+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 24
General Chat Thread, Wifi in your school, who has access to it? in General; Quite simply, who has access to your wifi within your school? For us it was staff and sixth form students. ...
  1. #1
    rad
    rad is offline
    rad's Avatar
    Join Date
    Jan 2009
    Location
    Middlesex
    Posts
    2,482
    Thank Post
    335
    Thanked 308 Times in 236 Posts
    Rep Power
    109

    Wifi in your school, who has access to it?

    Quite simply, who has access to your wifi within your school?

    For us it was staff and sixth form students. It appears the password to the wifi has been leaked and lower years have access to it, I have raised this with SLT.

    Just interested what other schools do. We have 2000 students.

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,941
    Thank Post
    886
    Thanked 1,694 Times in 1,472 Posts
    Blog Entries
    12
    Rep Power
    447
    You should use something like radius. The authentication is based on the domain username and password. Set it so only students in 6th form can login.

    We offer BYOD to staff. Staff are able to login and use the service using AD credentials. Although they get a delivered Citrix session and not an internet connection.

  3. 2 Thanks to FN-GM:

    rad (1st March 2014), speckytecky (28th February 2014)

  4. #3

    Join Date
    Nov 2012
    Location
    Surrey
    Posts
    62
    Thank Post
    4
    Thanked 9 Times in 9 Posts
    Rep Power
    5
    We have four SSIDs:

    The first extending our internal subnet and used only by school owned devices. The passphrase is a very unmemorable and only known by a select few (3 people).
    The second is used for guest access but mainly to allow staff internet access for their mobiles etc... access controlled using Radius.
    The third is used for the sixth form students bringing their own devices to use in school as above access controlled using Radius.
    The forth is used by students participating in a 1:1 device scheme protected using again a very unmemorable passphrase issued using our MDM solution and know by me and written in our site documentation and then radius authentication primarily for keeping track of who is doing what on the web.

  5. Thanks to Sibrows from:

    rad (1st March 2014)

  6. #4

    Join Date
    Oct 2005
    Location
    hey hey hey, stay outta my shed. STAY OUT OF MY SHED.
    Posts
    1,023
    Thank Post
    238
    Thanked 193 Times in 149 Posts
    Rep Power
    106
    We implement RADIUS so we don't have any "the password" issues and make it available to all staff and students.

  7. Thanks to Roberto from:

    rad (1st March 2014)

  8. #5
    rad
    rad is offline
    rad's Avatar
    Join Date
    Jan 2009
    Location
    Middlesex
    Posts
    2,482
    Thank Post
    335
    Thanked 308 Times in 236 Posts
    Rep Power
    109
    This is very helpful, I'd like to add, our wifi is in the pipeline for upgrade and I think this will push it along nicely. The current setup is about 6 years old supported by the LEA using Cisco kit.

    Keep the ideas and info coming

  9. #6
    IrritableTech's Avatar
    Join Date
    Nov 2007
    Location
    West Yorkshire
    Posts
    797
    Thank Post
    84
    Thanked 173 Times in 142 Posts
    Rep Power
    65
    We have different SSIDs for domain connected devices, guest devices, sixth form devices, staff devices and cashless tills.

    We control access using our ruckus controller, AD and dynamic pre shared keys.

    I need to setup a radius server though to do dynamic vlan assignments - we've hit the limit on SSIDs.

  10. #7

    Join Date
    Oct 2013
    Posts
    55
    Thank Post
    2
    Thanked 9 Times in 5 Posts
    Rep Power
    3
    Using ruckus we have 5 different WLANS:-

    One for School owned devices (Staff issued laptops, tablets etc) controlled using MAC address.

    Another for all 5 laptop trolleys, (4 in departments, 1 mobile), again controlled by MAC address

    Another for Staff BYOD, controlled using AD authentication.

    Another for 6th form BYOD, again controlled using AD authentication (they have to sign an AUP before they are made members of the security group that the ruckus controller looks for to allow access).

    And another for guest access controlled using generated guest passes on the ruckus controller.

  11. #8

    Join Date
    Jan 2014
    Location
    Isle Of Wight
    Posts
    82
    Thank Post
    87
    Thanked 7 Times in 7 Posts
    Rep Power
    3
    I have no objection of staff having access to it as long as they follow our internet usage policy; however they do not know the wifi password; the device has to be manually added and the device, serial and owner are recorded. All pupil devices have it pre-installed and re-registered on ever successful connection.

  12. #9

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,941
    Thank Post
    886
    Thanked 1,694 Times in 1,472 Posts
    Blog Entries
    12
    Rep Power
    447
    Quote Originally Posted by IWDave View Post
    I have no objection of staff having access to it as long as they follow our internet usage policy; however they do not know the wifi password; the device has to be manually added and the device, serial and owner are recorded. All pupil devices have it pre-installed and re-registered on ever successful connection.
    If staff have admin rights they will be able to view the Key.

