
We are a small(ish) boarding school (K-12) with around 100 boarders.  We are located in a residential neighborhood with a lot of homes very close to the school.  Management wants an SSID for guests which does not require a password.  My corporate reaction is “that is crazy”.  My secondary/new to academia reaction is “why not”.

 

If the guests network is completely separated from the internal network, severely limited in bandwidth, web filtered, protocol/applications blocked etc.  Who cares?  The only potential issue I could see is web filtering can’t stop everything.

 

Then there is the whole question of how to handle “personal devices” for staff and students.  Any thoughts on that would be appreciated as well.  Thinking of hidden SSID (simply to make it less confusing for users) with MAC address limiting and DPSK (via Ruckus).

 

Thank you for any suggestions.  I am finding the transition from a corporate environment to academic, especially with boarding students, to be quite interesting to say the least.

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org

D: +1.253.284.5465 | F: +1.253.572.3616 | Bob_Williamson@aw.org

 

Annie Wright's strong community cultivates individual learners to become

well-educated, creative, and responsible citizens for a global society.

 

    

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

The first thought that pops into my mind is that you might need to manage violation messages from the RIAA or other copyright-concerned organizations and what will your recourse be if you do not have security. We use Audible Magic's solution to try to do our due diligence as far as government standards in a way that is mostly automatic, but there are always a few that slip through. When we get the notices, we need to be able to find the device that caused them and we can do this on the wireless through the user authentication.

Somebody else might have a solution to this or another thought process (actually that would be great!).

But, that is ONE of our reasons right now. The other is the cost of our Internet bandwidth. We're in an urban environment and try to conserve our resources for our students, faculty, and staff.

Caroline Owens
Networking and Telecommunications
Saint Joseph's University
(610) 660-1613

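
Added example, not part of the original thread or any poster's own tooling: a sketch of the notice-to-device lookup discussed above, showing why an authenticated SSID yields a user while an open SSID stops at a MAC address. It assumes the site retains NAT, DHCP and wireless authentication logs; the record layouts, addresses, MACs and the username are all constructed for illustration.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse a UTC timestamp such as 2012-01-27T15:04:10Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample records (hypothetical layout, not a real product's log format).
# NAT translations: (start, end, public_ip, public_port, private_ip)
NAT_LOG = [
    (ts("2012-01-27T15:00:00Z"), ts("2012-01-27T15:10:00Z"), "203.0.113.10", 40001, "10.20.1.57"),
    (ts("2012-01-27T15:12:00Z"), ts("2012-01-27T15:20:00Z"), "203.0.113.10", 40001, "10.66.0.23"),
    (ts("2012-01-27T15:00:00Z"), ts("2012-01-27T15:30:00Z"), "203.0.113.10", 40002, "10.66.0.23"),
]
# DHCP leases: (start, end, private_ip, mac). 10.66.0.23 is reused by two guest devices.
DHCP_LOG = [
    (ts("2012-01-27T08:00:00Z"), ts("2012-01-27T20:00:00Z"), "10.20.1.57", "00:11:22:33:44:55"),
    (ts("2012-01-27T14:00:00Z"), ts("2012-01-27T15:05:00Z"), "10.66.0.23", "66:77:88:99:aa:bb"),
    (ts("2012-01-27T15:06:00Z"), ts("2012-01-27T18:00:00Z"), "10.66.0.23", "02:de:ad:be:ef:01"),
]
# Auth sessions exist only for the authenticated SSID: (start, end, mac, user)
AUTH_LOG = [
    (ts("2012-01-27T07:55:00Z"), ts("2012-01-27T21:00:00Z"), "00:11:22:33:44:55", "student042"),
]

def _active(rows, when, key_idx, key):
    """Rows whose [start, end] window covers `when` and whose key column matches."""
    return [r for r in rows if r[0] <= when <= r[1] and r[key_idx] == key]

def attribute(public_ip, public_port, when):
    """Walk NAT -> DHCP -> auth logs and report how far the trail goes."""
    result = {"private_ip": None, "mac": None, "user": None, "status": "no-nat-match"}
    nat = [r for r in _active(NAT_LOG, when, 2, public_ip) if r[3] == public_port]
    if len(nat) != 1:
        # Zero matches: logs missing or notice time wrong. Several: do not guess.
        result["status"] = "ambiguous-nat" if nat else "no-nat-match"
        return result
    result["private_ip"] = nat[0][4]
    leases = _active(DHCP_LOG, when, 2, result["private_ip"])
    if len(leases) != 1:
        result["status"] = "no-lease"
        return result
    result["mac"] = leases[0][3]
    sessions = _active(AUTH_LOG, when, 2, result["mac"])
    if sessions:
        result["user"] = sessions[0][3]
        result["status"] = "user-identified"
    else:
        result["status"] = "device-only"  # open SSID: a MAC, but no accountable person
    return result
```

The lookup needs the source port and a precise timestamp from the notice; a minute either way on the reused guest address points at a different device.
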
I'm very fond of our old-school Bluesocket guest portal. We require the guests to self-sponsor themselves with a 10-digit cell phone number, which their password is texted to. We get basic accountability, and you can give them a range of different classes of service/duration of guest session.

Lee H. Badman
Wireless/Network Engineer, ITS
Adjunct Instructor, iSchool
Syracuse University
315.443.3003
________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Caroline Owens [owens@SJU.EDU]
Sent: Thursday, January 19, 2012 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

That IS kind of cool, Lee! Caroline Owens Networking and Telecommunications Saint Joseph's University (610) 660-1613
Message from jcoehoorn@york.edu

We're a small residential college in a small town in rural Nebraska with about 450 students. We have a completely open guest network, and have not had any issues. At all. There are numerous homes adjacent to campus, in most cases just across a narrow street from the access points.

I think what you'll find is that no one uses bandwidth like your students use bandwidth. These kids live and breathe online. The family or two who may try to leech your bandwidth will still be nearer the edge of the range and won't get as much as they'd like, with the result that this is a drop in the bucket next to what your students use on a regular basis.

Sent from my iPod

Message from network.ipdog@gmail.com

Meraki...  ;^)

 

http://www.meraki.com/

Ephesians 4:32  &  Cheers!!!

 

Good point - we use Meraki in our London campus. 35 APs, about 300 users, and a very active and effective guest environment provided as part of the solution.


Message from dwcarder@wisc.edu

Hi Bob,
We rate shape the guest network to a very low total bandwidth and block all applications except email, web traffic and software/os update facilities. -Brian
I've seen this come up a couple of times. So I hope you don't mind me asking, what would be the advantage of providing "very low total bandwidth" for your guests? Pete M.
Message from kohster@northwestern.edu

On Fri Jan 27 2012 09:54:40 Central Time, Peter P Morrissey wrote:
> I've seen this come up a couple of times. So I hope you don't mind me asking, what would be the advantage of providing "very low total bandwidth" for your guests?

One line of reasoning would be that you want to differentiate the guest network from your regular user network in terms of service level. Your typical user isn't going to readily appreciate the advantages that a regular WPA2 Enterprise SSID has in terms of encryption and centralized authentication, and in general you don't want the guest network to be an attractive option for your regular users.

Also, depending on how your bandwidth is provisioned, you might want to prioritize/reserve traffic for your regular users over guest traffic anyway.

Finally (at least from what I can think of quickly :)), depending on your physical proximity to non-University spaces, you might not want your guest network to be an attractive access option for people who are just next to your campus and could leech off your resources without being actual guests.

--
Julian Y. Koh
Manager, Network Transport
Telecommunications and Network Services
Northwestern University
PGP Public Key:

Message from cstree2@emory.edu

No password means no encryption. A one word reason why you should not have an open network:

FIRESHEEP

Hidden SSIDs are also a security concern: read this:

http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/

"If you're not using encryption, or you're using the pathetic WEP encryption scheme, it doesn't matter whether you hide your SSID, filter MAC addresses, or cover your head in tin foil -- your network is wide open for hacking in a matter of minutes."

Chad Street
Communications Architect
Emory University / Healthcare

On 1/27/12 10:48 AM, "Brian Helman" wrote:

>We rate shape the guest network to a very low total bandwidth and block
>all applications except email, web traffic and software/os update
>facilities.
>
>-Brian

Message from bosborne@liberty.edu

In our case here at Liberty University, management wanted to use limiting to encourage those needing access to use our other official NAC policed means, while still keeping an open Guest network (Just accept our policy). It would discourage neighbors from freeloading off our limited Internet bandwidth. We are currently moving in the direction of limiting bandwidth abusers or charging for excessive usage. Bruce Osborne Network Engineer IT Network Services   (434) 592-4229   LIBERTY UNIVERSITY 40 Years of Training Champions for Christ: 1971-2011
Message from frnkblk@iname.com

How do you handle RIAA complaints?

 

Frank

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joel Coehoorn
Sent: Thursday, January 19, 2012 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

 



Just opened ours up this weekend.  I am going to do the best I can to stop users from doing illegal stuff.  We are MUCH smaller than most on this list (300 students K-12, 100 female boarding students, 100 staff, all girls past 8th grade).

 

Closing ports, filtering websites, application level filtering (layer 2) etc.

· It is an all-girls school past 8th grade which makes it easier.
· Filtering on the “guest” SSID will be more stringent than the internal.
· Very granular port filtering.
· Application signature blocking (in my case Watchguard).
· Web filtering via Watchguard.
· Throttle that SSID at the wireless and/or firewall.
· Weekly reports/reviews.

 

Can’t stop everything, but …

 

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org

D: +1.253.284.5465 | F: +1.253.572.3616 | Bob_Williamson@aw.org

 


 

    

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Bulk
Sent: Saturday, January 28, 2012 3:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

 



To keep the students and employees off it. -Brian
How do you regulate the suck so guests can use it, but campus folks can't?
Give different IP addresses on the visitor network that cannot access local resources (e.g Blackboard). We also use the "allow unknown clients" in DHCP. Once a device is registered on the regular network, it will not receive a lease on the visitor network. Philippe Univ. of TN
Message from ahockett@warnerpacific.edu

AP isolation + VLAN 666 for guests. It's the only way to be sure. ;-) -Aaron
Message from trent.hurt@louisville.edu

Our current guest access is via web portal and sponsored accounts. We are looking at doing away with the need for sponsoring accounts and opening it up with port/bandwidth restrictions and AUP. Our security folks are concerned with CALEA, and how to handle DMCA notices. For the folks that are doing this kind of setup, how are you dealing with these issues?

Thanks
Trent

Trenton Hurt, CWNA, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Wireless Network Administrator
University of Louisville
Phone (502) 852-1513
FAX (502) 852-1424

Philippe, I love that idea, but does that work in reverse? If someone accidentally uses the Guest Network first, will they get closed out of the real network when they try to join? -Brian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Monday, January 30, 2012 4:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs, devices and guests

No, they won't, since guests don't have a registered MAC address. Only machines that have an entry in the MAC address database (e.g. netreg) will be subject to it. Philippe