Departments with Wi-Fi policy exemption approval from UW-IT to deploy and operate a locally-managed Wi-Fi network must adhere to the following security and coexistence guidelines:
1.1. Departments MUST get UW-IT approval BEFORE installing any Wi-Fi equipment.
1.2. Departmentally-managed access points must be configured in a way that prevents interference with campus Wi-Fi infrastructure via the methods described below. In particular, a unique Service Set Identifier (SSID) must be used for departmental installations in order to avoid conflicts with campus Wi-Fi infrastructure. Unfortunately, this means that users may need to reconfigure their laptop computers or smart devices when moving between departmental and campus Wi-Fi infrastructure.
1.3. Departments with UW Information Technology approval to deploy or maintain their own Wi-Fi infrastructure are responsible for all security risks and liabilities associated with such installations. Consequently, it is essential that departmentally managed access points implement some form of access control.
1.4. One of the best practices for data security is never to rely on link-level network protection (link encryption or other forms of isolation) on either wired or Wi-Fi networks. It is essential that sensitive or critical information be protected at the transport and/or session levels using encrypted protocols such as IPsec, TLS/SSL, SSH or Kerberos.
1.5. When individual network-connected computers endanger the network or other hosts, it is necessary to temporarily disconnect them from the campus network. Similarly, whenever a departmental Wi-Fi access point is configured in such a way that it either interferes with the campus network infrastructure or represents an untenable business risk to the university, it will need to be disconnected until the problem is resolved. This is normally done by having the UW Information Technology Network Operations Center disable the Ethernet port to which the offending device is attached.
1.6. If an attack originates from a client using the departmental access point, that access point (and thus everyone using it) will be disconnected.
2.1. Due to the potential for misuse by unknown individuals, with little risk of discovery, it is imprudent to deploy Wi-Fi infrastructure without some form of access control. Therefore, departments should deploy at *least* one of the following access control methods in their Wi-Fi access points:
2.2. Be aware that the centrally-managed campus Wi-Fi access control policy requires authentication via UW NetID in order to access resources outside the UW network. This policy is implemented via a "captive portal" approach, wherein first access to websites outside UW forces redirection to a UW NetID Weblogin page. The policy is intended to prevent liability and embarrassment to the University in case a malicious user attempts to launch attacks against other sites using the UW network.
3.1. Departments must configure their Wi-Fi access points to:
3.2. Departments may also be required to configure their Wi-Fi access points to:
3.3. Finally, additional best practices include: