Forum: Technical > Netbooks, PDA and Phones
#1 GrumbleDook:

    A Definitive Guide ... to guest / student devices on a wireless network.

Ok, I know that there is not a definitive answer on this, and it has been discussed on many threads with a number of options ... but as a way of kick-starting getting as wide a range of answers as possible, would people like to post what they do and how they do it (mentioning specific technologies and suppliers if needed) and I will collate them over on the 'how-to' area.

#2 Sylv3r:

We use a Smoothwall UTM 1000 and segregate our wireless network away from our standard Curriculum network. All APs are on this network and Smoothwall deals with DHCP.

I have created business-size cards with a map of the school on one side, showing the school layout and the WAP locations across the school, and the opposite side has the security key. We don't use AD integration etc., unfortunately, but this is something we will look at in the future. The filtering is also carried out using our Smoothwall box, which allows us to provide our students and guests with access to the sites we wish them to have access to. Students / Staff can access their MyDocuments via the School's Learning Gateway (SharePoint) and the Salamander MyDocuments web part.

Thanks to Sylv3r from: GrumbleDook (7th April 2010)

#3 GrumbleDook:

    Thanks for the info ... do you segregate the wireless and standard curriculum using VLANs or by physically separate wiring?

#4 CyberNerd:

We are likely to be doing this over the summer. Plan so far:
VLANs segregated from general network
No encryption - 'free' access network, like cafés
All traffic redirected to Smoothwall. HTTP/HTTPS only, using AD authentication.
Migrate all services to VLE and Googlemail/Docs and HTTP access. No more shared drives, hooray.

edit: almost forgot - we'll try and use web-based printing using PaperCut
and supply other apps over Citrix, and SIMS via SIMS Learning Gateway
    Last edited by CyberNerd; 7th April 2010 at 02:31 PM.

Thanks to CyberNerd from: GrumbleDook (7th April 2010)

#5 Sylv3r:

Quote Originally Posted by GrumbleDook:
> Thanks for the info ... do you segregate the wireless and standard curriculum using VLANs or by physically separate wiring?

Forgot that bit - VLANs.

#6 Patman:

We are about to revamp our whole network. It will be costly. Although we are considering other options, we are currently looking at the following.
    Create 6 VLANs
    1. Green - Staff
    2. Red - students
    3. Blue - VoIP
    4. Yellow - Video streaming/multicasting
    5. Black - Security cameras
    6. Wireless

These VLANs will be reflected in our OUs and policies.

    We plan to implement the standard fibre between buildings with copper runs within the building. These copper runs will be from the IDF to the drop box with no switch between except in the case of a student computer lab.

Copper runs will be with White Sands Engineering (or Superior Essex) 6x Cat 5e bundled - each Cat 5e cable colour representing a VLAN. These will drop to a surface-mount box with a 6-port faceplate, with each RJ45 jack a different colour representing the VLAN. Each device will plug into its appropriate VLAN.

    We are examining the Wireless solutions that will allow assigning to a VLAN based on MAC or SSID, or something similar. This is not finalized.

A supposedly cheaper solution to the above is using the HP MSM317, which will allow pulling only one cable instead of the bundled 6x Cat 5e. I do not know if it can deliver the bandwidth we anticipate. With PM Brown and Pres Obama targeting 100Mbps to the home, we believe that will become a reality. Consequently, we expect apps to be written for this bandwidth. We have this opportunity to revamp our network, so we will try to max out our capacity as much as possible. We are not sure Cat 6A is needed and we are not convinced Cat 6 will give us much over Cat 5e, as our environment is not very hostile.

    As we expand, we do not expect to use hosted solutions. We expect to keep everything in-house and contract managed services when needed.

Thanks to Patman from: GrumbleDook (19th April 2010)

#7 robk:

We have an unsecured wireless VLAN, with a Smoothwall UTM-1000 firewalling it and connecting it to the rest of the network. I am about to look at enabling client isolation on our Ruckus APs to provide client-to-client security.

Thanks to robk from: GrumbleDook (19th April 2010)

#8 PiqueABoo:

I got to think about this quite hard for a reference implementation last year (it was a lot easier to do this kind of thinking in ye olde days of physical subnets, routers-with-ACLs or, if you wanted better auditing, a firewall). The basic principle is pretty straightforward: you have separate "Private", "Public" and WAN subnetworks all plugged into a firewall with suitable policy controlling what flows between them. Unless you're rolling in cash you're almost certainly going to make subnets with VLANs on any non-trivial physical network.

    The next questions are:

    1) What L3 feature set do you actually have in your core switches? I wouldn't, but if the switches do serious IP ACLs you could use them instead of a dedicated firewall.

    2) