Restricting Wireless Access on Campus?

Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."

Old Tech

[Muggins the Mad]

Change the student password every hour. Have the teacher easily able to see what the password is.

Write the password on the blackboard at the start of the class. Possibly have several different passwords with different levels of access.

- Muggins the Mad

a better idea

[Anonymous Coward]

1. surround entire campus by 30 foot tall concrete structure with only one point for entry and access.

2. establish three checkpoints that students must pass before entry into campus.

3. at first checkpoint verify that people wishing to enter have a valid student id.

4. at second checkpoint perform checks on biometric data encoded in student id cards

5. at third checkpoint perform full cavity searches to verify that no unauthorized internet access equipment is being carried into the authorized internet acce

Re:Old Tech

[DetrimentalFiend]

Two words: faraday cage

Of course, you'd have to shield all of the rooms and then put an access point in every room that could be shut off. But, as long as we're talking about off the wall solutions, I thought I'd throw it out there.

Re:Old Tech

[Wog]

Also ends the problem of ringing cell phones in class...

If you actually call it a problem. I had a professor who used to get so flustered at a cell ring that he would rant for 5-10 minutes. Effectively giving me room to ignore him and play games on my Palm...

Re:Old Tech

[s.fontinalis]

Is the rebar mesh used in the reinforced concrete construction suffiecently close to function as a Faraday cage?

Weaken signal strength

[SpaFF]

Asside from changing the password (or WEP key) constantly and having the professor tell the students what it is each class, you could shield the classroom so that the signal doesn't travel outside of it. This of course assumes that the access point is in the classroom and that the room is small enough to electromagnetically shield economically. Depending on the size of the room (big lecture halls) you might be able to just turn the signal strength of the AP down low enough so that it can't be reached outside of the room.

MAC addresses?

[Nasarius]

Why not associate usernames with schedules and save yourself the hassle? Require a VPN logon for the wireless network, and deny access to specific users at the right times.

Re:MAC addresses?

[linzeal]

Why not just require a VPN for the class that needs it and run an open network? Is there a bandwidth consideration here, or am I missing something?

Re:MAC addresses?

[josh3736]

A lot of people have been suggesting some kind of MAC-based access control.

Don't waste your time.

The determined student can ever-so-easily skate right past MAC filtering. For example, if I'm in the class where I'm not supposed to connect, I can just sniff a MAC from the adjacent (wide-open) room and use that. Or just make one up, if you are using a blacklist instead of a whitelist.

Go with NoCat or, more preferably, a VPN. Anyone can associate with the AP, but the AP is firewalled from the rest of the

NoCatNet!

[cfoster611]

I've been meaning to setup a system using NoCat [nocat.net]

It creates a splash-screen authentication at first connection. Either that or mandatory VPN.

Two words

[deanpole]

Faraday Cage

... is room with metal walls, and screens (like you see on the front of a microwave) to pass air.

Old fashioned

[aridhol]

Why is it required that this one room not have any network connectivity? Why not do it the old-fashioned way: tell the students that network access is prohibited.

What kind of school is this? Is it a college or university? The students are paying their way, let them waste their money by ignoring the class. Is it a K-12 school? Send a note home to the parents or disable the account of those caught using the 'net when they shouldn't.

Seconded...

[Gordonjcp]

I mean, ffs, presumably these are University students we're talking about here? Are you deliberately treating them like naughty children as part of some kind of weird-ass psychological experiment?

Mind you, what do you expect from a country where you can buy a gun when you're 12 but you can't drink anywhere until you're 21?

Re:Old fashioned

[crazney]

Err,

Perhaps its an exam situation or something, and the exam is online?

Re:Old fashioned

[kalidasa]

You really don't want students to have WiFi capaibilities in an examination environment. Remember, there are two kinds of WiFi network: infrastructure, and peer-to-peer.

Re:Old fashioned

[Guspaz]

You can't really stop them from using P2P wireless short of jamming them, which is probably illegal.

Re:Old fashioned

[kalidasa]

Sure you can. See sibling post. No personal (as in owned by students) devices with WiFi allowed in the classroom during the exam.

Re:Old fashioned

[bcrowell]

Why not just forbid them to use laptops and PDAs during exams?

The OP really needs to give some information about why the heck he considers this necessary in the first place.

802.1x + RADIUS

[Russ Steffen]

What about using 802.1x with a RADIUS server that has time based access controls (like Radiator) ?

Re:802.1x + RADIUS

[megabeck42]

This has to be the most effective solution suggested yet.

