Slashdot Mirror


Restricting Wireless Access on Campus?

Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."

11 of 89 comments

  1. NoCatNet! by cfoster611 · · Score: 3, Informative

    I've been meaning to set up a system using NoCat.

    It creates a splash-screen authentication at first connection. Either that or mandatory VPN.

    --
    --- Kicking the Cheat since late 2002
  2. 802.1x + RADIUS by Russ+Steffen · · Score: 4, Informative

    What about using 802.1x with a RADIUS server that has time-based access controls (like Radiator)?

    1. Re:802.1x + RADIUS by lpret · · Score: 3, Informative

      I second this. At my university we use 1x and RADIUS and we can allow users during a time period to authenticate successfully. This means we can track who is on when, while allowing them to borrow a laptop or whatever. Look at your hardware and see if it's an option. By the way, are you familiar with the International Resnet Symposium? Currently underway at Princeton University, it's a great place to bounce ideas off of others and hear what other people (and vendors) have to offer.

      --
      This is my digital signature. 10011011001
    2. Re:802.1x + RADIUS by rasz · · Score: 2, Informative

      Agreed. 802.1x is the only way to go.
      MAC filtering? Are you even serious?
      ifconfig wi0 lladdr 01:02:03:04:05:06

      RADIUS and a good access policy, some centralised CMS-like management console and you're set.
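
Added example, not part of any comment in this thread and not code from Radiator or any other RADIUS product: one way the time-based policy discussed in the 802.1x + RADIUS replies could decide per classroom, keyed on the authenticated user name and the AP reported in Called-Station-Id. The AP table, the session schedule, the user names, and the reading of "restricted" as "enrolled students are rejected during their session" are all assumptions.

```python
from datetime import datetime, time

# Constructed sample data; every name and address below is hypothetical.
# AP MAC (from Called-Station-Id) -> (building, room) that the AP serves.
AP_LOCATION = {
    "00-11-22-AA-BB-01": ("SCI", "101"),
    "00-11-22-AA-BB-02": ("SCI", "102"),
    "00-11-22-AA-BB-03": ("SCI", "103"),
    "00-11-22-CC-DD-01": ("LIB", "1"),
}

# One restricted session: room SCI/102, Mondays 09:00-10:30.
SESSIONS = [{
    "building": "SCI", "room": "102", "weekday": 0,
    "start": time(9, 0), "end": time(10, 30),
    "roster": {"alice", "bob"},  # enrolled students, restricted in session
}]


def ap_mac(called_station_id):
    """Called-Station-Id is 'AA-BB-CC-DD-EE-FF:SSID' (RFC 3580); keep the MAC."""
    return called_station_id.split(":", 1)[0].upper()


def decide(user, called_station_id, when):
    """Policy decision for a user who has already passed 802.1X authentication."""
    location = AP_LOCATION.get(ap_mac(called_station_id))
    if location is None:
        return "Access-Reject"  # unknown AP or unparsable attribute: fail closed
    building, _room = location
    for s in SESSIONS:
        in_session = (when.weekday() == s["weekday"]
                      and s["start"] <= when.time() < s["end"])
        # Match on building, not room: a client sitting in 102 can associate
        # with the AP next door, so the AP alone does not locate the client.
        if in_session and building == s["building"] and user.lower() in s["roster"]:
            return "Access-Reject"
    return "Access-Accept"
```

Because the decision follows the authenticated identity rather than the radio the client happens to reach, users in the adjacent rooms keep open access while enrolled students stay restricted even when they roam to a neighbouring AP.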

  3. Use a simple solution. by Harik · · Score: 3, Informative
    You don't need technology to solve this problem.

    All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.

    Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.

    Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?

  4. 2 examples by neglige · · Score: 3, Informative

    I know 2 examples of universities that have WLAN on the entire (well, almost) campus.

    1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.

    2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).

    Of course each solution requires you to have an account at the university (LDAP check).

    As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and..... :/

    --
    My cats ate my karma. They also wrote this comment.
  5. Depends on the Wireless System by routerwhore · · Score: 3, Informative
    Any of the next gen wireless platforms provide this functionality quite handily. They are completely centralized, user aware, include per-user firewalls, heavy duty encryption (2 Gbps IPSEC) and allow policies to be set based on location and time of day. When you are an organization that needs to manage more than 10 APs, you get a big boy system to do it. Let the small guys roll their own.

    Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.

  6. Spend $$$ by drix · · Score: 3, Informative

    At my school (Berkeley) they're using something by Vernier, most likely this, to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)

    --

    I think there is a world market for maybe five personal web logs.
  7. Location tracking - it can be done! by berteag00 · · Score: 2, Informative

    ...but not with off-the-shelf solutions. See the research of Dan Wallach, Rice University (my alma mater). He's been doing some research on Bayesian methods of determining a wireless node's location based on its signal strength at multiple APs. Surprisingly robust, even in the face of people maliciously modulating their signal strength, et al. See his work here. Remember, it's still in the research stage: but if you could implement it on a large scale, you'd make a pretty penny doing so!

  8. Re:Yeah, go off MAC addresses, by La+Camiseta · · Score: 2, Informative

    If they're stupid enough to let the kids bring in a computer or PDA, then they deserve it. Anyways, who in their right mind would let a kid bust out a laptop or PDA in an exam situation?

    (And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers? There's no real way to stop that. Or maybe downloading the info earlier and just going off of it during the exam?)

    If they must have computers for final exams, then that's what computer labs are for.

  9. You want to spend money by Famanoran · · Score: 2, Informative

    and get a BlueSocket device. Truly, they are the best.