Restricting Wireless Access on Campus?
Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."
Change the student password every hour. Have the teacher easily able to see what the password is.
Write the password on the blackboard at the start of the class. Possibly have several different passwords with different levels of access.
- Muggins the Mad
Aside from changing the password (or WEP key) constantly and having the professor tell the students what it is each class, you could shield the classroom so that the signal doesn't travel outside of it. This of course assumes that the access point is in the classroom and that the room is small enough to electromagnetically shield economically. Depending on the size of the room (big lecture halls) you might be able to just turn the signal strength of the AP down low enough so that it can't be reached outside of the room.
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
Why not associate usernames with schedules and save yourself the hassle? Require a VPN logon for the wireless network, and deny access to specific users at the right times.
LOAD "SIG",8,1
I've been meaning to set up a system using NoCat.
It creates a splash-screen authentication at first connection. Either that or mandatory VPN.
--- Kicking the Cheat since late 2002
... is room with metal walls, and screens (like you see on the front of a microwave) to pass air.
What kind of school is this? Is it a college or university? The students are paying their way, let them waste their money by ignoring the class. Is it a K-12 school? Send a note home to the parents or disable the account of those caught using the 'net when they shouldn't.
I can't say that I don't give a fuck. I've just run out of fuck to give.
What about using 802.1x with a RADIUS server that has time-based access controls (like Radiator)?
Or is it some old teacher that thinks that it'll somehow force people to listen to their boring, pointless lectures, when the students will likely just find something else to entertain themselves with?
All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.
Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.
Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?
Mind you, what do you expect from a country where you can buy a gun when you're 12 but you can't drink anywhere until you're 21?
I know 2 examples of universities that have WLAN on the entire (well, almost) campus.
:/
1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.
2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).
Of course each solution requires you to have an account at the university (LDAP check).
As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and.....
My cats ate my karma. They also wrote this comment.
Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.
Even if you do access control by MAC address or VPN login as others have stated, students will just swap wireless cards or VPN logins with someone on a different schedule when they need to.
11*43+456^2
It's a bad idea; students will either hack it or switch to cellular modems. Just let the tight-assed professors deal with it and tell them to join us in the twenty-first century.
What you are doing shows a lack of respect to the students. If a student wants to waste their opportunity to be educated, let 'em. The good students will voluntarily go by the rules.
Believe me, if you try to implement this system you are in for a world of hurt.
At my school (Berkeley) they're using something by Vernier, most likely this, to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)
I think there is a world market for maybe five personal web logs.
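Several comments above suggest authenticating each user (VPN, 802.1x/RADIUS or a login gateway) and denying specific usernames during their class times. The following is an added example of that authorization step, not code from any poster or product; the course, users and times are constructed, and it assumes the login system calls a hook like this after checking credentials.

```python
from datetime import datetime, time

# Constructed sample data (hypothetical course, users and times).
# Each entry: (course, weekday with 0 = Monday, start, end).
RESTRICTED_SESSIONS = [
    ("CS101", 0, time(9, 0), time(9, 50)),
    ("CS101", 2, time(9, 0), time(9, 50)),
]
ENROLLMENT = {"CS101": {"alice", "bob"}}
STAFF = {"prof_smith"}


def active_restrictions(when):
    """Return the courses whose restricted session covers `when`."""
    return [
        course
        for course, weekday, start, end in RESTRICTED_SESSIONS
        if when.weekday() == weekday and start <= when.time() < end
    ]


def authorize(username, when):
    """Accept or reject an already-authenticated user.

    The decision depends on the username and the clock only, so the MAC
    address or the access point (e.g. one in the open classroom next
    door) does not change the outcome.
    """
    if username in STAFF:
        return ("accept", "staff")
    for course in active_restrictions(when):
        if username in ENROLLMENT.get(course, set()):
            return ("reject", f"{course} in session")
    return ("accept", "no restricted session")


def session_timeout(username, when):
    """Seconds until this user's next restricted session starts today, or
    None. Used as the session lifetime, a 08:55 login is re-checked at 09:00."""
    pending = [
        datetime.combine(when.date(), start)
        for course, weekday, start, _ in RESTRICTED_SESSIONS
        if weekday == when.weekday() and start > when.time()
        and username in ENROLLMENT.get(course, set())
    ]
    return int((min(pending) - when).total_seconds()) if pending else None
```

Because the check is per username, it does not stop the login swapping described in the thread; it only removes the dependence on MAC addresses and on which access point the signal reaches.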