I installed a G network at a conference center so that
clients that rent out meeting rooms can have net access.

I have one D-Link router and one D-Link repeater.  I
am not sure what the best way to set up security so that:

1. The visiting clients can connect with minimal hassle,
using their own pc's with wifi radios, and not have to
reconfigure much to get going.

2. The office staff at the conference center can easily
change the passphrase regularly or after each meeting.

I need to know whether to use WEP, WPA or WPA-PCK, and
how to make it so that the router and repeater don't
both have to be reconfigured (or an easy way to do both)
to change the passphrase.

So far in testing, the three devices (router, repeater,
client radio, all D-Link) all have different setup screens
with different options.  This is way too complicated as-is.
Some things have WEP, some WPA, some passphrase only, some
hex only, etc.

Any recommendations?

What about boring old WEP ?
I know it's pants security - but it's just for casual internet access
is it ?
But if you change the WEP key every day, or how ever often a new group
comes in, stick it on the white-board, whatever, for them to see.
Surely most clients will support WEP.
If you stick WPA-PSK on there, half the clients won;t be able to
connect ...
Not sure you can do much to make changing the WEP key quicker on your
devices though ?   Although when you get used to it, you'll end up
doing it in a flash.  Maybe if it was a Cisco Aironet you could do some
scheduled script to upload a different config each day containing the
new key.

1 question - do you need any security?

it doesnt sound like you are charging for access - so why not leave the feed
open?

and then the meeting starts, it gets rubbed off, the users want to set up
their PCs to get mail in a lunch break......

and be prepared to be asked by a %age of all the clients to "assist" with
the configuration if they even have to set up the key.
Stephen Hope - return address needs fewer xxs

"stephen" wrote ...
I considered that.  I am a consultant and this is my first WLAN at
a business.  I want my customer to feel secure (even though I have
their office LAN separated from the WLAN).

And have passersby in cars using up the bandwidth?  That's what the
customer will be concerned about.  Tell me more if I can do this
without much risk.

It won't be me, since I'll be gone.  The customer isn't very
savvy but I guess they can be trained.

Not Cisco, but maybe I could write a script for Windows to
automate most of the steps.  Good sugg.

Yep.  I'll have a handout, and hopefully one or two attendees
will step into the techie role.

Re my other questions on changing passwords:  (a) should I use
WEP 64 or 128? (b) should I use passphrase or hex? (c) is there
any way to change the password on the router and automatcally
have it change on the repeater?  Thanx.

@twister.nyroc.rr.com:

You can avoid this by placing the APs in such a way that the signal
won't radiate too much outside. Or you can change the antenna on the AP.

That's what you think! The client WILL call you. And if you don't
answer, you just racked up an unhappy customer : )

Use WEP 64, not all cards support WEP 128.

You should use a passphrase. Most cards take a passphrase. However, I
think you can convert between Hex and Passphrase, so perhaps have both
versions of the key available?

Show quote Hide quote another poster suggested limit the coverage - you can direct the radio
pattern to some extent, or turn down the power level on the AP.

some APs can run multiple virtual "lans" for lack of a better term - cisco
aironet 1100 or 1200s can support this. you can have different vlans with
different login and encryption setups using the same hardware (a default
type is "guest mode" which may be what you want).

note that if you do this then any "secure" wifi and the guest account are
only separated by VLAN - so you need to take some care about segregation of
traffic and security.

just be aware this isnt consumer cost equipment.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/networking_solutions_packages_list.html


bunch of cisco docs about wifi
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/networking_solutions_packages_list.html

if 1100s are too steep, then i suggest you make this a separate wifi to any
internal system and just air gap it from the internal network - maybe even a
separate internet feed so you dont have to worry about bandwidth hogging.
if it doesnt go anywhere but to the internet then do you care?

the problem is that any sort of security needs administration and
complicates setup, and since you have a constant churn in your users you
need to balance cost of "lost" bandwidth to that sort of risk vs overhead
costs for admin.
Show quoteHide quotebuy 802.11g equipment and run it in B/G mode for the widest compatibility.

if you change it every day then WEP 64 should be enough - you arent worrying
about security here, so much as making the system inconvenient for
unauthorised users to get at.

Show quote Hide quote There are products like firstspot from patronsoft that have a captive
portal.
<this is a windows version>
You can have one password displayed for everyone to use to access the
net.
Granted, it doesnt prevent hackers from sniffing the air but can limit
access.
Or if you are a linux guru there are many free captive portals
available.
If you want to make access easy, forget about wep and wpa. You could
set up a server that supports https and go that route and be sure to
have an access point that support vpn passthrough for those wanting to
access work.

WPA vs WEP problems...
WRT54GS and external antenna...
how do i secure a wireless network
Anyone have experience with handheld "sniffers"
Sveasoft dead?
How to firmware upgrade Proxim 8551 AP without AP Controller?
D-Link G604T problem?
Netgear WGR614 v5 configuration
Signal loss
Browser link oddity