802.1x is more cross-platform than propietary VPN solutions, requires no instructor cooperation changing keys or announcing new keys, requires no hacking up of a DHCP server, etc.

Re:802.1x + RADIUS

[lpret]

I second this. at my university we use 1x and RADIUS and we can allow users during a time period to authenticate successfully. This means we can track who is on when, while allowing them to borrow a laptop or whatever. look at your hardware and see if it's an option. by the way, are you familiar with the International Resnet Symposium? Currently underway at Princeton University, it's a great place to bounce ideas off of others and hear what other poeple (and vendors) have to offer.

Re:802.1x + RADIUS

[rasz]

Agreed. 802.1x is the only way to go.
Mac filtering ? Ar you even serious ?
ifconfig wi0 lladdr 01:02:03:04:05:06

Radius and good acces policy, some centralised CMSlike management console and your set.

Re:802.1x + RADIUS

[presarioD]

ifconfig wi0 lladdr 01:02:03:04:05:06

Have you ever tried it? What it actually does is "masquerade" on the DHCP level but not the physical link level. The DHCP will try to send to 01:02:03:04:05:06 but the physical link doesn't know were that is!
It hasn't worked for me at least...

Re:802.1x + RADIUS

[FuzzieNorn]

Presumably your card driver doesn't support MAC address spoofing, then. Most do.

wired in each room

[TheSHAD0W]

Have a wireless access point in each room connected to a switch that sends wires to each table. The access points' addresses can be configured as static, which will let you control its access via iptables or whatever.

This question doesn't make much sense

[craXORjack]

One class in a building will require restrictions, while both classrooms adjacent to it need open access.

And what keeps students in the middle classroom from connecting the access points on the other side of the wall? You need to explain the situation in more detail.

If only the middle classroom has access to some resource then just control access to that resource using something like NDS which allows limiting connections by MAC,IP,IPX addresses or by time of day, or by username.

Re:This question doesn't make much sense

[gl4ss]

he thinks that he could control the mac addresses the students would be using, or something.

it would be an enormously difficult setup to keep working, wanting to restrict people who are in the room b while permitting access to people in rooms a c. if he could then he should make some vpn thingy and use it based on who should be in the room b, however, since he wants open access in rooms a and c I don't really see this happening.

only reason why I would see this needed to be enforced would be during tests..

Easy.

[Txiasaeia]

Figure how much it would cost to run unlimited wireless access from 8am to 5pm weekdays (times when the classes run, in other words). Restrict by MAC address and allot bandwidth according to classes - one hour per week per hour-long class. This is the net effect you want, right?

Benefits: it's easy to restrict by MAC and time spent, and students get to learn time management - if they use all their bandwidth for the week on Monday, then they're going to be royally screwed for the rest of the week. That,

READ ME FIRST!

[Txiasaeia]

ACK! Sorry, forget the first sentence - I was going to suggest just leaving wireless on during week days and making students pay the difference, but then inspiration REALLY hit :) Mods, be nice!

Re:Easy.

[sethstorm]

MAC Address Restriction wont help, people could just sniff over and masquerade as other clients. Time up on one MAC? Spoof another. Rinse and repeat until wifi wants are satisfied, since nobody is going to be on all of that time or all of that week. Rate limiting wont help if it's done this way, you're just going to get some people who will just hop from one to another MAC, and people wondering what happened to their time.

Re:Easy.

[kaiidth]

ifconfig eth0 hw ether my:mates:mac:address...

Re:Easy.

[markxz]

allot bandwidth according to classes- one hour per week per hour-long class

In most university situations it would be desirable to have accsess outwith the scheduled classes, but less desirable for use during classes (it is distracting and rude towards those taking the classes)

If it is necessary to restrict accsess (for exams etc) The easiest way is to dissalow any equipment not provided by the university. In exams I have had calcualtors provided.

Why?

[SecretFire]

I think we need a lot more information about the circumstances here. Is there some sort of test that requires students to have a laptop but not access the internet?

Or is it some old teacher that thinks that it'll somehow force people listen to their boring, pointless lectures, when the students will likely just find something else to entertain themselves with.

NoCat / VPN

[rawg]

Yeah, I think that the best solution is to have a NoCat login that uses a database to tell what times the login is valid. You can do the same with VPN. Query the DB like "where $current_time > start_time and $current_time end_time". Use that query when validating logins.

