06-01-2010 02:13 AM - edited 07-03-2021 06:50 PM
Hello
I have some 871W. Is it possible to make wireless network open (no authentication, available for all) but with encryption?
I've read somewhere I could do something like this using 802.1x, but could not find any Cisco documentation for that.
I want to be sure that everybody can use wireless but the sniffing is not possible (or very difficult).
Is it possible? If yes, could you give me a link to the documentation?
Best regards,
06-01-2010 03:55 AM
You can set up encryption (WEP, WPA-PSK, WPA2-PSK) without using any type of authentication (802.1x). Your best bet, if you don't want to have devices or users authenticate and want to make it difficult to break, is to use WPA2-PSK.
Scott
06-01-2010 04:17 AM
But for WPA2-PSK to work everybody needs to know the shared key. And this is a problem. I do not want to force people to know any passwords (it's public wifi).
How can I solve this problem?
Thanx
06-01-2010 04:47 AM
Public WiFi.... Well, nothing you can do there. Leave it open and create an ACL to block guest traffic from accessing your other subnets.
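The guest-isolation ACL suggested in the reply above, sketched as an added example that is not part of the original thread. The guest subnet 192.168.20.0/24, the router address 192.168.20.1, the ACL name GUEST-IN and the guest-facing interface BVI20 are all assumptions; substitute the values from your own 871W configuration.

```cisco
! Constructed example: guest clients in 192.168.20.0/24, router at 192.168.20.1.
! Interface name BVI20 is an assumption; use the routed interface of your guest VLAN.
ip access-list extended GUEST-IN
 remark Guests need DHCP before they have an address
 permit udp any eq bootpc any eq bootps
 remark DNS to the router only (assumes the router answers DNS for guests)
 permit udp 192.168.20.0 0.0.0.255 host 192.168.20.1 eq domain
 remark Block every private range, which covers the internal subnets
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else is Internet traffic from the guest subnet
 permit ip 192.168.20.0 0.0.0.255 any
!
interface BVI20
 ip access-group GUEST-IN in
```

This keeps guests away from the other subnets but does nothing about sniffing between guests on the open SSID, which is the concern raised in the rest of the thread.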
06-01-2010 04:55 AM
That's very bad that I cannot enable encryption for public wifi. This way any user can sniff any other user.
There should be a way to set a secure channel thru unsecured media (for example using Diffie-Hellman).
Why did Cisco not create such a possibility?
Thanx
06-01-2010 05:01 AM
On a WLC or an IOS AP, you can block P2P, you just have to see if your device supports that.
06-01-2010 05:05 AM
Hmmm, but I do not want to block any traffic.
I just wanted to provide guests some basic level of privacy thru encryption, so they could use, for example, internet banking.
Thanx
06-01-2010 05:17 AM
The thing with free public wifi is that the users have to protect themselves, not you. Look at all the other hotspots... they use a username/password or just an accept to allow the users access to the wireless. There is usually a Terms and agreement that protects the hotspot from any liabilities. Most secure websites use SSL certificates to protect the users... so this is secure.
Scott
06-01-2010 05:40 AM
I don't trust SSL certificates. Many of them are validated only by email. And most browsers have very suspicious CAs in their keyring.
What about the Cisco layered model of protection? Shouldn't it be implemented in all layers, not just one (which is weak in this case)?
Even professionals are often tricked - we cannot leave users on their own. That's why I think Cisco should try to provide at least a minimum level of security....
I still do not understand why it's not possible and why Cisco can't do that...
Thanx
06-01-2010 05:45 AM
Understood... but that is why the minimum protection is up to you to decide. Again... with guest wireless, you can't force any type of encryption or else you will be supporting the users. No matter what vendor you use, the outcome will be the same. Encryption and Authentication are there for one to use if configured. If you had a wired guest, how would you protect him or her?
Scott
06-01-2010 05:52 AM
You are right, the same problem is with wired connections. But I feel uncomfortable giving them some security for usability (they have to remember the shared key) while technically it's not necessary.
Anyway thanx!