Sorry if this has been asked before, but I couldn't find anything on the non-technical side of things. I've been asked to do some research into what other schools do.
I'd like to offer 6th form students here the ability to use their own laptops/netbooks on the school's wireless network (with a captive portal, specific ESSID+VLAN, MAC authentication, firewall zone/policies, transparent proxy to enforce the usual filtering policies and only allowing them internet access, no fileserver/printing/other access). I'm happy with the technical side of things. The 6th form students ask for access, but I'm not allowed to let them use it yet.
So, do you provide guest-style wireless access? If so, who do you allow guest-style access to? What access do you provide them with? What devices do you permit? Are they required to register in some fashion? Are they required to meet certain criteria before being permitted access? (Such as having some AV software installed, registering their MAC address with the IT support team or similar).
I have a system currently in place using a "Guest" VLAN on our switch that is controlling the traffic via an ACL.
We have a couple of RADIUS / Network Policy Servers that do the work of accepting the connection and assigning the students to the guest VLAN / domain machines to the normal VLANs.
We then restrict the traffic internally, allowing only DHCP and DNS traffic to the local subnets, then allow all traffic to the firewall / UTM (which does the content filtering, and firewall rules take care of comms).
ACL is as follows - 10.2.x.x being the "Guest" VLAN:
ip access-list extended GuestACL
 remark "PERMIT DHCP AND DNS TRAFFIC"
 permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 53
 permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 67
 permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 68
 remark "PERMIT TCP AND UDP PROTOCOLS TO FIREWALL"
 permit tcp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
 permit udp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
 remark "DENY ALL OTHER INTERNAL TRAFFIC"
 deny tcp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny udp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark "ALLOW ALL OTHER TRAFFIC"
 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
We have also installed Remote Desktop Services (virtual servers: 1 connection broker, 3 RDS hosts / web access servers), and there is a "Student" VLAN with the same ACL except we have allowed RDP traffic to our RDS servers internally.
Works really well; if you need any info, PM me and I'll be happy to send you my contact details.
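Added example (editor's note, not the poster's code or tooling): a small evaluator for Cisco-style extended ACLs that replays the GuestACL above against constructed sample flows. It implements the wildcard-mask matching and first-match-wins / implicit-deny semantics, so you can check what an ACL really admits before applying it to a VLAN. The flows and host addresses (a file server at 10.0.1.20, an external web host) are assumptions made up for the demo; the firewall address 10.0.0.100 comes from the post.

```python
"""
Replay a Cisco-style extended ACL against sample flows.

Added example, not the poster's configuration.  GUEST_ACL is the ACL from
the post; the flows evaluated at the bottom are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GUEST_ACL = """
ip access-list extended GuestACL
 remark "PERMIT DHCP AND DNS TRAFFIC"
 permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 53
 permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 67
 permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 68
 remark "PERMIT TCP AND UDP PROTOCOLS TO FIREWALL"
 permit tcp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
 permit udp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
 remark "DENY ALL OTHER INTERNAL TRAFFIC"
 deny tcp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny udp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark "ALLOW ALL OTHER TRAFFIC"
 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


@dataclass
class Ace:
    """One access-control entry: action proto src src-wc dst dst-wc [eq port]."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>" after the destination, if any


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard mask: a 1 bit means "don't care"; only the 0 bits must match.
    return ((_to_int(addr) ^ _to_int(base)) & ~_to_int(wildcard) & 0xFFFFFFFF) == 0


def _addr_pair(tok: List[str], i: int) -> Tuple[str, str, int]:
    # Accept the "any" / "host X" shorthands as well as explicit addr + wildcard.
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # the access-list header and remark lines carry no match logic
        action, proto = tok[0], tok[1]
        src, src_wc, i = _addr_pair(tok, 2)
        dst, dst_wc, i = _addr_pair(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, src_wc, dst, dst_wc, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE) with first-match-wins semantics."""
    for n, ace in enumerate(aces, 1):
        if ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None  # implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    acl = parse_acl(GUEST_ACL)
    flows = [  # (label, proto, src, dst, dport) -- constructed sample traffic
        ("guest DNS to public resolver", "udp", "10.2.0.5", "8.8.8.8", 53),
        ("guest HTTPS to firewall/UTM", "tcp", "10.2.0.5", "10.0.0.100", 443),
        ("guest SMB to internal file server", "tcp", "10.2.0.5", "10.0.1.20", 445),
        ("guest HTTP to the Internet", "tcp", "10.2.0.5", "93.184.216.34", 80),
        ("guest ping to firewall (no icmp ACE)", "icmp", "10.2.0.5", "10.0.0.100", None),
        ("DHCP DISCOVER from unaddressed client", "udp", "0.0.0.0", "255.255.255.255", 67),
        ("host on 10.2.1.x to file server", "tcp", "10.2.1.5", "10.0.1.20", 445),
    ]
    for label, proto, src, dst, dport in flows:
        action, n = evaluate(acl, proto, src, dst, dport)
        print(f"{label:45s} -> {action:6s} (ACE {n})")
```

Two of the constructed flows are the checks worth running against your own version of this list. The DHCP DISCOVER (source 0.0.0.0) does not match the "DHCP" entries, because those require a 10.2.0.x source; it is admitted by the final permit-any line instead, so the catch-all is doing real work. And a source wildcard of 0.0.0.255 only covers 10.2.0.0/24: if the guest VLAN is really the whole of 10.2.x.x, a host in 10.2.1.0/24 skips both deny lines and reaches the internal range via the catch-all, so the source wildcard should be 0.0.255.255 (or the list should end with an explicit deny rather than a permit-any).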
I have an SSID for our sixth form students on our BlueSocket wireless network. The BlueSecure controller provides a captive portal and then directs them to our Citrix Secure Gateway login. Access to everything else is denied by the controller.
I have a number of access points in the 6th form's common room and study rooms with a WPA key. All of these access points are wired via a switch back to an OpenBSD firewall that allows DHCP requests and web traffic, and it also redirects all web traffic to the school internal proxy. (This means that the students do not have to configure proxies locally on their laptops.) It's a small-scale deployment at the moment and cost just the cost of the access points.
I do want to extend it over the rest of the school and will use VLANs to do that securely. We also require that the students log their laptop with us before they are provided with the key, really just so that we can keep track of what's going on and can trace any traffic back to the user if we need to.