
We have a guest wifi network set up on a separate VLAN, using an open connection (i.e. no WPA/WEP).

A (semi-technical) customer recently complained that he wasn't happy about his traffic not being encrypted. I gave him the usual advice that if security is important he should be using a VPN, even on a WPA network, etc.

But it got me thinking:

Is there any point to setting up WPA2 on a guest network, where we give out the password to anyone that asks anyway (and write it on the walls!)?

I understand it'd limit snooping between connections that are already established, but if you're listening when someone connects, isn't it relatively trivial to capture the authentication information / 4-way handshake and then use that to snoop?

Doesn't that defeat the point of having WPA on a guest/"open" network?

3 Answers


Depends on the situation. Someone with the WPA2 PSK and the right tools and knowledge can indeed decrypt traffic of the other users on the network (see here).

On the one hand, the barriers of having the key, having the tools, and having the knowledge can be a useful deterrent, and prevent some clueless jerk with a copy of Firesheep from casually stealing other people's sessions.

On the other hand, needing to get and enter a key can be a pain for your legit users, and as you pointed out, can provide a false sense of security.

Which way you go depends on which option makes the most sense for your organization.

Shane Madden

First, you should be using WPA2, not WPA. To my knowledge, there is no known, easily-exploitable way to intercept and decrypt a WPA2-protected wifi stream, even if you're snooping the entire conversation.

Your guest is absolutely right, there is no good reason to have open wireless networks. Doing so is just inviting abuse, not to mention looking incompetent in front of your customers.

EEAA

I realize this isn't much of an "answer", but we have a WPA2 pre-shared key on our guest WiFi network. (For reference, we use Ubiquiti UniFi Access Points, and the guest network is locked down for Internet access only.)

We printed tent cards with the guest SSID name and the key and put them on all of the conference tables. To get the key you would have to get past reception or the locked doors.

As an additional layer of security, you can change the key periodically and print new cards.

I can't really think of any reason not to have it encrypted, besides laziness. It cuts down on the possibility of someone randomly attaching to the WiFi from the parking lot.

myron-semack