What's the actual spec? # of clients per router/wifi


mammador

Platinum Member
Dec 9, 2010
2,128
1
76
I know we're getting way off topic here, but if you think you'll be able to keep smart phones, tablets, non-IS equipment off your wireless, the business is going to override it. Bring your own device (BYOD) is coming, whether you want it or not.

Better to embrace it or get ready for it now instead of having to slam something in without planning.

Hiding the SSID? That will be found out and employees will all share it so they can get their phones on the wireless.

Using enterprise WPA2 with RADIUS authentication? Employees will just use their credentials on their smart phone/tablet.

Using a pre-shared key? That WILL get found out and distributed no matter how much you try to keep it secret.

This also gets back to wireless capacity and performance planning, you're going to have to get used to the fact that you're going to have all these piss poor radios on wireless and design for the worst case device (a phone or tablet).

But the issue here is finding enough APs to accommodate all the wifi hosts. If it's all for business operations, fine, but for personal use it's not needed. Most firms generally complement wired with wireless, or even use wired as primary with wireless as a back-up. The OP hasn't said if it's policy/the norm in his firm to use wifi nodes primarily.

A company's ICT resources should really be used chiefly for business operations, not for employees who want to surf the Web to check out sport results/Facebook or to e-mail his gf. If he wants to do that, use the wired work connection.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
The only surefire way is MAC white lists.

And that can still be gamed, but it's usually beyond the skills of most users.

No, the only sure-fire way is certificate based connectivity. MAC address white listing adds nothing but an administrative nightmare.

Push out a workstation certificate and let RADIUS with WPA2-Enterprise handle it. End user devices won't have the certs and won't be able to connect even with user domain credentials.

All it takes is one semi savvy user to figure out how to change his/her MAC address and it spreads like wildfire (just like the passwords.) The savvy user often will "just do it" for people. Nearly every IT guy has had to deal with "that guy" that seems hellbent on getting around all IT policy.
 

TerryMathews

Lifer
Oct 9, 1999
11,473
2
0
No, the only sure-fire way is certificate based connectivity. MAC address white listing adds nothing but an administrative nightmare.

Push out a workstation certificate and let RADIUS with WPA2-Enterprise handle it. End user devices won't have the certs and won't be able to connect even with user domain credentials.

All it takes is one semi savvy user to figure out how to change his/her MAC address and it spreads like wildfire (just like the passwords.) The savvy user often will "just do it" for people. Nearly every IT guy has had to deal with "that guy" that seems hellbent on getting around all IT policy.

True, but to prevent collision they will have to turn off their official device.
 

Paperlantern

Platinum Member
Apr 26, 2003
2,239
6
81
No, the only sure-fire way is certificate based connectivity. MAC address white listing adds nothing but an administrative nightmare.

Push out a workstation certificate and let RADIUS with WPA2-Enterprise handle it. End user devices won't have the certs and won't be able to connect even with user domain credentials.

All it takes is one semi savvy user to figure out how to change his/her MAC address and it spreads like wildfire (just like the passwords.) The savvy user often will "just do it" for people. Nearly every IT guy has had to deal with "that guy" that seems hellbent on getting around all IT policy.

If IT is dealing with the guy hellbent on getting around policies then there is confusion in whose job is what. If I deal with a user that keeps breaking the rules I report him to HR, he gets a warning to comply. If he continues, he's fired for violating the usage policy he signed when he was hired, it's not my job to slap hands. It's HR's. Or upper management if the company is small enough to not have an actual HR department of sorts.

I'm not saying it doesn't happen, I'm sure there are plenty of situations that arise every day in workplaces where IT fights with a user, I'm just saying the IT dept has better things to do and discipline is best left to upper mgmt or HR.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
From experience. Once it's out there, folks will be joining your wireless with BYOD and the business will overrule IS and HR. Both departments will be viewed as an obstacle and will be told to get in line. Along with security. The business will tell you to make it happen, you cannot resist it.

It's coming. Best be ready.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
If IT is dealing with the guy hellbent on getting around policies then there is confusion in whose job is what. If I deal with a user that keeps breaking the rules I report him to HR, he gets a warning to comply. If he continues, he's fired for violating the usage policy he signed when he was hired, it's not my job to slap hands. It's HR's. Or upper management if the company is small enough to not have an actual HR department of sorts.

I'm not saying it doesn't happen, I'm sure there are plenty of situations that arise every day in workplaces where IT fights with a user, I'm just saying the IT dept has better things to do and discipline is best left to upper mgmt or HR.

Realize you have to convince someone it is important enough to deal with. So yes what you say is the "correct" way to deal with it. If HR / Management deals with it is another. Try working for a company full of project managers for example. They make the company millions, quite a few things get a "look the other way" policy. Or as Spidey said just gets the "just do it" policy.
 

Ghiedo27

Senior member
Mar 9, 2011
403
0
0
How common is it to set up a separate BYOD subnet?

It seems like you could do it at just about any budget level from SOHO routers used as APs on its own limited access VLAN to authentication servers with enterprise APs with different permissions levels (you can mix authentications, right?).

That way you'd have a security and QoS win and you don't have users trying to open holes in the network.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
How common is it to set up a separate BYOD subnet?

It seems like you could do it at just about any budget level from SOHO routers used as APs on its own limited access VLAN to authentication servers with enterprise APs with different permissions levels (you can mix authentications, right?).

That way you'd have a security and QoS win and you don't have users trying to open holes in the network.

We had a second "guest" VLAN that the front desk could issue access to. This was available anywhere in the building (same APs doing multiple SSIDs and VLANs.) Internally we gave these people extended guest passes, i.e. rather than the normal 8 hour pass it was generated for 30 days.

The next step was likely to be a BYOD type with AD creds but no internal access but I never got that far.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
How common is it to set up a separate BYOD subnet?

It seems like you could do it at just about any budget level from SOHO routers used as APs on its own limited access VLAN to authentication servers with enterprise APs with different permissions levels (you can mix authentications, right?).

That way you'd have a security and QoS win and you don't have users trying to open holes in the network.

Very common. What you're describing is a "guest+" implementation where they have internet access and possibly restricted access to some internal hosts for applications. It's typically the first step until you start putting them on your internal secure net.
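An added example, not part of any post in this thread: a Python model of the RADIUS policy the posters describe, where only a machine certificate reaches the internal VLAN, domain credentials on an uncertified device land in a BYOD VLAN, and guest passes expire after 8 hours or 30 days. The class, function and VLAN numbers are hypothetical; the `Tunnel-*` reply attributes are the standard RFC 3580 ones for dynamic VLAN assignment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed VLAN numbers; the thread does not give any.
VLANS = {"corp": 10, "byod": 20, "guest": 30}

@dataclass
class AuthAttempt:
    method: str                      # "eap-tls", "peap" or "guest-pass"
    cert_trusted: bool = False       # client cert chains to the internal CA
    ad_creds_valid: bool = False     # domain username/password checked out
    pass_issued: Optional[datetime] = None
    pass_hours: int = 8              # 8-hour pass; 30 * 24 for the extended one
    mac: str = ""                    # kept for logging only, never trusted

def decide(a: AuthAttempt, now: datetime):
    """Return (accepted, vlan_name, reply_attributes) for one attempt."""
    if a.method == "eap-tls" and a.cert_trusted:
        vlan = "corp"                # only managed machines hold the cert
    elif a.method == "peap" and a.ad_creds_valid:
        vlan = "byod"                # valid user, unmanaged device
    elif (a.method == "guest-pass" and a.pass_issued is not None
          and a.pass_issued <= now < a.pass_issued + timedelta(hours=a.pass_hours)):
        vlan = "guest"
    else:
        return False, None, {}
    # RFC 3580 attributes the AP uses to drop the client into a VLAN
    reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-ID": str(VLANS[vlan])}
    return True, vlan, reply

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)            # constructed clock value
    issued = now - timedelta(hours=9)            # pass handed out 9 hours ago
    attempts = {                                 # constructed sample attempts
        "managed laptop": AuthAttempt("eap-tls", cert_trusted=True),
        "phone with AD creds": AuthAttempt("peap", ad_creds_valid=True),
        "phone, cloned MAC, no cert": AuthAttempt("eap-tls", mac="00:11:22:33:44:55"),
        "8-hour pass": AuthAttempt("guest-pass", pass_issued=issued),
        "30-day pass": AuthAttempt("guest-pass", pass_issued=issued, pass_hours=30 * 24),
    }
    for label, attempt in attempts.items():
        print(label, "->", decide(attempt, now)[:2])
```

The MAC address never enters the decision, so copying an approved device's MAC changes nothing; the VLAN is chosen only by what the client can prove.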
 

Paperlantern

Platinum Member
Apr 26, 2003
2,239
6
81
Realize you have to convince someone it is important enough to deal with. So yes what you say is the "correct" way to deal with it. If HR / Management deals with it is another. Try working for a company full of project managers for example. They make the company millions, quite a few things get a "look the other way" policy. Or as Spidey said just gets the "just do it" policy.

Shouldn't be too hard when people are constantly losing connectivity and wireless isn't able to be utilized when it's needed. However I feel you, there are a few exceptions in our company of course. The partners of course, a few of the other higher-ups yeah, that always happens. I'm referring to the other 95 percent here, that is what is going to help maintain the integrity of the network and ensure it is available when it is needed.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Shouldn't be too hard when people are constantly losing connectivity and wireless isn't able to be utilized when it's needed. However I feel you, there are a few exceptions in our company of course. The partners of course, a few of the other higher-ups yeah, that always happens. I'm referring to the other 95 percent here, that is what is going to help maintain the integrity of the network and ensure it is available when it is needed.

Access points are cheap. And if you're having connectivity problems, it is a design problem that can be easily remedied.

Wireless is actually pretty easy...IF you do it right. But make no mistake, BYOD is coming whether you want it or not. In fact it's pretty much already here.
 