General Chat Thread, Wifi in your school, who has access to it? in General; Quite simply, who has access to your wifi within your school?
For us it was staff and sixth form students. ...
28th February 2014, 09:12 PM #1
Wifi in your school, who has access to it?
Quite simply, who has access to your wifi within your school?
For us it was staff and sixth form students. It appears the password to the wifi has been leaked and lower years have access to it, I have raised this with SLT.
Just interested what other schools do. We have 2000 students.
28th February 2014, 09:17 PM #2
You should use something like radius. The authentication is based on the domain username and password. Set it so only students in 6th form can login.
We offer BYOD to staff. Staff are able to login and use the service using AD credentials. Although they get a delivered Citrix session and not an internet connection.
2 Thanks to FN-GM:
rad (1st March 2014), speckytecky (28th February 2014)
28th February 2014, 10:25 PM #3
- Rep Power
We have four SSIDs:
The first extending our internal subnet and used only by school owned devices. The passphrase is a very unmemorable and only known by a select few (3 people).
The second is used for guest access but mainly to allow staff internet access for their mobiles etc... access controlled using Radius.
The third is used for the sixth form students bringing their own devices to use in school as above access controlled using Radius.
The forth is used by students participating in a 1:1 device scheme protected using again a very unmemorable passphrase issued using our MDM solution and know by me and written in our site documentation and then radius authentication primarily for keeping track of who is doing what on the web.
28th February 2014, 10:33 PM #4
We implement RADIUS so we don't have any "the password" issues and make it available to all staff and students.
1st March 2014, 08:24 AM #5
This is very helpful, I'd like to add, our wifi is in the pipeline for upgrade and I think this will push it along nicely. The current setup is about 6 years old supported by the LEA using Cisco kit.
Keep the ideas and info coming
1st March 2014, 09:02 AM #6
We have different SSIDs for domain connected devices, guest devices, sixth form devices, staff devices and cashless tills.
We control access using our ruckus controller, AD and dynamic pre shared keys.
I need to setup a radius server though to do dynamic vlan assignments - we've hit the limit on SSIDs.
1st March 2014, 10:47 AM #7
- Rep Power
Using ruckus we have 5 different WLANS:-
One for School owned devices (Staff issued laptops, tablets etc) controlled using MAC address.
Another for all 5 laptop trolleys, (4 in departments, 1 mobile), again controlled by MAC address
Another for Staff BYOD, controlled using AD authentication.
Another for 6th form BYOD, again controlled using AD authentication (they have to sign an AUP before they are made members of the security group that the ruckus controller looks for to allow access).
And another for guest access controlled using generated guest passes on the ruckus controller.
1st March 2014, 04:10 PM #8
- Rep Power
I have no objection of staff having access to it as long as they follow our internet usage policy; however they do not know the wifi password; the device has to be manually added and the device, serial and owner are recorded. All pupil devices have it pre-installed and re-registered on ever successful connection.
1st March 2014, 06:26 PM #9
If staff have admin rights they will be able to view the Key.
Originally Posted by IWDave
1st March 2014, 06:50 PM #10
- Rep Power
we have only ever given the key to staff, as giving the key to students would mean that some could access it from home as they live directly behind the school ! however now on the wisdom of a few (not me) we have purchased a batch of android tablets and it's going to be fun locking these down so the kids don't access our key on them (as soon as they do every kids mobile phone in the school will be browsing via our wireless ), surfaces I would have agreed with then I could have used GP .I was asked if our sports hall team that run clubs at night could give our key to it's customers but I had to explain that they had never agreed to our usage policy.
1st March 2014, 07:03 PM #11
You could setup your wireless so it disables the SSID after hours. No chance of using it then.
Originally Posted by sjpage10
1st March 2014, 07:23 PM #12
We have three SSID's.
- One for school owned devices, i.e laptops. Only "Domain computers" & a few user groups can access this. This is routeable to the main network
- One for ALL students & Staff to access the Internet. They just bump through using 802.11x on our smoothwall machine. Devices on this WLAN can't talk to each other.
- Last, I have another one setup for visitors that presents them with a logon page when they join it. We have various AD accounts that can join can login this for a day at a time & we give it out to visitors when they show. This is ran via PFSense. On this, we also have the 802.11x cert available for Staff/student users who can't easily join the 802.11x auth using Windows 7 laptops (There's a guide you have to follow to make Win 7 work with smoothwall)
As mentioned in various other threads, We have no issue with students using our Internet connection (We have a gb link...) Our logic has always been that if we don't allow access to our wifi, students will just use 3g connections instead that we can't track. Smoothwall allows us to see what each students phone is doing. Also, it helps with devices are stolen as we can see which access point they are connected to and help catch the culprit.
Last edited by DrCheese; 1st March 2014 at 07:25 PM.
1st March 2014, 07:43 PM #13
Can you point me in the direction of any guides etc that you used to set us pfsense in this way?
To the OP. My answer is 'to anyone who signs the aup' 802.1x with computer account authentication on two essids and one using user authentication (for BYOD) and finally a guest with captive portal (which is horrifically crude, hence my asking about pfsense)
1st March 2014, 08:59 PM #14
Well... I could just use smothwalls SSL login page on the other SSID rather than pfsense, but it offers little in the way of customisation. I couldn't do much beyond change the logo of the page & one line of text. I wanted to be able to let users download the SSL cert for the staff/student wifi as well.
Using PFsense I can also set certain devices to bypass login entirely (via MAC) and I can leave a comment showing who's it is (& force it to a certain IP for tracking) I needed this for users that had older phones that didn't want to login every day, which is all I could do with smoothwalls SSL page.
Don't have a guide I'm afraid, it was all guess work! It's not too difficult tho, just install Squid and set it to transparent mode. If you want to do filtering you can pass the traffic through the smoothie or install dansguardian and do it that way.
1st March 2014, 09:24 PM #15
Pretty much how we did it. We instruct everyone to follow the instructions on our website and download the cert from there.
Originally Posted by DrCheese
By DaveP in forum Jokes/Interweb Things
Last Post: 10th August 2010, 07:44 PM
By GrumbleDook in forum Virtual Learning Platforms
Last Post: 28th March 2010, 08:25 PM
By projector1 in forum Hardware
Last Post: 1st April 2008, 10:01 AM
Last Post: 29th May 2007, 01:19 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)