Re:NoCat / VPN

[netsharc]

Knowing students, what's preventing a currently "non-privileged" student to borrow the username/password from a priveledged one.. :)

Don't use Wireless

[miyako]

Wireless is good for a lot of things, but it seems to me that this "solution" will require so much more time and effort that you might as well just use a wired solution. It shouldn't be too hard to have a router in each classroom that can be turned on or off as is appropriate. With a wireless solution you are pretty much relegated to turning off each individual students access based on their schedual, which is going to be much more difficult to impliment effectively.

Re:Don't use Wireless

[fm6]

You've got to be kidding. Imagine a classroom with 30 students, each with his/her own ethernet cable. Then imagine the lawsuits....

Lawsuits for what?

[jotaeleemeese]

Is common sense dead in the US?

The students could have a 30cm cable that would connnect to a network port easily reachable on their desktop.

What is difficult with that?

Jeeez.

Re:Lawsuits for what?

[fm6]

What is difficult? How about the cost? And how do you connect the ports to the desks? Most classrooms don't have raised floors.

Re:Lawsuits for what?

[cloudmaster]

Most hardware stores have those rubber things that lay on the floor and hide cables, though. It'd be cheaper to buy a cheap switch, a handful of cables, and some floor runners than it would be to buy an access point capable of handling that many clients *and* paying someone to configure an overcomplicated access control scheme. :)

Re:Don't use Wireless

[jpmkm]

What the hell are you talking about? "oh fuck that dude plugged in his ethernet cable I'm going to sue the school!!!" Imagine a classroom with 30 students, each with his/her own pencil. Then imagine the lawsuits...

Re:Don't use Wireless

[fm6]

OK, never mind the legal nonsense, just ask any teacher if they like the idea of all the cables all over the place

Re:Don't use Wireless

[jpmkm]

All over the place? In all the wired classrooms I've seen, there are jacks and power outlets at the desks(actually a big long table thing). It's no more than a couple feet from the laptop to the jacks. No cables on the floor or anything. If you just throw a hub in a room and say, "hook up" then sure, you might have problems. If it is done correctly, though, then there is nothing to worry about.

Re:Don't use Wireless

[KingOfBLASH]

You make a good point, especially considering that he's going to have to buy wireless access points anyway....

Use a simple solution.

[Harik]

You don't need technology to solve this problem.

All your students should register their MAC address in order to get a working IP. Use whatever your vender provdes for making sure someone isn't getting on without that.

Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.

Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?

2 examples

[neglige]

I know 2 examples of universities that have WLAN on the entire (well, almost) campus.

1) Register your MAC address electronically, print out a form stating you will abide to the terms of usage, sign it, hand it in, and your MAC addess will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.

2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).

Of course each solution requires you to have an account at the university (LDAP check).

As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and..... :/

Re:2 examples

[Garak]

At the local university they use MAC filtering and WPA. You have to use a wifi nic they approve of(all 802.11g) and register your mac address with them(only one mac per student :/). I'm not sure if they are using VPN beyond that, I don't really see the need. You already know who is using the network based on the MAC, and as far as I know its not possible to change the MAC on any wifi nics.

Re:2 examples

[Garak]

Actually I just tried to change the mac address on my wrt54g wireless router with openwrt firmware. No problem, take the wireless interface down and change the mac.(Yes the router supports client mode)

First Class

[Big Sean O]

Everyone shows up to the first class (if only to get the syllabus). Anyone who logs on wirelessly during the first class will have their MAC address recorded for that room.

Access points will only let known MAC addresses log on after the first class. Anyone who misses the first class, or replaces their card has to wait in some administrative-nightmare line. College students need to wait in long lines, it gives them bladder control.

Depends on the Wireless System

[routerwhore]

Any of the next gen wireless platforms [arubanetworks.com] provide this functionality quite handily. They are completely centralized, user aware, include per-user firewalls, heavy duty encryption (2 Gbps IPSEC) and allow policies to be set based on location and time of day. When you are an organization that needs to manage more then 10 APs, you get a big boy system to do it. Let the small guys roll their own.

Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.

Impossible

[photon317]

Even if you do acces control by MAC address or VPN login as others have stated, students will just swap wireless cards or vpn logins with someone on a different schedule when they need to.

to those suggesting mac address solutions

[nuggetman]

I'd like to remind you that those can be spoofed easily. Someone in room A gets the mac address of someone in room B or room C and suddenly they're wireless again.

1) Set up a simple user/pass combination using osmething like NoCatAuth and tie it to their university name/password, set times they can't access based on when they're in that room.

