I just did the CWNA practice test #2 and came across a question about an art gallery wanting to offer free wireless access to its patrons waiting for their tour to start. The question was about which option would be best suited to them.
I selected the answer that said to configure a separate wireless VLAN on the wireless switch and use a captive portal which would only allow access to the internet.
However the correct answer was to deploy a dedicated AP running WPA-PSK and connect it to the corporate firewall's DMZ.
I understand that this physical separation would be a better security solution, but surely the intention of the centralised switch infrastructure with a captive portal is precisely for this sort of requirement? Also, why would you want to deploy WPA-PSK on a publicly offered network? This would cause unnecessary administration for the gallery to distribute the key and assist in configuration when clients have problems?
This question is designed to see if the test taker can take a set of requirements and choose a solution that meets that set of requirements. Everyone wants to choose the answer that is common in the industry - disregarding the requirements listed in the question.
As a consultant, if a customer gives you a set of requirements and you come up with a solution that is commonly implemented but that doesn't meet the requirements, you're not likely to have a happy customer.
Thanks for your response Devin. However, in the given scenario as a consultant, I would relay my concerns about the unnecessary administrative overhead which would be added to the deployment in issuing a PSK to each patron and providing instructions to enable them to configure their laptops. We all know how end users can be!
I do appreciate the answer though and you guys are the experts so I'll use this as a learning point for the real test!
I completely agree with sdandeker. Is this test intended to test what is practical in the real world or what the test setter has in his mind?
Why would you want to assign pre-shared keys to all patrons? The solution should be as painless for the patrons as possible and also less admin overhead for the gallery people.
If you do a cost vs ROI for what the answer is, I guess it doesn't make sense.
There is hardware for just such a setting. D-Link makes an AP/VLAN/ticket printer for hotspot use. Given the criteria in the question, the above answer, pre-shared keys, is the best of the given choices. As for the content of the real exam, book knowledge alone will not get you by. Questions such as the one above address a very important real world issue. I call it the "Layer 8" issue, which has two sub layers, Human and Politics. Customers come up with crazy situations and demands. When we are able, we can educate them. When we are not, we must implement the structure as they request.
When I first read this question I emailed Devin about it because I don't think that answer is correct either. I don't have the question in front of me, but if I remember correctly it is kind of tricky. In a public environment there is really no layer 2 security. If you give out a WPA-PSK to everyone, then that compromises the encryption key.
In the end, it is a tough question because you just can't get too complicated with user configuration in a public access environment. Now, I have some ideas on how to do this, but I don't think there is any publicly available product that does this.
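The point made in the post above, that handing the same WPA-PSK to every patron compromises the encryption key, can be made concrete. The Python below is an added example and is not part of the original thread or of any CWNP material; the SSID, passphrase, MAC addresses and nonces are constructed values. It derives the PMK from the passphrase exactly as WPA-PSK does (checked against the IEEE 802.11i Annex H vector for passphrase "password" on SSID "IEEE"), then shows that anyone who knows the shared passphrase and has sniffed another patron's 4-way handshake (both MAC addresses and both nonces travel in the clear) can recompute that patron's pairwise transient key.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA-PSK maps passphrase + SSID to the 256-bit PMK with PBKDF2-HMAC-SHA1, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter), counter from 0.
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # PTK (384 bits for CCMP) from the PMK, both MAC addresses and both handshake nonces.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample (hypothetical values): one shared passphrase, two patrons.
SSID = "GalleryGuest"
PASSPHRASE = "artlovers2024"
AP_MAC = bytes.fromhex("00112233aabb")
PATRONS = {
    "alice": {"mac": bytes.fromhex("00aabbcc0001"),
              "anonce": hashlib.sha256(b"ap nonce for alice").digest(),
              "snonce": hashlib.sha256(b"alice nonce").digest()},
    "bob":   {"mac": bytes.fromhex("00aabbcc0002"),
              "anonce": hashlib.sha256(b"ap nonce for bob").digest(),
              "snonce": hashlib.sha256(b"bob nonce").digest()},
}


def patron_tk(name: str) -> bytes:
    # The temporal key the patron's own supplicant uses to encrypt its unicast traffic.
    p = PATRONS[name]
    pmk = derive_pmk(PASSPHRASE, SSID)
    return derive_ptk(pmk, AP_MAC, p["mac"], p["anonce"], p["snonce"])["tk"]


def eavesdropper_tk(passphrase: str, ssid: str, victim: str) -> bytes:
    # Another patron knows the same passphrase and captured the victim's handshake
    # (MACs and nonces are unencrypted), so they recompute the victim's TK.
    v = PATRONS[victim]
    captured = {"aa": AP_MAC, "spa": v["mac"], "anonce": v["anonce"], "snonce": v["snonce"]}
    return derive_ptk(derive_pmk(passphrase, ssid), **captured)["tk"]


if __name__ == "__main__":
    print("IEEE 802.11i PMK vector:", derive_pmk("password", "IEEE").hex())
    for who in PATRONS:
        print(who, "own TK:", patron_tk(who).hex())
        print(who, "recovered by a neighbour:", eavesdropper_tk(PASSPHRASE, SSID, who).hex())
```

Each patron does get a different PTK, because the nonces differ per association, but that per-client key schedule only protects a patron when the PMK is secret to that pair; with a shared PSK the PMK is common to everyone who received the passphrase.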
I guess this is a tricky question; for some reason I am still not convinced by the WPA setup. I feel that when patrons are waiting for a tour to start, I would not imagine they would spare a couple of minutes to get a userid and password and a couple of minutes to set up their laptop, PDA or tablet PC to get on to the internet. They might be willing to do this to get on the net if this was a universal method at all hotspots (as they will be used to the exercise).
Also to add to this, the majority of the people who attend art museums are not computer savvy, and older people have less expertise at setting up wireless.
The point I am trying to make is that, given this problem in the real world, both of the solutions discussed could be valid based on
1) Existing wireless infrastructure
2) length of waiting period and
3) how much of an area should be covered by wireless.
I call it the "Layer 8" issue, which has two sub layers Human and Politics.
I love that. I think I'm going to steal it! (Or maybe just borrow it from time to time!)
I cannot agree that your captive portal on a VLAN internal to the organization is fitting. And, I don't feel captive portals were designed as a gateway to the Internet. Captive portals are designed to capture everyone's attention until (hopefully) some point or concept has been transferred to the captured audience.
To keep visitors outside the organization in the DMZ or beyond is exactly what should be desired.
I also cannot agree with the concept that the naive public is incapable of understanding a connection's configuration. Nor that it's overkill to desire WPA-PSK permission/encryption on a public channel. It seems to me that you are getting sidetracked with "how" this could be accomplished. Perhaps all people coming in receive a ticket, and on the back could be the day's/week's, or even the hour's, passphrase. Or, perhaps there could be an LED display in the lobby. I prefer the ticket concept, where the small print could illustrate configuration for the uninformed.
The public needs to be informed. Rather than put the responsibility on the local IT for containing the actions of the public (legal ramifications are going to just keep growing for ICT disobedience) - shunt allowed users as quickly out into the cloud as possible. You can still use a captive portal. But prevent free give-away use and abuse of your connection.
Would alternatives work - sure - but - the questions focus on "which is the best SOLUTION."
...just my take... :-)
The command decision has been made to delete this question from the practice test pool.