Best Way To Secure Wireless?

  • 1
  • Question
  • Updated 4 years ago
  • Answered

We are having trouble with students hacking into our wireless. We currently have 3 SSIDs. ABC-Student, ABC-Staff and ABC-Guest.

ABC-Student is a bit misleading, but it is for all of our district owned devices. We've had a few students get the hash for the password or the password itself. We can see most of these devices on our network, they usually show up as iPhone or Android devices so we've created a blacklist that blocks the MAC address from connecting (need to manually add them.) Some of the devices still get through this block (not sure how?) The ABC-Guest is open with no password and ABC-Staff is for staff devices such as their phones. We are looking to change but aren't sure of the best way to go about it. We are thinking...4 SSIDs.

1. ABC (District owned devices)
2. ABC-Staff (Staff owned devices)
3. ABC-Student (Student owned devices, with prior approval)
4. ABC-Guest (Anything else)

We were thinking of doing a Pre-Shared Key for the ABC-Staff, but feel it might be a lot of work on our part managing all the accounts, which will be about 150-200. 

We aren't sure of the best way to secure the ABC network. We would do a pre-shared key for the ABC-Student SSID as well and grab their MAC addresses. We just don't want to have to keep black listing MAC addresses every time a student hack the password. 

What are the best ways to go about this?
Photo of Michael Peloquin

Michael Peloquin

  • 18 Posts
  • 1 Reply Like

Posted 4 years ago

  • 1
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You should consider offering an 802.1X-based WPA2/Enterprise SSID, a PPSK-based WPA2/Personal SSID and, potentially, an open CWP-based SSID for guest access, moving all the devices you can to use 802.1X with an EAP type like PEAP, using device certificates where this is feasible, else with a username and password.

Using direct user credentials that are managed via a directory with 802.1X, be it username-and-password or certificate, means that you don't have to worry about credential duplication in an external, loosely coupled system and the associated management overheads.

There is never a need to offer District, Staff, Student or Guest specific SSIDs.
This is because of user profiles that are decoupled from the authentication method, you only need to offer one SSID per the type of authentication you offer.

Doing so only ever decreases the performance of your wireless network. This is due to things like advertising the availability of SSIDs taking up bandwidth. (A surprising amount when legacy 802.11b data rates are is enabled.)

User profiles decouple the SSID from the firewall rules (ACLs) and VLAN that you apply to a client's connection.

For any pre-shared keys (PSKs), you need to ensure that they have sufficient complexity to not be vulnerable to offline attacks. You may find that you have been making poor PSK choices making this surprisingly practical to pull off.

Use PSKs giving as much granularity as possible via Aerohive's excellent PPSK feature that allows you to give individual devices their own PSK. (The larger the set of devices that you have that share a PSK, the bigger the issue if you need to revoke it.)

Attempting to secure anything by a MAC address is, of course, always a 'fool's errand'. Don't bother.

You will always be vulnerable to credentials being lifted from devices. But... you can minimize this risk by ensuring that central administrative control and lock down is enforced where the device supports it, and, where not, limiting the scope of access that the device gets to not make it worthwhile.

Although conceptually there is no difference from a risk perspective, practical experience has shown that PSKs tend to get lifted far more often than 802.1X credentials.

Hope this helps,

Photo of Hans Matthé

Hans Matthé

  • 42 Posts
  • 2 Reply Likes
Nice explanation from Nick. MAC address filtering is indeed a useless 'security' layer because MAC-spoofing is not that complicated. If it is possible, use wpa2-enterprise or at least PPSK.
Photo of Terence Fleming ThinkWireless

Terence Fleming ThinkWireless, Champ

  • 79 Posts
  • 27 Reply Likes

A couple to further points on this, while you are transitioning to something more secure.   Nick's combination of an 802.1x based  SSID backed up with a PPSK SSID for non-domain computers and a guest SSID is the right way to go in my mind.

Straight away you can add a Client re-classification rule to your Legacy SSIDs (the ones you have today) so that any user that guesses the password and connects with an iPhone or Android receives a different profile.  My personal preference is to give them an IP address so that they remain connected but put them in a "rate limited Internet only" profile.  That way they are more likely to remain connected whilst you hunt them down than they would if you block them entirely or null route them.  (Depends on whether you care who they are)

Don't be scared about the admin effort of managing the Staff PPSK accounts as you can import a list of Staff users into the Hive Manager from a spreadsheet to create all the accounts. Then notify Staff member of their PSKs from the Hive Manager by email, so users never have to retype them.

You could consider 802.1x with captive portal for the Student devices but only if you don't mind ALL your students connecting (they will share their credentials).  You need PPSK if only a subset of students are allowed to connect - and use a PSK server or limit the number of devices that can use each key.

Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
As an ex-evil student I suspect they are doing the following:

  1. Looking for a wireless client associated to the appropriate wireless network.
  2. Deauthenticating the wireless client.
  3. Capturing the wireless client's four way handshake as they associate again.
  4. Completing an offline dictionary attack on the four way handshake.
  5. Once they have the key they use it to associate to the wireless network.
  6. Each time they associate they use a random MAC address to get around the MAC address filtering.
Otherwise they could have just got the passphrase from somebody :-)

One school I have worked with did the following for student devices:
  • Got the students to bring their device to the IS department.
  • The IS department makes a Private PSK for the device.   The student SSID is configured so only a single Private PSK can be utilised and a Private PSK server has been configured.
  • The IS department associates the device to the student SSID.  Now only that device can use that student's Private PSK.
Not a perfect solution by any stretch of the imagination but it works OK.  If a student wants to change their wireless device the IS department just revokes the student's existing Private PSK and creates a new one.