Restricting Wireless Access on Campus?
Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."
Change the student password every hour. Have the teacher easily able to see what the password is.
Write the password on the blackboard at the start of the class. Possibly have several different passwords with different levels of access.
- Muggins the Mad
Aside from changing the password (or WEP key) constantly and having the professor tell the students what it is each class, you could shield the classroom so that the signal doesn't travel outside of it. This of course assumes that the access point is in the classroom and that the room is small enough to electromagnetically shield economically. Depending on the size of the room (big lecture halls) you might be able to just turn the signal strength of the AP down low enough so that it can't be reached outside of the room.
Why not associate usernames with schedules and save yourself the hassle? Require a VPN logon for the wireless network, and deny access to specific users at the right times.
LOAD "SIG",8,1
I've been meaning to set up a system using NoCat
It creates a splash-screen authentication at first connection. Either that or mandatory VPN.
--- Kicking the Cheat since late 2002
... is room with metal walls, and screens (like you see on the front of a microwave) to pass air.
What kind of school is this? Is it a college or university? The students are paying their way, let them waste their money by ignoring the class. Is it a K-12 school? Send a note home to the parents or disable the account of those caught using the 'net when they shouldn't.
I can't say that I don't give a fuck. I've just run out of fuck to give.
What about using 802.1x with a RADIUS server that has time based access controls (like Radiator) ?
Have a wireless access point in each room connected to a switch that sends wires to each table. The access points' addresses can be configured as static, which will let you control its access via iptables or whatever.
And what keeps students in the middle classroom from connecting the access points on the other side of the wall? You need to explain the situation in more detail.
If only the middle classroom has access to some resource then just control access to that resource using something like NDS which allows limiting connections by MAC,IP,IPX addresses or by time of day, or by username.
Liberals call everyone Nazis yet they are the closest thing to it.
Benefits: it's easy to restrict by MAC and time spent, and students get to learn time management - if they use all their bandwidth for the week on Monday, then they're going to be royally screwed for the rest of the week. That, and you don't need a hugely complex system regulating who has what class and allowing their MAC address to connect, but the students whose classes are ending are cut off, etc. etc.
Condemnant quod non intellegunt.
ACK! Sorry, forget the first sentence - I was going to suggest just leaving wireless on during week days and making students pay the difference, but then inspiration REALLY hit :) Mods, be nice!
Condemnant quod non intellegunt.
1. surround entire campus by 30 foot tall concrete structure with only one point for entry and access.
2. establish three checkpoints that students must pass before entry into campus.
3. at first checkpoint verify that people wishing to enter have a valid student id.
4. at second checkpoint perform checks on biometric data encoded in student id cards
5. at third checkpoint perform full cavity searches to verify that no unauthorized internet access equipment is being carried into the authorized internet access area.
6. expand campus police force, giving them a full array of lethal and non-lethal crowd control devices.
7. instruct campus police officers to randomly search students and verify that any internet access they are engaged in is authorized.
8. construct on campus detention facility. (de-commissioned student union building may be an appropriate location for this)
9. train campus police officers in "moderate physical pressure" techniques for use in extracting information about unauthorized internet access methods used by students potentially in violation of school's internet access policies.
and this is only the beginning of an effective strategy. there is much more you could do, but i have to stop and converse with an approaching campus police officer.
Or is it some old teacher that thinks that it'll somehow force people to listen to their boring, pointless lectures, when the students will likely just find something else to entertain themselves with.
Yeah, I think that the best solution is to have a NoCat login that uses a database to tell what times the login is valid. You can do the same with VPN. Query the DB like "where $current_time > start_time and $current_time < end_time". Use that query when validating logins.
The above is not worth reading.
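As an added example (not part of the comment above and not NoCat's own code): the time-window login check it describes, run against a constructed SQLite table. The table, column and function names are assumptions; the time is bound as a query parameter instead of being interpolated into the SQL, and the function returns the seconds left in the window so a gateway can end the session when the class does.

```python
import sqlite3
from datetime import datetime, time

def build_db():
    """In-memory schedule table; every row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE access_window (
        username   TEXT NOT NULL,
        weekday    INTEGER NOT NULL,  -- 0 = Monday ... 6 = Sunday
        start_time TEXT NOT NULL,     -- zero-padded 'HH:MM', so text order = time order
        end_time   TEXT NOT NULL)""")
    db.executemany("INSERT INTO access_window VALUES (?, ?, ?, ?)", [
        ("alice", 0, "09:00", "10:30"),
        ("alice", 2, "13:00", "14:00"),
        ("bob",   0, "10:30", "12:00"),
    ])
    return db

def session_seconds(db, username, now):
    """Seconds of access left for `username` at `now`; 0 means deny.

    Windows are half-open [start, end): at 10:30 alice's window is closed
    and bob's is open. An unknown user matches no row and is denied.
    """
    hhmm = now.strftime("%H:%M")
    # Values are bound as parameters, never pasted into the SQL text.
    (end,) = db.execute(
        """SELECT MAX(end_time) FROM access_window
           WHERE username = ? AND weekday = ?
             AND ? >= start_time AND ? < end_time""",
        (username, now.weekday(), hhmm, hhmm),
    ).fetchone()
    if end is None:
        return 0
    closes = datetime.combine(now.date(), time.fromisoformat(end))
    return int((closes - now).total_seconds())

def login_allowed(db, username, now):
    return session_seconds(db, username, now) > 0

if __name__ == "__main__":
    db = build_db()
    monday = datetime(2024, 1, 1, 10, 29, 30)   # constructed timestamp (a Monday)
    for user in ("alice", "bob", "alice' OR '1'='1"):
        print(user, session_seconds(db, user, monday))
```
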
Wireless is good for a lot of things, but it seems to me that this "solution" will require so much more time and effort that you might as well just use a wired solution. It shouldn't be too hard to have a router in each classroom that can be turned on or off as is appropriate. With a wireless solution you are pretty much relegated to turning off each individual student's access based on their schedule, which is going to be much more difficult to implement effectively.
Famous Last Words: "hmm...wikipedia says it's edible"
All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.
Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.
Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?
Mind you, what do you expect from a country where you can buy a gun when you're 12 but you can't drink anywhere until you're 21?
I know 2 examples of universities that have WLAN on the entire (well, almost) campus.
:/
1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.
2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).
Of course each solution requires you to have an account at the university (LDAP check).
As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and.....
My cats ate my karma. They also wrote this comment.
I'm still trying to get my 120mHz laptop to recognize my wireless card (I think it's borked)
Is common sense dead in the US?
The students could have a 30cm cable that would connect to a network port easily reachable on their desktop.
What is difficult with that?
Jeeez.
IANAL but write like a drunk one.
Everyone shows up to the first class (if only to get the syllabus). Anyone who logs on wirelessly during the first class will have their MAC address recorded for that room.
Access points will only let known MAC addresses log on after the first class. Anyone who misses the first class, or replaces their card has to wait in some administrative-nightmare line. College students need to wait in long lines, it gives them bladder control.
My father is a blogger.
Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.
Even if you do access control by MAC address or VPN login as others have stated, students will just swap wireless cards or VPN logins with someone on a different schedule when they need to.
11*43+456^2
I'd like to remind you that those can be spoofed easily. Someone in room A gets the MAC address of someone in room B or room C and suddenly they're wireless again.
1) Set up a simple user/pass combination using something like NoCatAuth and tie it to their university name/password, set times they can't access based on when they're in that room.
2) Use wires
...and that's all there is to it.
While this is probably overkill for what you need, you may find it helpful in other parts of your network. I run the network at a private boarding school, and we use it to keep kids off the network at certain times (detention, lights out, etc). Several other schools and colleges in the Northeast also use it.
http://www.bradford-sw.com/
This company makes a product called Campus Manager. It's basically an appliance that talks to your switches (and wireless access points, and other network hardware). It learns MAC addresses and associates them with users, and tracks which physical ports they're connected to.
The system allows you to take actions on ports based on the MAC address connected to them. You can flip VLANs based on who links up to a port, or you can schedule ports to flip on a regular basis. If your WAPs support VLANs, you could do this in your classrooms. If they don't, the device can also act as a RADIUS server and the WAPs can talk to that to allow/deny access.
The system allows you to "force" registration, so users must link their MAC addresses with their names when they first come on the network. Once they've done that, you can easily group students and apply scheduled access to each group.
You can even give limited access to certain users (e.g., the faculty), so they can turn ports/users on and off whenever they want (for example, if they have a test that day).
Again, this may be overkill for what you need, but if you're looking for a more powerful general solution, this may be something you'd want to look into.
Jason
It's a bad idea, students will either hack it or switch to cellular modems. Just let the tight-assed professors deal with it and tell them to join us in the twenty-first century.
What you are doing shows a lack of respect to the students. If a student wants to waste their opportunity to be educated, let 'em. The good students will voluntarily go by the rules.
Believe me, if you try to implement this system you are in for a world of hurt.
There must be an idiot-simple workaround. Wireless routers are dirt cheap, maybe the simplest solution would be just to give a preconfigured wireless router to each teacher, have them take it with them to class, and remove it when their class is done. Then they can physically remove the access point when it's not being used for their class. Each class could have a different preconfigged router, just plug and go for the duration of the class.
But I suspect there must be some reason why this wouldn't work.
Go millihertz.
At my school (Berkeley) they're using something by Vernier, most likely this, to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)
I think there is a world market for maybe five personal web logs.
I don't think it will take a tremendous effort to relate MAC addresses to schedules. You could do it by having individual students set up one or more MAC addresses under their account, through an automated process that's required to make their wireless work on each of their computers. Once each student has a list of MAC addresses associated with them, you create, at the beginning of each term, a database that relates these MAC addresses to times of the day. All this occurs through a script. When students add or drop a class, your school will invoke the script that modifies that student's table of times for their MAC addresses. I can see why it would take a bit of effort to program all of that, but afterwards, it would all happen automatically.
Just don't use a Netgear or Linksys router. I hear they have some security problems or something. :)
Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions. It's the only way to mak
The problem with most of these mac address based solutions is they assume:
1) You don't have large numbers of people openly subverting the system
2) People don't have administrative access to their own boxes
Neither of which is true in a college environment. You can tell an ethernet card to change its effective MAC address to anything and students will share information with each other.
Security requires that:
a) the people with access want to protect the information from the people without access
b) The people with access cannot communicate to the people without access
You don't have either situation. Rather what you have is a 3rd party creating a security policy (which classrooms have access) which does not enjoy student support. I agree with the poster who commented on a wired solution, this seems 100x easier.
...but not with off-the-shelf solutions. See the research of Dan Wallach, Rice University (my alma mater). He's been doing some research on Bayesian methods of determining a wireless node's location based on its signal strength at multiple APs. Surprisingly robust, even in the face of people maliciously modulating their signal strength, et al. See his work here. Remember, it's still in the research stage: but if you could implement it on a large scale, you'd make a pretty penny doing so!
and see how long before that I use something like Knoppix STD to change my MAC address and get my ass into the network.
Come on, if you're a University, then you've already got fat pipes, and probably let the kids in dorms and the library have unlimited access, so why treat your other students like crap just because they're in the wrong location.
And if you limit their internet access, what kind of education do you think that you're providing them with by limiting the information that they can access?
Hell, and even if you try to, odds are that anybody with half a brain will hack it, or the user with access is going to set up their system as an IP masquerading AP.
I agree w/ some of the posts above. At my school (Wright State), we use a wireless network, with RADIUS authentication that expires every two hours. Give instructors the choice of allowing equipment or not; I had a prof who strictly forbid the use of Palms in class.
That being said, no MAC filtering or proxy solutions are going to be foolproof (or, more accurately, geek proof). It is easy enough to set up NAT on a laptop to give access to the next room, or spoof your MAC. As I see it, there are two possible solutions that would virtually guarantee that you achieve what you are trying to accomplish:
Magnetically seal each classroom: difficult, expensive, effective.
Jam 2.4 GHz in classrooms that you don't want access in: Cheaper, but may cause unwanted interference. Leaves 802.11a wide open for repeaters. Questionable legality?
Best of all, both of these solutions have the added benefit of blocking those &*$#!@#%$*% cell phones!
and get a BlueSocket device. Truly, they are the best.
User-level authentication...all you need is a Radius server.
We'll never get anywhere by building fences. You've heard the Linux quote, "In a world without windows and gates, who needs walls and fences." My simple solution is to just let the people on the network, use a public/private hotspot, D-Link makes some nice ones. Simple, but effective.
Assuming that there is one AP per classroom, and connections to adjacent classrooms do not work well:
Just have the campus electrician wire the AP to a lightswitch next to the blackboard. Then the professor can make their own decision on wireless access. The user interface requires little maintenance, is easy to use and difficult to hack without getting caught or electrocuted.
Mark
The Ohio State University has many wireless access points all over the campus. Since they already have pre-existing online student logins, those are used to gain online access. When you "hook up" to the router and open an internet browser it just pulls up a username verification page. That way any traffic from your address during the login period is associated with your username. Please excuse my simplistic explanation, I'm not at the ubergeek level yet :-p
4lpha-$
There's a big difference between universities/high schools (or English colleges): pupils (normally) want to be there, so if they don't want to listen to the lecture they obv don't wanna pass. I sit in lectures with my pbook taking notes, accessing the presentation in the lecture theater, getting files needed for the week's work, etc. I assume you have spent a lot on an 'e campus', so what's the point of denying access to it? Having an e campus is a great tool for learning; if I get confused by a word, I can google it, reserve a book from the library and get it later. Restricting this will be detrimental to learning, and pupils will always find a way round. If I go to the only lecture theater without access, I'll use Bluetooth and GPRS to dial up if I need to.