Providing wireless internet access for student laptops

[meastaugh1]

We're floating the idea of providing Wireless internet access to which students can connect their personal laptops.

Theoretically, I'd be using Procurve 530 APs to various Procurve switches (2524, 2650, 4100 etc). I'd create a student SSID and VLAN and patch them on the APs. Then I just need to add a port on the router (providing DHCP) to the student VLAN. The router facilitates the connection between our network and the leased line to our Grid.

re: DHCP, would it be acceptable to have the router provide DHCP to the student VLAN, while my Windows Server provides DHCP for the default VLAN, since both VLANs won't be communicating?

Does that sound feasible?

[stickinsect]

Well, I would give it a go, just set up one or 2 routers (if you have any spare, or just take down 1 or 2 routers that dont get used) and set them up as a temporary beta access point. so just let them log onto the router and make them put in their cc3 cresidentials (or whatever system you use) so no-one else who may be around the school can use it and see how it goes...

[b4bob]

Hi we're talking to suppliers to outline a wlan for a new build with a 6th form 'dropin' facility. Because of the numbers we're discussing having managed switches and 'thin' APs. This will allow a web based control panel to control access both thru the switch to the network and the actual ability to connect, for all APs from one point. On top of this will be auto load sharing/hand off so if the students are all at one end of the room then the other APs will share the work. If you have 'thick' (standard) APs then the nearest gets all the workload and your speeds drop right off. Not particularily cheap but nice n shiney! Otherwise we run a std thick AP from a trolley/vault and that's fine for a room.

[Ric_]

@meastaugh1: Although technically sound, does that plan take into account the Ts & Cs of your Internet connection and will you be filtering the connection so that you live up to your duty of care?

Will you also be charging for the service as it will inevitably add to your workload?

Managed wireless systems such as BlueSocket can be configured to sort all these problems out and allow the APs to broadcast multiple SSIDs on different VLANs. There is even a built in web doobery that you can set up to take credit card payment!

[meastaugh1]

Thanks all for your replies thus far.

@meastaugh1: Although technically sound, does that plan take into account the Ts & Cs of your Internet connection and will you be filtering the connection so that you live up to your duty of care?

I would consult with our Grid re: T&C of service. I would hope to provide an additional layer of filtering and monitoring through our Fortinet box, which is due to materialise shortly.

Will you also be charging for the service as it will inevitably add to your workload?

Certainly not initially as it would only be intended for a select few. I'd rather stay away from charging if possible.

[dan400007]

I find the 3Com wireless controllers work well and provide a long list of functions (reasonably priced for education too). If you do go for a 'thin ap' solution I'd recommend having a supplier that has proper support for the product so they can assist in the setup. That is unless you've got a decent amount of free time.

As far as controlling internet access I'd be tempted to put an ISA box on the VLAN that has 3 nics. One for the Internet access, one for the VLAN and one for access to your domain. Then you can get all the users to authenticate on the ISA box using their domain username/password. Surely that way you'd be able to meet the T+C of your RBC.

[Oops_my_bad]

Managed wireless systems such as BlueSocket can be configured to sort all these problems out and allow the APs to broadcast multiple SSIDs on different VLANs. There is even a built in web doobery that you can set up to take credit card payment!

Ric, would the bluesocket stuff do VLANS even if your network only has the one VLAN? (if that makes sense)

[Sylv3r]

We have just setup a VLAN for our wireless network with a Smoothwall box providing p2p, MSN blocking and dishing out the IP's through its DHCP server. The smoothwall box then connects to a proxy server and then out to the outside world.

Haven't rolled it out to any students yet, but through testing in the last couple of days it looks promising.

Has anybody used smoothwall 3.0 and setup DansGuardian / some sort of web filtering to enable the blocking of blacklisted sites. There is a level of filtering provided by our LEA and we use a Censornet box on the main curriculum network but we need to provide additonal filtering on the laptops also.

Thanks

[spc-rocket]

We're floating the idea of providing Wireless internet access to which students can connect their personal laptops.

Theoretically, I'd be using Procurve 530 APs to various Procurve switches (2524, 2650, 4100 etc). I'd create a student SSID and VLAN and patch them on the APs. Then I just need to add a port on the router (providing DHCP) to the student VLAN. The router facilitates the connection between our network and the leased line to our Grid.

re: DHCP, would it be acceptable to have the router provide DHCP to the student VLAN, while my Windows Server provides DHCP for the default VLAN, since both VLANs won't be communicating?

Does that sound feasible?

Hi there,

We have implemented this using the Cisco Aironet APs and it works well. We have completely seperated this network from the main network by using VLANs. The default gateway for the student's wireless network is the firewall which has filtering software (added addition NIC to the FW) and it filter the internet access all from single point i.e. the firewall (ISA Server). At the ISA server we also given the student ability to access their My Docs (via easylink) and their webmail (OWA) and Internet Access with heavy restrictions (via web filtering). It works well and the APs are used for the corp. network as well because it supports VLANs and multiple SSIDs.

Regarding the DHCP server i would just setup a normal windows box with DHCP server on the same network as the student's wireless and let that dish out the IP addfess, this way its not touching on anything to do with the main network. If this PC/Server crashes then all that is lost is the student's wireless network. A Virtual server could also come in handy for this i suppose.

To manage the non-domain laptops we use 802.1x authentication with IAS server to authenticate users using their normal network username and password. This has been a great success because they don't have to remember yet another logon credentials.

HTH,

Ash.

[Ric_]

Ric, would the bluesocket stuff do VLANS even if your network only has the one VLAN? (if that makes sense)

You run all your wireless traffic along a separate VLAN back to the controller. The controller then handles who and what has access to where.