Restricting Wireless Access on Campus?
Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."
I've been meaning to set up a system using NoCat.
It creates a splash-screen authentication at first connection. Either that or mandatory VPN.
--- Kicking the Cheat since late 2002
What about using 802.1x with a RADIUS server that has time-based access controls (like Radiator)?
All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.
Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.
Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?
I know 2 examples of universities that have WLAN on the entire (well, almost) campus.
:/
1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.
2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).
Of course each solution requires you to have an account at the university (LDAP check).
As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and.....
My cats ate my karma. They also wrote this comment.
Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.
At my school (Berkeley) they're using something by Vernier, most likely this, to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)
I think there is a world market for maybe five personal web logs.
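The per-classroom, schedule-driven restriction asked about in this thread, sketched as the authorization decision a RADIUS or access-manager policy hook could make once a user has authenticated. This is an added example, not code from any poster or product named above. The access point names, room mapping, schedule and usernames are constructed, and it assumes that during a scheduled session in the restricted room only enrolled users are admitted, while every other room and time is open to any authenticated user.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample data; every name here is hypothetical.
AP_TO_ROOM = {"ap-101": "room-101", "ap-102": "room-102", "ap-103": "room-103"}

@dataclass(frozen=True)
class Session:
    room: str
    weekday: int          # 0 = Monday, as in datetime.weekday()
    start: time
    end: time             # exclusive
    enrolled: frozenset   # authenticated usernames, not MAC addresses

# Only room-102 has restricted sessions; rooms 101 and 103 stay open.
SCHEDULE = [
    Session("room-102", 0, time(9, 0), time(10, 30), frozenset({"alice", "bob"})),
    Session("room-102", 2, time(13, 0), time(14, 0), frozenset({"carol"})),
]

def active_session(room, when):
    """Return the restricted session running in `room` at `when`, if any."""
    for s in SCHEDULE:
        if (s.room == room and s.weekday == when.weekday()
                and s.start <= when.time() < s.end):
            return s
    return None

def authorize(user, ap_id, when):
    """Return (decision, reason) for an already-authenticated user."""
    room = AP_TO_ROOM.get(ap_id)
    if room is None:
        return ("reject", "unknown access point")  # fail closed
    session = active_session(room, when)
    if session is None:
        return ("accept", "no restricted session in " + room)
    if user in session.enrolled:
        return ("accept", "enrolled in active session")
    return ("reject", "restricted session in progress")

if __name__ == "__main__":
    monday_class = datetime(2024, 1, 8, 9, 15)  # a Monday, during the session
    for user, ap in [("alice", "ap-102"), ("dave", "ap-102"), ("dave", "ap-101")]:
        print(user, ap, authorize(user, ap, monday_class))
```

Radio coverage does not stop at classroom walls, so a client in the restricted room may associate with a neighbouring room's access point; the AP-to-room mapping is only as precise as the cell layout.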