  1. #1


    Question Students bringing their own devices in

    Hi,

    Sorry if this has been asked before, but I couldn't find anything on the non-technical side of things. I've been asked to do some research into what other schools do.

    I'd like to offer 6th form students here the ability to use their own laptops/netbooks on the school's wireless network (with a captive portal, specific ESSID+VLAN, MAC authentication, firewall zone/policies, transparent proxy to enforce the usual filtering policies and only allowing them internet access, no fileserver/printing/other access). I'm happy with the technical side of things. The 6th form students ask for access, but I'm not allowed to let them use it yet.

    So, do you provide guest-style wireless access? If so, who do you allow guest-style access to? What access do you provide them with? What devices do you permit? Are they required to register in some fashion? Are they required to meet certain criteria before being permitted access? (Such as having some AV software installed, registering their MAC address with the IT support team or similar).

    Thanks in advance,

    Steven

  2. #2

    Steven,

    I have a system in place at present using a "Guest" VLAN on our switch that is controlling the traffic via an ACL.

    We have a couple of RADIUS / Network Policy Servers that do the work of accepting the connection and assigning the students to the guest VLAN / domain machines to the normal VLANs.

    We then restrict the traffic internally, allowing only DHCP and DNS traffic to the local subnets, then allow all traffic to the firewall / UTM (which does the content filtering and firewall rules take care of comms).

    ACL is as follows - 10.2.x.x being the "Guest" VLAN

    Code:
    ip access-list extended GuestACL
     
    remark "PERMIT DHCP AND DNS TRAFFIC"
    permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 53 
    permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 67 
    permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 68 
     
    remark "PERMIT TCP AND UDP PROTOCOLS TO FIREWALL"
    permit tcp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
    permit udp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
     
    remark "DENY ALL OTHER INTERNAL TRAFFIC"
    deny tcp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny udp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
     
    remark "ALLOW ALL OTHER TRAFFIC"
    permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    We have also installed Remote Desktop Services (virtual servers: 1 connection broker, 3 RDS hosts / web access servers), and there is a "Student" VLAN with the same ACL except we have allowed RDP traffic to our RDS servers internally.

    Works really well. If you need any info, PM me and I'll be happy to send you my contact details.

    Regards,
    Simon
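
The first-match behaviour of the GuestACL posted above, as an added example that is not part of the original post or the poster's own tooling: a small Python model that replays the posted entries against constructed sample flows. It is a simplified model (destination `eq` ports only; the addresses in `FLOWS` are made up) and shows that the 0.0.0.255 source wildcard covers 10.2.0.0/24 only, so a source such as 10.2.1.25 falls through to the final permit entries.

```python
import ipaddress

# ACL entries copied from the post above (remark lines left out).
GUEST_ACL = """\
permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 53
permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 67
permit udp 10.2.0.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 68
permit tcp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
permit udp 10.2.0.0 0.0.0.255 10.0.0.100 0.0.0.0
deny tcp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny udp 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse 'action proto src wildcard dst wildcard [eq port]' entries."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "remark":
            continue
        port = int(f[7]) if len(f) > 6 and f[6] == "eq" else None
        rules.append((f[0], f[1], _ip(f[2]), _ip(f[3]), _ip(f[4]), _ip(f[5]), port, line.strip()))
    return rules

def _match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(rules, proto, src, dst, dport):
    """Return (action, matching entry); first match wins, implicit deny at the end."""
    for action, rproto, sb, sw, db, dw, port, line in rules:
        if (rproto == proto and _match(_ip(src), sb, sw) and _match(_ip(dst), db, dw)
                and port in (None, dport)):
            return action, line
    return "deny", "(implicit deny)"

RULES = parse_acl(GUEST_ACL)
# Constructed sample flows: (protocol, source, destination, destination port).
FLOWS = [("udp", "10.2.0.25", "10.0.0.10", 53), ("tcp", "10.2.0.25", "10.0.0.20", 445),
         ("tcp", "10.2.0.25", "203.0.113.10", 443), ("tcp", "10.2.1.25", "10.0.0.20", 445),
         ("icmp", "10.2.0.25", "203.0.113.10", 0)]
if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", *evaluate(RULES, *flow))
```

Replaying a handful of known-good and known-bad flows like this before pushing an ACL change is a cheap way to confirm the source wildcard matches the address range the VLAN actually hands out.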

  3. #3

    Ric_'s Avatar
    I have an SSID for our sixth form students on our BlueSocket wireless network. The BlueSecure controller provides a captive portal and then directs them to our Citrix Secure Gateway login. Access to everything else is denied by the controller.

  4. #4
    soapyfish's Avatar
    Hi,

    I have a number of access points in the 6th form's common room and study rooms with a WPA key. All of these access points are wired via a switch back to an OpenBSD firewall that allows DHCP requests and web traffic; it also redirects all web traffic to the school internal proxy. (This means that the students do not have to configure proxies locally on their laptops.) It's a small-scale deployment at the moment and cost just the cost of the access points.

    I do want to extend it over the rest of the school and will use VLANs to do that securely. We also require that the student log their laptop with us before they are provided with the key, really just so that we can keep track of what's going on and can trace any traffic back to the user if we need to.