2) Use wires

Campus Manager

[jhealy1024]

While this is probably overkill for what you need, you may find it helpful in other parts of your network. I run the network at a private boarding school, and we use it to keep kids off the network at certain times (detention, lights out, etc). Several other schools and colleges in the Northeast also use it.

http://www.bradford-sw.com/

This company makes a product called Campus Manager. It's basically an appliance that talks to your switches (and wireless access points, and other network hardware). It l

Re:Campus Manager

[Bishop]

Every feature you list depends on the MAC. It is trivial to spoof a MAC.

A managed VPN would achieve the same results as Campus Manager with the addition of strong authentication and security. A VPN sounds big and scary, but a modern one isn't. Many VPN appliances even have point and drool interfaces.

Don't do it at all.

[Charles Dart]

It's a bad idea, students will either hack it or switch to cellular modems. Just let the tight-assed professors deal with it and tell them to join us in the twenty-first century.

What you are doing shows a lack of respect to the students. If a student wants to waste their opportunity to be educated let em. The good students will voluntaraly go by the rules.

Belive me if you try to implement this system you are in for a world of hurt.

Re:Don't do it at all.

[ameoba]

On top of that, any real solution would require you to have full access to class registration data. Considering the way most schools treat their IT people, you're not going to get this.

I'm trying to figure out why this needs to be done in the first place... If it's to prevent students from surfing during class but still allow them to type notes, you're fighting a losing battle. If it's to allow a professor to have laptops used (something like matlab) during a test but prevent cheating, you're fighting a

Re:Don't do it at all.

[Technician]

It's a bad idea, students will either hack it or switch to cellular modems.

I wonder why nobody mentioned peer to peer over IRDA. It is short range and hard to detect and block. It would work fine for a couple facing each other cross a table in an exam.

Workaround

[sakusha]

There must be an idiot-simple workaround. Wireless routers are dirt cheap, maybe the simplest solution would be just to give a preconfigured wireless router to each teacher, have them take it with them to class, and remove it when their class is done. Then they can physically remove the access point when it's not being used for their class. Each class could have a different preconfigged router, just plug and go for the duration of the class.
But I suspect there must be some reason why this wouldn't work.

Re:Workaround

[Bombcar]

But I suspect there must be some reason why this wouldn't work.

Wireless access works through walls.

Re:Workaround

[sakusha]

You're missing the point. In my idea, the routers would be preconfigured to that class of students' computers only, only those students would have access via a fixed password. Then disconnect the router to shut it down at the end of the class. This only deals with time limits on access, not on who can access, that has to be dealt with through regular router configuration. The time restriction seems to be the toughest problem. Of course I'm presuming the router has some sort of NVRAM to keep configuration da

Spend $$$

[drix]

At my school (Berkeley [berkeley.edu]) they're using something by Vernier, most likely this [verniernetworks.com], to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet [berkeley.edu]") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)

Re:Spend $$$

[IrateEmperor]

Go (Air)bears...The Calnet authentification is linked directly to the Student ID numbers and specific passwords of the students. Interestingly enough, for some strange reason, in most of my boring late afternoon classes, I can't seem to get on the network...

It should be easy as pie.

[rice_burners_suck]

I don't think it will take a tremendous effort to relate MAC addresses to schedules. You could do it by having individual students set up one or more MAC addresses under their account, through an automated process that's required to make their wireless work on each of their computers. Once each student has a list of MAC addresses associated with them, you create, at the beginning of each term, a database that relates these MAC addresses to times of the day. All this occurs through a script. When students ad

mac address

[jbolden]

The problem with most of these mac address based solutions is they assume:

1) You don't have large numbers of people openly subverting the system

2) People don't have administrative access to their own boxes

Neither of which is true in a college environment. You can tell an ethernet card to change its effective mac address to anything and students will share with information with each other.

Security requires that:
a) the people with access want to protect the information from the people without access
b) The people with access cannot communicate to the people without access

You don't have either situation. Rather what you have is a 3rd party creating a security policy (which classrooms have access) which does not enjoy student support. I agree with the poster who commented on a wired solution, this seems 100x easier.

Location tracking - it can be done!

[berteag00]

...but not with off-the-shelf solutions. See the research of Dan Wallach, Rice University (my alma mater). He's been doing some research on baysian methods of determining a wireless node's location based on its signal strength at multiple APs. Surprisingly robust, even in the face of people maliciously modulating their signal strength, et al. See his work here. [rice.edu] Remeber, it's still in the research stage: but if you could implement it on a large scale, you'd make a pretty penny doing so!

Re:Location tracking - it can be done!

