a freeradius/wireless solution for a school

gkalinec gkalinec at newroads.org
Thu Jan 18 20:48:23 CET 2007


Hello,
I work for a mid-size private school (about 700-800 people on campus), and
I'm trying to set up a way to limit the use of our wireless to our
students/staff.  The main problem that I'm encountering is finding a
solution that will fit our needs.  A little background first...
When I first started (about a year ago, and I'm still the only IT person
managing the whole school network) we had crappy wireless at different
places on campus for students and staff to access our network.  The person
who set these up (my current boss) simply did a MAC access control list on
each AP and made the students and staff come to him to register their
computers.  This was a major pain since each of our APs (7 of them) had to
have the new MAC address manually added to each AP every time we had a new
laptop.  The problem with this solution (aside from having to enter the MACs
7 times) was that we eventually ran out of room in the MAC table.  After
some negotiating we got new wireless, but still not top of the line (I
wanted CISCOs, we got Netgear WPN802s instead), and I found that we still
run out of space in the table (it now holds 50, we now have about 100+ laptops
being used by students).  I know that the solution is to implement a radius
authentication with the APs that we have.  The APs support radius servers
using either WAP or legacy 802.1X (with WEP keys).  I did tons of research
on WAP (being the preferred method), but I could not get around the fact
that certificates MUST be installed in the client computer in order for the
protocol to work.  This is simply impossible since most of our students (and
staff for that matter) are unable to install certificates (or unwilling) and
having to install certificates manually myself is just too time consuming.
So my first question is what methods would you suggest for this kind of set
up?
My original idea was to implement the legacy 802.1x option.  I managed to
set up the AP correctly and the radius server to authenticate based on MAC
addresses, but I could not find a way to get the WEP key back to the client
laptop.  I'm not even sure it is possible, really, and I'm hesitant to try
to have our students and staff enter a WEP key into their laptops themselves
(since when they fail they will come for me to set it up, and if I wanted to
change the WEP key, I would have to re-change it on every laptop).  Is there
any way for the radius server to send back the WEP key to the client?  I
know it must seem horribly insecure (and it is), but I have to show my boss
a solution that is better than simply leaving our network open.
Can someone help or suggest a better way of resolving this?
-- 
View this message in context: http://www.nabble.com/a-freeradious-wireless-solution-for-a-school-tf3036221.html#a8437548
Sent from the FreeRadius - User mailing list archive at Nabble.com.



