1 question and two thoughts --
Q) Is the intention to provide wireless connectivity to all students/faculty
of the University, but not outsiders? Or, is it to allow wireless to
specific users and not the entire campus population at large?
Depending on the approach above:
1) What does the University currently use to authenticate remote access
users (such as VPN)? Some organizations treat wandering wireless users the
same as VPN users, forcing the establishment of an L2TP tunnel via password
or SecurID, etc. Increases the hassle to the wireless users, but provides
manageable secure access.
2) One of the issues that Darrel raised was about turning off the SSID
broadcast. This has an advantage and disadvantage -- the advantage is that,
without the users receiving the broadcast, only those who know the SSID join
the net. However, the administrator(s) will then need to provide the SSID to
the user community, and on a campus things like this are not quite a secret,
even to those who don't attend. It can also increase the hassle to the
users, if they rebuild/reconfigure their machine (as some students are apt
to do). You could also "hide in plain sight"... a couple of guys I used to
work with created an application (running on Linux) that essentially sends
out thousands of fake SSID broadcasts... as they say in their marketing, "if
one access point is good, 53,000 must be better". The app is called,
naturally, FakeAP (http://www.blackalchemy.to/project/fakeap/). Users still
have to know the correct SSID to join, but the advantage is that users won't
be frustrated with trying to figure out whether they have the incorrect
(forgotten?) SSID or are just out of range, etc.
"blah" <(E-Mail Removed)> wrote in message
news:bddjf9$d18$(E-Mail Removed)...
> I am designing a wireless LAN for possible use at a local university.
> the LAN would be limited to one three story building. the problem i have is
> that the network will be designed for non-permanent hardware i.e., laptops
> and wireless pda's. does anyone have any suggestions as to how to keep such
> a network secure? i have been told to use MAC filtering, but with
> constantly changing hardware, how would such a thing be accomplished?
> thanks for any help anyone can give me,
> blake