[Technician]

determining a wireless node's location based on its signal strength at multiple APs

That would work well unless someone is using a high gain directional antenna.

Yeah, go off MAC addresses,

[La Camiseta]

and see how long before that I use something like Knoppix STD [knoppix-std.org] to change my MAC address and get my ass into the network.

Come on, if you're a University, then you've already got fat pipes, and probably let the kids in dorms and the library have unlimited access, so why treat your other students like crap just because they're in the wrong location.

And if you limit their internet access, what kind of education do you think that you're providing them with by limiting the information that they can access?

Hell,

Re:Yeah, go off MAC addresses,

[Narkov]

FFS...think outside the square. What about examination situations? You generally don't want students downloading the answer from google instead of creating it themselves.

Re:Yeah, go off MAC addresses,

[La Camiseta]

If they're stupid enough to let the kids bring in a computer or PDA, then they deserve it. Anyways, who in their right mind would let a kid bust out a laptop or PDA in an exam situation.

(And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers? There's no real way to stop that. Or maybe downloading the info earlier and just going off of it during the exam?)

If they must have computers for a final exams, then that's what computer labs are for.

Re:Yeah, go off MAC addresses,

[Narkov]

I use a computer all the time in examination situations. Coding and network administration are two such examples.

> And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers?

A packet monitor

> Or maybe downloading the info earlier and just going off of it during the exam?

A freshly imaged computer

> If they must have computers for a final exams, then that's what computer labs are for.

Great point sherlock. Do you suggest they leave these labs totally detached from

Re:Yeah, go off MAC addresses,

[gcaseye6677]

In addition to the issues listed here, it is just too much trouble to try to restrict wireless communication. There's no foolproof way to do it without spending a lot of time and money, and even then someone will hack it. For instance, how would you control student access to wireless internet through a cellular provider? Unless there's some really compelling reason to restrict access that the original submitter left out, it seems like much more trouble than its worth.

RADIUS

[dg41]

I agree w/ some of the posts above. At my school (Wright State), we use a wireless network, with RADIUS authentication that expires every two hours. Give instructors the choice of allowing equipment or not; I had a prof who strictly forbid the use of Palms in class.

quit counting beans

[Game Genie]

If a student decides to sit and screw around on the internet during class rather than listen that is their own problem, they have the right to fail. At worst this may be a minor disruption to the class, in which it is always within the prof's disgression to give them the boot. This is college, not high school.

That being said, no mac filtering or proxy solutions are going too be fool proof (or, more accuratly, geek proof). It is easy enough to setup NAT on a laptop to give access to the next room, or

Re:quit counting beans

[emorphien]

Agreed, it's not worth the effort. If the student is being disruptive that's one thing, but if they're not paying attention let them fail. There are plenty of classes I've been in where you might want to look something up online to back up or refute what the prof says. This is too much baby sitting for college. If a professor doesn't want things being used that's all they have to say.

You want to spend money

[Famanoran]

and get a BlueSocket device. Truely, they are the best.

PPPoE

[bungeejumper]

User-level authentication...all you need is a Radius server.

Keep it open!

[beej_55]

We'll never get anywhere by building fences. You've heard the Linux quote, "In a world without windows and gates, who needs walls and fences." My sipmle solution is to just let the people on the network, use a public/private hotspot, D-Link makes some nice ones. Simple, but effective.

Wire AP to switch

[mfarver]

Assuming that there is one AP per classroom, and connections to adjacent classrooms do not work well:

Just have the campus electrician wire the AP to a lightswitch next to the blackboard. Then the professor can make their own decision on wireless access. The user interface requires little maintainance, is easy to use and difficult to hack without getting caught or electrocuted.

Mark

OSU setup

[Alphasniper]

The Ohio State University has many wireless access points all over the campus. Since they already have pre-existing online student logins, those are used to gain online access. When you "hook up" to the router and open an internet browser is just pulls up a username verification page. That way any traffic from your address during the login period is associated with your username. Please excuse my simplistic explanation, i'm not at the ubergeek level yet :-p 4lpha-$

The english solution

[Monkeyfobia]

Theres a big difference between universtiys/high schools(or english colleges) pupils(normally) want to be there, so if they dont want to listen to the lecture they obv dont wanna pass. I sit in lectures with my pbook taking notes, accessing the presentation in the lecture theater, getting files needed for the weeks work etc. I assume you have spent alot on an 'e campus' so whats the point on deining access to it. Having an e campus is a great tool for learning, if i get confused by a word, i can google it,