Restricting Wireless Access on Campus?
Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."
Old Tech (Score:5, Insightful)
Write the password on the blackboard at the start of the class. Possibly have several different passwords with different levels of access.
- Muggins the Mad
a better idea (Score:1, Funny)
2. establish three checkpoints that students must pass before entry into campus.
3. at first checkpoint verify that people wishing to enter have a valid student id.
4. at second checkpoint perform checks on biometric data encoded in student id cards
5. at third checkpoint perform full cavity searches to verify that no unauthorized internet access equipment is being carried into the authorized internet acce
Re:Old Tech (Score:3, Funny)
Of course, you'd have to shield all of the rooms and then put an access point in every room that could be shut off. But, as long as we're talking about off the wall solutions, I thought I'd throw it out there.
Re:Old Tech (Score:1)
If you actually call it a problem. I had a professor who used to get so flustered at a cell ring that he would rant for 5-10 minutes. Effectively giving me room to ignore him and play games on my Palm...
Re:Old Tech (Score:1)
Weaken signal strength (Score:5, Interesting)
MAC addresses? (Score:5, Insightful)
Re:MAC addresses? (Score:1)
Re:MAC addresses? (Score:3, Insightful)
Don't waste your time.
The determined student can ever-so-easily skate right past MAC filtering. For example, if I'm in the class where I'm not supposed to connect, I can just sniff a MAC from the adjacent (wide-open) room and use that. Or just make one up, if you are using a blacklist instead of a whitelist.
Go with NoCat or, more preferably, a VPN. Anyone can associate with the AP, but the AP is firewalled from the rest of the
NoCatNet! (Score:3, Informative)
It creates a splash-screen authentication at first connection. Either that or mandatory VPN.
Two words (Score:5, Funny)
... is room with metal walls, and screens (like you see on the front of a microwave) to pass air.
Old fashioned (Score:5, Insightful)
What kind of school is this? Is it a college or university? The students are paying their way, let them waste their money by ignoring the class. Is it a K-12 school? Send a note home to the parents or disable the account of those caught using the 'net when they shouldn't.
Seconded... (Score:5, Funny)
Mind you, what do you expect from a country where you can buy a gun when you're 12 but you can't drink anywhere until you're 21?
Re:Old fashioned (Score:2)
Perhaps it's an exam situation or something, and the exam is online?
Re:Old fashioned (Score:5, Insightful)
Re:Old fashioned (Score:2)
Re:Old fashioned (Score:2)
Re:Old fashioned (Score:1)
The OP really needs to give some information about why the heck he considers this necessary in the first place.
802.1x + RADIUS (Score:5, Informative)
Re:802.1x + RADIUS (Score:3, Insightful)
802.1x is more cross-platform than proprietary VPN solutions, requires no instructor cooperation changing keys or announcing new keys, requires no hacking up of a DHCP server, etc.
Re:802.1x + RADIUS (Score:4, Informative)
Re:802.1x + RADIUS (Score:2, Informative)
MAC filtering? Are you even serious?
ifconfig wi0 lladdr 01:02:03:04:05:06
RADIUS and good access policy, some centralised CMS-like management console and you're set.
Re:802.1x + RADIUS (Score:1)
Have you ever tried it? What it actually does is "masquerade" on the DHCP level but not the physical link level. The DHCP will try to send to 01:02:03:04:05:06 but the physical link doesn't know where that is!
It hasn't worked for me at least...
Re:802.1x + RADIUS (Score:1)
wired in each room (Score:1)
This question doesn't make much sense (Score:2)
And what keeps students in the middle classroom from connecting the access points on the other side of the wall? You need to explain the situation in more detail.
If only the middle classroom has access to some resource then just control access to that resource using something like NDS which allows limiting connections by MAC,IP,IPX addresses or by time of day, or by username.
Re:This question doesn't make much sense (Score:2)
It would be an enormously difficult setup to keep working, wanting to restrict people who are in room b while permitting access to people in rooms a and c. If he could, then he should make some VPN thingy and use it based on who should be in room b; however, since he wants open access in rooms a and c I don't really see this happening.
Only reason why I would see this needed to be enforced would be during tests..
Easy. (Score:2)
Benefits: it's easy to restrict by MAC and time spent, and students get to learn time management - if they use all their bandwidth for the week on Monday, then they're going to be royally screwed for the rest of the week. That,
READ ME FIRST! (Score:2)
Re:Easy. (Score:2, Insightful)
Re:Easy. (Score:2)
Re:Easy. (Score:2, Insightful)
In most university situations it would be desirable to have access outwith the scheduled classes, but less desirable for use during classes (it is distracting and rude towards those taking the classes)
If it is necessary to restrict access (for exams etc) the easiest way is to disallow any equipment not provided by the university. In exams I have had calculators provided.
Why? (Score:4, Interesting)
Or is it some old teacher that thinks that it'll somehow force people to listen to their boring, pointless lectures, when the students will likely just find something else to entertain themselves with.
NoCat / VPN (Score:1)
Re:NoCat / VPN (Score:1)
Don't use Wireless (Score:3, Insightful)
Re:Don't use Wireless (Score:2)
Lawsuits for what? (Score:2)
The students could have a 30cm cable that would connect to a network port easily reachable on their desktop.
What is difficult with that?
Jeeez.
Re:Lawsuits for what? (Score:2)
Re:Lawsuits for what? (Score:2)
Re:Don't use Wireless (Score:2)
Re:Don't use Wireless (Score:2)
Re:Don't use Wireless (Score:2)
Re:Don't use Wireless (Score:2)
Use a simple solution. (Score:4, Informative)
All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.
Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.
Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?
2 examples (Score:4, Informative)
1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.
2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).
Of course each solution requires you to have an account at the university (LDAP check).
As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and.....
Re:2 examples (Score:2)
Re:2 examples (Score:2)
First Class (Score:1)
Access points will only let known MAC addresses log on after the first class. Anyone who misses the first class, or replaces their card has to wait in some administrative-nightmare line. College students need to wait in long lines, it gives them bladder control.
Depends on the Wireless System (Score:4, Informative)
Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.
Impossible (Score:5, Insightful)
Even if you do access control by MAC address or VPN login as others have stated, students will just swap wireless cards or VPN logins with someone on a different schedule when they need to.
to those suggesting mac address solutions (Score:2)
1) Set up a simple user/pass combination using something like NoCatAuth and tie it to their university name/password, set times they can't access based on when they're in that room.
2) Use wires
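Added example, not part of the thread and not NoCatAuth's own code: a sketch of the per-user, time-based decision suggested in the comment above, as a portal could make it once the university directory has checked the password. The schedule, usernames, room names, AP names and MAC addresses are constructed and hypothetical.

```python
from datetime import datetime, time

# Constructed sample schedule; usernames, rooms and times are hypothetical.
# Each entry is one restricted class session and the accounts enrolled in it.
RESTRICTED_SESSIONS = [
    {"room": "B", "weekday": 0, "start": time(10, 0), "end": time(11, 30),
     "enrolled": {"asmith", "bjones"}},
    {"room": "B", "weekday": 2, "start": time(14, 0), "end": time(15, 0),
     "enrolled": {"cwu"}},
]


def active_restriction(username, when):
    """Return the restricted session covering `username` at `when`, or None."""
    for session in RESTRICTED_SESSIONS:
        same_day = when.weekday() == session["weekday"]
        in_window = session["start"] <= when.time() < session["end"]
        if same_day and in_window and username in session["enrolled"]:
            return session
    return None


def decide(username, authenticated, when, mac=None, ap=None):
    """Portal decision made after the directory has checked the password.

    `mac` and `ap` are accepted for audit logging only: a client can change
    its MAC or associate with the access point next door, so neither is
    used to make the decision.
    """
    if not authenticated:
        return False, "bad credentials"
    session = active_restriction(username, when)
    if session is not None:
        return False, "restricted session in room " + session["room"]
    return True, "ok"


if __name__ == "__main__":
    monday_class = datetime(2024, 1, 8, 10, 15)  # a Monday, during the session
    attempts = [
        ("asmith", True, monday_class, "02:00:00:00:00:01", "ap-room-b"),
        ("asmith", True, monday_class, "02:00:00:00:00:99", "ap-room-a"),
        ("dlee", True, monday_class, "02:00:00:00:00:02", "ap-room-b"),
        ("asmith", True, datetime(2024, 1, 8, 12, 0), "02:00:00:00:00:01", "ap-room-b"),
    ]
    for user, ok, when, mac, ap in attempts:
        print(user, ap, decide(user, ok, when, mac, ap))
```

Because the decision follows the account rather than the MAC or the access point, changing either does not change the outcome; borrowed logins, which another comment in this thread raises, still would.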
Campus Manager (Score:2)
http://www.bradford-sw.com/
This company makes a product called Campus Manager. It's basically an appliance that talks to your switches (and wireless access points, and other network hardware). It l
Re:Campus Manager (Score:2)
A managed VPN would achieve the same results as Campus Manager with the addition of strong authentication and security. A VPN sounds big and scary, but a modern one isn't. Many VPN appliances even have point and drool interfaces.
Don't do it at all. (Score:5, Insightful)
What you are doing shows a lack of respect to the students. If a student wants to waste their opportunity to be educated let em. The good students will voluntarily go by the rules.
Believe me if you try to implement this system you are in for a world of hurt.
Re:Don't do it at all. (Score:2)
I'm trying to figure out why this needs to be done in the first place... If it's to prevent students from surfing during class but still allow them to type notes, you're fighting a losing battle. If it's to allow a professor to have laptops used (something like matlab) during a test but prevent cheating, you're fighting a
Re:Don't do it at all. (Score:2)
I wonder why nobody mentioned peer to peer over IRDA. It is short range and hard to detect and block. It would work fine for a couple facing each other across a table in an exam.
Workaround (Score:2)
But I suspect there must be some reason why this wouldn't work.
Re:Workaround (Score:2)
Wireless access works through walls.
Re:Workaround (Score:2)
Spend $$$ (Score:4, Informative)
Re:Spend $$$ (Score:1)
It should be easy as pie. (Score:2)
mac address (Score:3, Interesting)
1) You don't have large numbers of people openly subverting the system
2) People don't have administrative access to their own boxes
Neither of which is true in a college environment. You can tell an ethernet card to change its effective mac address to anything and students will share information with each other.
Security requires that:
a) the people with access want to protect the information from the people without access
b) The people with access cannot communicate to the people without access
You don't have either situation. Rather what you have is a 3rd party creating a security policy (which classrooms have access) which does not enjoy student support. I agree with the poster who commented on a wired solution, this seems 100x easier.
Location tracking - it can be done! (Score:2, Informative)
Re:Location tracking - it can be done! (Score:2)
That would work well unless someone is using a high gain directional antenna.
Yeah, go off MAC addresses, (Score:2, Interesting)
Come on, if you're a University, then you've already got fat pipes, and probably let the kids in dorms and the library have unlimited access, so why treat your other students like crap just because they're in the wrong location.
And if you limit their internet access, what kind of education do you think that you're providing them with by limiting the information that they can access?
Hell,
Re:Yeah, go off MAC addresses, (Score:1)
Re:Yeah, go off MAC addresses, (Score:2, Informative)
(And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers? There's no real way to stop that. Or maybe downloading the info earlier and just going off of it during the exam?)
If they must have computers for a final exams, then that's what computer labs are for.
Re:Yeah, go off MAC addresses, (Score:1)
> And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers?
A packet monitor
> Or maybe downloading the info earlier and just going off of it during the exam?
A freshly imaged computer
> If they must have computers for a final exams, then that's what computer labs are for.
Great point sherlock. Do you suggest they leave these labs totally detached from
Re:Yeah, go off MAC addresses, (Score:2)
RADIUS (Score:1)
quit counting beans (Score:2, Interesting)
That being said, no mac filtering or proxy solutions are going to be fool proof (or, more accurately, geek proof). It is easy enough to set up NAT on a laptop to give access to the next room, or
Re:quit counting beans (Score:1)
You want to spend money (Score:2, Informative)
PPPoE (Score:1)
Keep it open! (Score:2, Interesting)
Wire AP to switch (Score:2)
Just have the campus electrician wire the AP to a lightswitch next to the blackboard. Then the professor can make their own decision on wireless access. The user interface requires little maintenance, is easy to use and difficult to hack without getting caught or electrocuted.
Mark
OSU setup (Score:1)
The english solution (Score:1)