  13. #10

    Join Date
    Dec 2009
    Posts
    48
    Thank Post
    0
    Thanked 8 Times in 4 Posts
    Rep Power
    11
    we have only ever given the key to staff, as giving the key to students would mean that some could access it from home as they live directly behind the school ! however now on the wisdom of a few (not me) we have purchased a batch of android tablets and it's going to be fun locking these down so the kids don't access our key on them (as soon as they do every kids mobile phone in the school will be browsing via our wireless ), surfaces I would have agreed with then I could have used GP .I was asked if our sports hall team that run clubs at night could give our key to it's customers but I had to explain that they had never agreed to our usage policy.

  14. #11

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,941
    Thank Post
    886
    Thanked 1,694 Times in 1,472 Posts
    Blog Entries
    12
    Rep Power
    447
    Quote Originally Posted by sjpage10 View Post
    we have only ever given the key to staff, as giving the key to students would mean that some could access it from home as they live directly behind the school ! however now on the wisdom of a few (not me) we have purchased a batch of android tablets and it's going to be fun locking these down so the kids don't access our key on them (as soon as they do every kids mobile phone in the school will be browsing via our wireless ), surfaces I would have agreed with then I could have used GP .I was asked if our sports hall team that run clubs at night could give our key to it's customers but I had to explain that they had never agreed to our usage policy.
    You could setup your wireless so it disables the SSID after hours. No chance of using it then.

  15. #12
    DrCheese's Avatar
    Join Date
    Apr 2008
    Posts
    1,028
    Thank Post
    97
    Thanked 158 Times in 107 Posts
    Rep Power
    58
    We have three SSID's.

    • One for school owned devices, i.e laptops. Only "Domain computers" & a few user groups can access this. This is routeable to the main network
    • One for ALL students & Staff to access the Internet. They just bump through using 802.11x on our smoothwall machine. Devices on this WLAN can't talk to each other.
    • Last, I have another one setup for visitors that presents them with a logon page when they join it. We have various AD accounts that can join can login this for a day at a time & we give it out to visitors when they show. This is ran via PFSense. On this, we also have the 802.11x cert available for Staff/student users who can't easily join the 802.11x auth using Windows 7 laptops (There's a guide you have to follow to make Win 7 work with smoothwall)


    As mentioned in various other threads, We have no issue with students using our Internet connection (We have a gb link...) Our logic has always been that if we don't allow access to our wifi, students will just use 3g connections instead that we can't track. Smoothwall allows us to see what each students phone is doing. Also, it helps with devices are stolen as we can see which access point they are connected to and help catch the culprit.
    Last edited by DrCheese; 1st March 2014 at 07:25 PM.

  16. #13

    Join Date
    Jul 2006
    Location
    London
    Posts
    1,262
    Thank Post
    111
    Thanked 242 Times in 193 Posts
    Blog Entries
    1
    Rep Power
    74
    @DrCheese

    Can you point me in the direction of any guides etc that you used to set us pfsense in this way?

    To the OP. My answer is 'to anyone who signs the aup' 802.1x with computer account authentication on two essids and one using user authentication (for BYOD) and finally a guest with captive portal (which is horrifically crude, hence my asking about pfsense)

  17. #14
    DrCheese's Avatar
    Join Date
    Apr 2008
    Posts
    1,028
    Thank Post
    97
    Thanked 158 Times in 107 Posts
    Rep Power
    58
    Well... I could just use smothwalls SSL login page on the other SSID rather than pfsense, but it offers little in the way of customisation. I couldn't do much beyond change the logo of the page & one line of text. I wanted to be able to let users download the SSL cert for the staff/student wifi as well.

    Using PFsense I can also set certain devices to bypass login entirely (via MAC) and I can leave a comment showing who's it is (& force it to a certain IP for tracking) I needed this for users that had older phones that didn't want to login every day, which is all I could do with smoothwalls SSL page.

    Don't have a guide I'm afraid, it was all guess work! It's not too difficult tho, just install Squid and set it to transparent mode. If you want to do filtering you can pass the traffic through the smoothie or install dansguardian and do it that way.

  18. #15

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,793
    Thank Post
    1,789
    Thanked 2,180 Times in 1,615 Posts
    Rep Power
    771
    Quote Originally Posted by DrCheese View Post
    Well... I could just use smothwalls SSL login page on the other SSID rather than pfsense, but it offers little in the way of customisation. I couldn't do much beyond change the logo of the page & one line of text. I wanted to be able to let users download the SSL cert for the staff/student wifi as well.
    Pretty much how we did it. We instruct everyone to follow the instructions on our website and download the cert from there.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 0
    Last Post: 10th August 2010, 07:44 PM
  2. How to get Sharepoint going in your schools
    By GrumbleDook in forum Virtual Learning Platforms
    Replies: 11
    Last Post: 28th March 2010, 08:25 PM
  3. Replies: 19
    Last Post: 1st April 2008, 10:01 AM
  4. Replies: 19
    Last Post: 29th May 2007, 01:19 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •