Wireless Network Manager

Wyndru

Diamond Member
Apr 9, 2009
7,318
4
76
I have a strange request from my boss about our wireless network, that I'm not sure is possible.

We need to allow 3 separate SSID's on our wireless network that allow different internet access. This we already have. The part that has me stumped is that he wants to have laptops available that can access each of the SSID's, without having to enter the ACTUAL network's SSID password on the laptop, but rather a "fake" password that only software on the laptop recognizes.

In other words, we need to allow people to enter a password that only the laptop would recognize, then allow it to access the SSID (using the actual wireless network password). I was hoping there is a wireless network password software out there that would do this.

The reason we are doing this is because we don't want people to access the network from anywhere but the laptops, but still be able to access 3 different SSID's from these laptops, depending on what "fake" password we provide to them.

I'm not sure I'm explaining this clearly, but if anyone understands what I'm trying to do, and has any suggestions, it would be greatly appreciated.

Thanks!

[EDIT] I should also mention that hiding the SSID's isn't an option (we need them to be seen, just password protected).

We also already tried setting up separate local accounts on the PC's in the hopes that we could assign a separate SSID to each local account, and have it auto connect depending on which account you log into, but it didn't allow that (Win XP pro). It always auto connected to the last SSID that you logged into, regardless of the local account.
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
i don't believe what you described exists. you should be able to push SSID configurations using GPO (very limited in 2003), or (preferably) deploy something like Intel PROSet wireless software along with configuration profiles.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,538
418
126
I do not understand what you are trying to prevent?
 

Wyndru

I do not understand what you are trying to prevent?

It's a teacher/student scenario, where we want neither to know the actual passwords to the SSID's (so they can't use their phones, or their own laptops, etc. to get access), yet they will both be sharing the same hardware (laptops that we provide).

We want 2 SSID's accessible on the same laptop, both need to be password protected, yet not auto configured, since they have different internet access.

i don't believe what you described exists. you should be able to push SSID configurations using GPO (very limited in 2003), or (preferably) deploy something like Intel PROSet wireless software along with configuration profiles.

The proset software might work, I'll have to look into what they allow you to do with those profiles, and if there is a way to pw protect them. Thanks.
 

jlazzaro

you could also look into deploying more advanced authentication mechanisms than simple preshared keys. something like EAP-PEAP or TLS where a client-side certificate is required, and in your case only installed on computers you want to be able to connect.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
you could also look into deploying more advanced authentication mechanisms than simple preshared keys. something like EAP-PEAP or TLS where a client-side certificate is required, and in your case only installed on computers you want to be able to connect.

That's what I was thinking. Seems like OP is making it much more complicated than it needs to be. Could even do EAP-FAST, or use username/password for authentication.

OP - you're looking at features of WPA2-Enterprise. It can do just about anything you'd want as far as authentication.
 

JackMDS

It's a teacher/student scenario, where we want neither to know the actual passwords to the SSID's (so they can't use their phones, or their own laptops, etc. to get access), yet they will both be sharing the same hardware (laptops that we provide).

This is an issue that comes up every few months.
There is no way to configure such a system with the regular end-user OS and its wireless capacity.

The solution is as indicated by Spidey and jlazzaro.


:cool:
 

Wyndru

you could also look into deploying more advanced authentication mechanisms than simple preshared keys. something like EAP-PEAP or TLS where a client-side certificate is required, and in your case only installed on computers you want to be able to connect.

We would have just limited it to allowed mac addresses if this was an option, but unfortunately it isn't, unless I'm not understanding you.

We have district admins who still need to be able to bring their devices in (they will be the only people with passwords to the SSID's) and just be able to connect. If they need a certificate on their devices too, it won't work, since they are always bringing in new equipment, and rarely have IT touch their property.
 

Wyndru

That's what I was thinking. Seems like OP is making it much more complicated than it needs to be. Could even do EAP-FAST, or use username/password for authentication.

OP - you're looking at features of WPA2-Enterprise. It can do just about anything you'd want as far as authentication.

I'll check some of these options out, hopefully our network consultants can make some of these options work on our access points. I don't remember specifically what they are, just that they are Cisco and mounted in the ceiling tiles all over the school. I'm not even sure what they are using to dole out the IP's, I just know it's not our core, it's a separate system.
 

spidey07

I'll check some of these options out, hopefully our network consultants can make some of these options work on our access points. I don't remember specifically what they are, just that they are Cisco and mounted in the ceiling tiles all over the school. I'm not even sure what they are using to dole out the IP's, I just know it's not our core, it's a separate system.

If they're cisco they'll do anything you'd want. If you don't want to do certs, which is what I'd recommend because that's your requirement that only certain laptops can connect, then username/password with EAP-PEAP would be fine as well.

You can have all kinds of different authentication on different SSIDs. So for the trusted foreign devices you could use pre-shared key, then the other use EAP-PEAP.

I'll warn you though, to do all of this right takes a good amount of experience with wireless and all the different authentication/encryption options. I can't give it to you over a forum. You'll need a radius server as well which truly is a requirement for wireless deployment of anything bigger than a few APs.
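
The split described above (pre-shared key on one SSID, certificate-based EAP on another), shown as client-side configuration. This is an added example, not part of any post in the thread; it assumes a Linux client using wpa_supplicant rather than the thread's Windows XP laptops, and every SSID, identity, file path and passphrase in it is a constructed placeholder.

```conf
# Added illustration (not from the thread): wpa_supplicant.conf on a managed laptop.
# SSID names, identity, file paths and passphrases are constructed placeholders.

# Guest SSID for trusted visiting devices: WPA2 with a pre-shared key.
# Anyone who learns the passphrase can join from any device.
network={
    ssid="EXAMPLE-GUEST"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    psk="placeholder-passphrase"
}

# Staff SSID for school-owned laptops: WPA2-Enterprise with EAP-TLS.
# The RADIUS server only accepts clients presenting a certificate it trusts.
network={
    ssid="EXAMPLE-STAFF"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="laptop-01@example.invalid"
    # CA that signed the RADIUS server certificate; validating it keeps
    # the laptop from authenticating to a look-alike access point.
    ca_cert="/etc/wpa_supplicant/example-ca.pem"
    domain_suffix_match="radius.example.invalid"
    # Per-laptop certificate and private key, installed by IT only.
    client_cert="/etc/wpa_supplicant/laptop-01.pem"
    private_key="/etc/wpa_supplicant/laptop-01.key"
    private_key_passwd="placeholder-key-password"
}
```

The staff network has no shared passphrase to pass around; access depends on the certificate and private key installed on the laptop.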
 

Wyndru

If they're cisco they'll do anything you'd want. If you don't want to do certs, which is what I'd recommend because that's your requirement that only certain laptops can connect, then username/password with EAP-PEAP would be fine as well.

You can have all kinds of different authentication on different SSIDs. So for the trusted foreign devices you could use pre-shared key, then the other use EAP-PEAP.

I'll warn you though, to do all of this right takes a good amount of experience with wireless and all the different authentication/encryption options. I can't give it to you over a forum. You'll need a radius server as well which truly is a requirement for wireless deployment of anything bigger than a few APs.

Anything on the encryption side is going to be handled by our network consultants, which we pay like $250/hour, so I'm sure they will make sure they get it right.

I think my boss was just looking for an end-all sw solution on the laptops based on our already configured wpa2 pre-shared keys so that we didn't need to pay thousands of dollars to have the wireless configured differently.

I do like the idea of certificates on the laptops, and a separate SSID with preshared for guest devices.

Thanks for your suggestions.
 

spidey07

Anything on the encryption side is going to be handled by our network consultants, which we pay like $250/hour, so I'm sure they will make sure they get it right.

I think my boss was just looking for an end-all sw solution on the laptops based on our already configured wpa2 pre-shared keys so that we didn't need to pay thousands of dollars to have the wireless configured differently.

I do like the idea of certificates on the laptops, and a separate SSID with preshared for guest devices.

Thanks for your suggestions.

If they're any good, they can provide a solution. IF they are any good.

Outline what your requirements, along with concerns are, like you've been funneled into in this thread and let them provide a solution. That's what you pay us for.

The worst thing is what you described in your OP - "I want this solution". A good consultant will dig deeper and try to figure out "what do you really want to do here? Take the technology out of it, we can make the technology meet your goals/requirements, but have to understand what they are".
 

Wyndru

The worst thing is what you described in your OP - "I want this solution". A good consultant will dig deeper and try to figure out "what do you really want to do here? Take the technology out of it, we can make the technology meet your goals/requirements, but have to understand what they are".

Yeah, I just figured that since we don't have access to change the wireless security without the consultants coming in, (which is what the boss is trying to avoid) the only other option was some sw solution on the new laptops. Come to think of it, this probably belonged in the software for windows forum, since it is really more of a client side sw solution I was wondering about.

In the past, when the consultants come in, we usually just say what we want for the end result, and we sit there and hash it out until it's correct. Budget cuts have unfortunately limited the amount of time we can have them out here, so we will need to make sure we have it well documented what we want so we can minimize the amount of time they need to come up with a solution.
 

spidey07

Many times you have to realize you spend more money and time trying to pound a square peg into a round hole than it would be to pay somebody to turn that square peg into a round peg.

Just sayin'
 

Wyndru

It looks like the Intel ProSet wireless sw does allow you to password protect a profile, and these laptops use a compatible intel chipset, so that will be a free option for us.

We will just allow the lowest access (student SSID) to be autoconnect with the psk saved, and if the teachers use the laptop they will need to enter the password for the proset profile in order to connect.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
We would have just limited it to allowed mac addresses if this was an option, but unfortunately it isn't, unless I'm not understanding you.

We have district admins who still need to be able to bring their devices in (they will be the only people with passwords to the SSID's) and just be able to connect. If they need a certificate on their devices too, it won't work, since they are always bringing in new equipment, and rarely have IT touch their property.

No, certs are not the same as MAC addresses. Certs are a small file used for authentication (to put it very simply) and MAC address filtering is pretty much worthless since MAC are sent in the clear and can be spoofed.
 

RadiclDreamer

It looks like the Intel ProSet wireless sw does allow you to password protect a profile, and these laptops use a compatible intel chipset, so that will be a free option for us.

We will just allow the lowest access (student SSID) to be autoconnect with the psk saved, and if the teachers use the laptop they will need to enter the password for the proset profile in order to connect.

I had thought of this but figured it to be kinda kludgy :)
 

Wyndru

I had thought of this but figured it to be kinda kludgy :)

Yeah, it's going to have to work though. I spoke with my boss about bringing in the consultants to provide solutions, and got a very negative response to this. Money is too tight this year, and we just paid them over 500k to redo our whole wired network.