Slashdot Mirror


Restricting Wireless Access on Campus?

Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."


  1. Old Tech by Muggins+the+Mad · · Score: 4, Insightful

    Change the student password every hour. Have the teacher easily able to see what the password is.

    Write the password on the blackboard at the start of the class. Possibly have several different passwords with different levels of access.

    - Muggins the Mad

    1. Re:Old Tech by DetrimentalFiend · · Score: 2, Funny

      Two words: faraday cage

      Of course, you'd have to shield all of the rooms and then put an access point in every room that could be shut off. But, as long as we're talking about off the wall solutions, I thought I'd throw it out there.

  2. Weaken signal strength by SpaFF · · Score: 4, Interesting

    Aside from changing the password (or WEP key) constantly and having the professor tell the students what it is each class, you could shield the classroom so that the signal doesn't travel outside of it. This of course assumes that the access point is in the classroom and that the room is small enough to electromagnetically shield economically. Depending on the size of the room (big lecture halls) you might be able to just turn the signal strength of the AP down low enough so that it can't be reached outside of the room.

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  3. MAC addresses? by Nasarius · · Score: 5, Insightful

    Why not associate usernames with schedules and save yourself the hassle? Require a VPN logon for the wireless network, and deny access to specific users at the right times.

    --
    LOAD "SIG",8,1
    1. Re:MAC addresses? by josh3736 · · Score: 2, Insightful
      A lot of people have been suggesting some kind of MAC-based access control.

      Don't waste your time.

      The determined student can ever-so-easily skate right past MAC filtering. For example, if I'm in the class where I'm not supposed to connect, I can just sniff a MAC from the adjacent (wide-open) room and use that. Or just make one up, if you are using a blacklist instead of a whitelist.

      Go with NoCat or, more preferably, a VPN. Anyone can associate with the AP, but the AP is firewalled from the rest of the network. A VPN has the added benefit of having real data security (as opposed to WEP).

  4. NoCatNet! by cfoster611 · · Score: 3, Informative

    I've been meaning to set up a system using NoCat.

    It creates a splash-screen authentication at first connection. Either that or mandatory VPN.

    --
    --- Kicking the Cheat since late 2002
  5. Two words by deanpole · · Score: 4, Funny
    Faraday Cage

    ... is a room with metal walls, and screens (like you see on the front of a microwave) to pass air.

  6. Old fashioned by aridhol · · Score: 5, Insightful
    Why is it required that this one room not have any network connectivity? Why not do it the old-fashioned way: tell the students that network access is prohibited.

    What kind of school is this? Is it a college or university? The students are paying their way, let them waste their money by ignoring the class. Is it a K-12 school? Send a note home to the parents or disable the account of those caught using the 'net when they shouldn't.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Old fashioned by kalidasa · · Score: 4, Insightful

      You really don't want students to have WiFi capabilities in an examination environment. Remember, there are two kinds of WiFi network: infrastructure, and peer-to-peer.

  7. 802.1x + RADIUS by Russ+Steffen · · Score: 4, Informative

    What about using 802.1x with a RADIUS server that has time based access controls (like Radiator) ?

    1. Re:802.1x + RADIUS by megabeck42 · · Score: 2, Insightful

      This has to be the most effective solution suggested yet.

      802.1x is more cross-platform than proprietary VPN solutions, requires no instructor cooperation changing keys or announcing new keys, requires no hacking up of a DHCP server, etc.

      --
      fnord.
    2. Re:802.1x + RADIUS by lpret · · Score: 3, Informative

      I second this. At my university we use 1x and RADIUS and we can allow users during a time period to authenticate successfully. This means we can track who is on when, while allowing them to borrow a laptop or whatever. Look at your hardware and see if it's an option. By the way, are you familiar with the International Resnet Symposium? Currently underway at Princeton University, it's a great place to bounce ideas off of others and hear what other people (and vendors) have to offer.

      --
      This is my digital signature. 10011011001
    3. Re:802.1x + RADIUS by rasz · · Score: 2, Informative

      Agreed. 802.1x is the only way to go.
      MAC filtering? Are you even serious?
      ifconfig wi0 lladdr 01:02:03:04:05:06

      RADIUS and a good access policy, some centralised CMS-like management console and you're set.
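
The time-based policy discussed in this thread (authenticate by username over 802.1x, let the RADIUS server refuse logins during a restricted class) can be sketched as follows. This is an added example, not code from any commenter or from a RADIUS product: it is the decision logic only, the schedule, usernames and AP names are constructed, and `Access-Accept`, `Access-Reject` and `Session-Timeout` are the standard RADIUS reply and attribute names.

```python
from datetime import datetime, time

# Constructed sample data; course, AP and user names are hypothetical.
# weekday: 0 = Monday. room_ap: the access point inside the restricted room.
RESTRICTED = [
    {"course": "CS101", "weekday": 0, "start": time(10, 0), "end": time(11, 0),
     "room_ap": "ap-room-204", "students": {"alice", "bob"}},
]

def _active(session, when):
    """True while the restricted class is in session (end time exclusive)."""
    return (when.weekday() == session["weekday"]
            and session["start"] <= when.time() < session["end"])

def authorize(username, nas_id, when):
    """Decide one authentication attempt.

    username: identity proven by the EAP exchange (not a MAC address)
    nas_id:   identifier of the AP that relayed the request
    when:     datetime of the request
    """
    for s in RESTRICTED:
        if not _active(s, when):
            continue
        if username in s["students"]:
            return "Access-Reject"   # enrolled student, class in session
        if nas_id == s["room_ap"]:
            return "Access-Reject"   # anyone on the restricted room's AP
    return "Access-Accept"

def session_timeout(username, nas_id, when):
    """Seconds until the next restriction that applies later today, to send
    as Session-Timeout so a session accepted before class must
    re-authenticate when the class starts. None if nothing is upcoming."""
    best = None
    for s in RESTRICTED:
        applies = username in s["students"] or nas_id == s["room_ap"]
        if applies and when.weekday() == s["weekday"] and when.time() < s["start"]:
            start = datetime.combine(when.date(), s["start"])
            secs = int((start - when).total_seconds())
            best = secs if best is None else min(best, secs)
    return best
```
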

  8. Why? by SecretFire · · Score: 4, Interesting
    I think we need a lot more information about the circumstances here. Is there some sort of test that requires students to have a laptop but not access the internet?

    Or is it some old teacher that thinks that it'll somehow force people to listen to their boring, pointless lectures, when the students will likely just find something else to entertain themselves with.

  9. Re:Easy. by sethstorm · · Score: 2, Insightful

    MAC Address Restriction won't help, people could just sniff over and masquerade as other clients. Time up on one MAC? Spoof another. Rinse and repeat until wifi wants are satisfied, since nobody is going to be on all of that time or all of that week. Rate limiting won't help if it's done this way, you're just going to get some people who will just hop from one to another MAC, and people wondering what happened to their time.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  10. Don't use Wireless by miyako · · Score: 2, Insightful

    Wireless is good for a lot of things, but it seems to me that this "solution" will require so much more time and effort that you might as well just use a wired solution. It shouldn't be too hard to have a router in each classroom that can be turned on or off as is appropriate. With a wireless solution you are pretty much relegated to turning off each individual student's access based on their schedule, which is going to be much more difficult to implement effectively.

    --
    Famous Last Words: "hmm...wikipedia says it's edible"
  11. Use a simple solution. by Harik · · Score: 3, Informative
    You don't need technology to solve this problem.

    All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.

    Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.

    Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?

  12. Seconded... by Gordonjcp · · Score: 4, Funny
    I mean, ffs, presumably these are University students we're talking about here? Are you deliberately treating them like naughty children as part of some kind of weird-ass psychological experiment?


    Mind you, what do you expect from a country where you can buy a gun when you're 12 but you can't drink anywhere until you're 21?

  13. 2 examples by neglige · · Score: 3, Informative

    I know 2 examples of universities that have WLAN on the entire (well, almost) campus.

    1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.

    2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).

    Of course each solution requires you to have an account at the university (LDAP check).

    As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and..... :/

    --
    My cats ate my karma. They also wrote this comment.
  14. Re:Easy. by markxz · · Score: 2, Insightful

    allot bandwidth according to classes- one hour per week per hour-long class

    In most university situations it would be desirable to have access outwith the scheduled classes, but less desirable for use during classes (it is distracting and rude towards those taking the classes).

    If it is necessary to restrict access (for exams etc.), the easiest way is to disallow any equipment not provided by the university. In exams I have had calculators provided.

  15. Depends on the Wireless System by routerwhore · · Score: 3, Informative
    Any of the next gen wireless platforms provide this functionality quite handily. They are completely centralized, user aware, include per-user firewalls, heavy duty encryption (2 Gbps IPSEC) and allow policies to be set based on location and time of day. When you are an organization that needs to manage more than 10 APs, you get a big boy system to do it. Let the small guys roll their own.

    Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.

  16. Impossible by photon317 · · Score: 4, Insightful


    Even if you do access control by MAC address or VPN login as others have stated, students will just swap wireless cards or VPN logins with someone on a different schedule when they need to.

    --
    11*43+456^2
  17. Don't do it at all. by Charles+Dart · · Score: 4, Insightful

    It's a bad idea, students will either hack it or switch to cellular modems. Just let the tight-assed professors deal with it and tell them to join us in the twenty-first century.

    What you are doing shows a lack of respect to the students. If a student wants to waste their opportunity to be educated let em. The good students will voluntarily go by the rules.

    Believe me if you try to implement this system you are in for a world of hurt.

  18. Spend $$$ by drix · · Score: 3, Informative

    At my school (Berkeley) they're using something by Vernier, most likely this, to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)

    --

    I think there is a world market for maybe five personal web logs.
  19. mac address by jbolden · · Score: 2, Interesting

    The problem with most of these mac address based solutions is they assume:

    1) You don't have large numbers of people openly subverting the system

    2) People don't have administrative access to their own boxes

    Neither of which is true in a college environment. You can tell an ethernet card to change its effective MAC address to anything and students will share information with each other.

    Security requires that:
    a) the people with access want to protect the information from the people without access
    b) The people with access cannot communicate to the people without access

    You don't have either situation. Rather what you have is a 3rd party creating a security policy (which classrooms have access) which does not enjoy student support. I agree with the poster who commented on a wired solution, this seems 100x easier.

  20. Location tracking - it can be done! by berteag00 · · Score: 2, Informative

    ...but not with off-the-shelf solutions. See the research of Dan Wallach, Rice University (my alma mater). He's been doing some research on Bayesian methods of determining a wireless node's location based on its signal strength at multiple APs. Surprisingly robust, even in the face of people maliciously modulating their signal strength, et al. See his work here. Remember, it's still in the research stage: but if you could implement it on a large scale, you'd make a pretty penny doing so!

  21. Yeah, go off MAC addresses, by La+Camiseta · · Score: 2, Interesting

    and see how long before that I use something like Knoppix STD to change my MAC address and get my ass into the network.

    Come on, if you're a University, then you've already got fat pipes, and probably let the kids in dorms and the library have unlimited access, so why treat your other students like crap just because they're in the wrong location.

    And if you limit their internet access, what kind of education do you think that you're providing them with by limiting the information that they can access?

    Hell, and even if you try to, odds are that anybody with half a brain will hack it, or the user with access is going to set up their system as an IP masquerading AP.

    1. Re:Yeah, go off MAC addresses, by La+Camiseta · · Score: 2, Informative

      If they're stupid enough to let the kids bring in a computer or PDA, then they deserve it. Anyways, who in their right mind would let a kid bust out a laptop or PDA in an exam situation.

      (And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers? There's no real way to stop that. Or maybe downloading the info earlier and just going off of it during the exam?)

      If they must have computers for final exams, then that's what computer labs are for.

  22. quit counting beans by Game+Genie · · Score: 2, Interesting
    If a student decides to sit and screw around on the internet during class rather than listen that is their own problem, they have the right to fail. At worst this may be a minor disruption to the class, in which it is always within the prof's discretion to give them the boot. This is college, not high school.

    That being said, no MAC filtering or proxy solutions are going to be foolproof (or, more accurately, geek proof). It is easy enough to set up NAT on a laptop to give access to the next room, or spoof your MAC. As I see it, there are two possible solutions that would virtually guarantee that you achieve what you are trying to accomplish:

    Magnetically seal each classroom: difficult, expensive, effective.

    Jam 2.4 GHz in classrooms that you don't want access in: Cheaper, but may cause unwanted interference. Leaves 802.11a wide open for repeaters. Questionable legality?

    Best of all, both of these solutions have the added benefit of blocking those &*$#!@#%$*% cell phones!

  23. You want to spend money by Famanoran · · Score: 2, Informative

    and get a BlueSocket device. Truly, they are the best.

  24. Keep it open! by beej_55 · · Score: 2, Interesting

    We'll never get anywhere by building fences. You've heard the Linux quote, "In a world without windows and gates, who needs walls and fences." My simple solution is to just let the people on the network, use a public/private hotspot, D-Link makes some nice ones. Simple, but effective.