll have problems with Windows XP clients associating to a different SSID than the one I want. Sounds like you are having the reverse problem.
I think the problem with XP is that the list of Preferred Networks has more than one item with the "Automatic" property and/or the option "Automatically connect to non-preferred networks" is checked.
If I have preferred wireless networks not at the same site, then I turn on the "Automatic" property for each of these networks. Otherwise I set only one preferred network to have the property on. I also always uncheck the option "Automatically connect to non-preferred networks".