Full admin access on wifi?
Posted by smort@reddit | sysadmin | 15 comments
We are currently implementing 802.1X on wifi and ethernet and we had a discussion if the admin VLAN should be extended to wifi or not.
Right now, there is a sort of admin access if you pop on VPN while being connected to wifi, which I find strange, but I haven't seen that many wifi setups.
So, how do you handle it? Admin access only wired? Or with wifi too?
mixduptransistor@reddit
*probably* ok but you would want to make sure you are absolutely tight on authentication and encryption settings. the safer way would be an admin jumpbox/bastion VM that is reachable from wifi, but itself requires MFA to access, or a VPN or hardened SSH tunnel
depends how paranoid you are. The fact that you have a separate admin VLAN means you're already ahead of most places
Funny_Wing3136@reddit
Please, can you guide me? Can I obtain a fully accurate and highly secure WBA OpenRoaming profile? Do you think this method can be trusted without any specific risks? If you believe it is reliable, could you provide me with links to access it and explain how to implement it in practice? Thank you
smort@reddit (OP)
I also suggested the jumphost, yay.
How do you think about this "Raw wifi no, but with VPN-Tunnel, it's fine"? I mean I get it, there's another tunnel inside but my gut is telling me that if you do Wifi well and say only accept WPA3, you will be just as good.
mixduptransistor@reddit
the trick is how much do you trust WPA3, your implementation of it, and your wifi vendor's implementation of it?
I'd be less worried about people sniffing/snooping the traffic and more worried that it's like having an ethernet port on the outside of your building. Would you put an 802.1x authenticated ethernet jack with your admin vlan on it in a publicly accessible area?
You're open to someone setting up shop and trying and trying to break through. Is it likely? Probably not, but, it's also not zero
That's what the VPN or SSH tunnel does. If you go with an SSH tunnel that is only authenticated through some kind of public key or certificate auth, and no passwords, and audit/alert on this connectivity you're probably good unless your threat is state-level actors and in that case I'd treat wifi as if it was compromised anyway
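One way to turn the two requirements in this comment (key/certificate-only SSH on the jump host, and audit/alert on who connects to it) into something checkable, as an added example that is not from the thread or any commenter: a small Python check of an sshd_config against a key/cert-only policy, plus an audit over constructed sshd log lines. The admin subnet, hostnames, users and log lines are assumed sample values.

```python
import ipaddress
import re
# Constructed sshd_config for a wifi-reachable jump host (sample, not from the thread).
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/user_ca.pub
"""
# sshd's defaults allow passwords, so a key/cert-only jump host must set these explicitly.
REQUIRED = {"passwordauthentication": "no",
            "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}
def parse_sshd_config(text):
    """Map lowercased keyword -> value; the first occurrence wins, as in sshd."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), value.strip())
    return conf
def check_jump_host_config(text):
    """Return findings; an empty list means the config is key/cert-only."""
    conf = parse_sshd_config(text)
    return [f"{k} is {conf.get(k, 'unset (default)')}, expected {v}"
            for k, v in REQUIRED.items() if conf.get(k) != v]

# Constructed auth.log lines in sshd's message format (sample hosts and names).
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 jump sshd[2101]: Accepted publickey for alice from 10.20.30.41 port 51234 ssh2: ED25519-CERT SHA256:abc ID alice (serial 17)
Jan 10 09:15:44 jump sshd[2150]: Accepted password for bob from 10.20.30.42 port 51300 ssh2
Jan 10 09:16:02 jump sshd[2166]: Failed publickey for root from 192.0.2.9 port 40000 ssh2
"""
LOG_RE = re.compile(r"(Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")

def audit_ssh_log(text, admin_subnets):
    """Flag policy breaks: password auth (config drift), failed attempts, or a source outside the admin subnet."""
    nets = [ipaddress.ip_network(n) for n in admin_subnets]
    alerts = []
    for outcome, method, user, src in LOG_RE.findall(text):
        reasons = []
        if method == "password":
            reasons.append("password-based auth")
        if outcome == "Failed":
            reasons.append("failed attempt")
        if not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append("source outside admin subnet")
        if reasons:
            alerts.append((user, src, reasons))
    return alerts
```

Run `check_jump_host_config` against the real `/etc/ssh/sshd_config` of the jump host and `audit_ssh_log` over its auth log to get the alert list the comment asks for.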
smort@reddit (OP)
Do you trust VPN more? Do you not have to trust the implementation too? And VPN is potentially open to the world, not just our street
I'm not disagreeing with you, just trying to poke some holes.
mixduptransistor@reddit
would depend on your VPN implementation for sure. You probably have the same considerations there that you do with wifi, maybe even more. You definitely want multiple layers getting into your admin network, and that's the point of the VPN on wifi. For VPN from the internet I'd probably do VPN into an untrusted network and SSH tunnel or other layers
The point is multiple layers as secure as possible
smort@reddit (OP)
Yeah, it's the onion image with security.
But if you consider an environment where VPN only gives you admin-access, then I would argue there is hardly any difference in threat level if you also get admin-access with wifi.
And the wifi will be secured with WPA3 + 802.1X
axle2005@reddit
Easiest way I can think of is a Jumpbox. Don't expose Admin access directly to the wifi network. Have a specific jumpbox with locked down group access and allow that access through the wifi if required.
As an added bonus, don't make its hostname "jumpbox".
PerspectiveUpper7423@reddit
I don't know what kind of firewall you have, but Fortigate has the ability to filter by MAC address; I let my wifi MAC address through to everything. It comes in handy if I'm in a meeting and something urgent needs to be resolved.
urb5tar@reddit
jumphost and vpn
inaddrarpa@reddit
Different admin vlans and subnets for wireless and wifi for us, but result is the same.
Smith6612@reddit
Wired and Wireless are treated the same. Use Jump Boxes to reach anything administrative. Never extend it out to the Wireless or to user Access ports.
Unless you mean "Admin" in the sense of the Network Management VLANs. That might be required if you are using any sort of Wireless Meshing.
HankMardukasNY@reddit
Admin vlan dot1x wired and wireless goes into same vlan for us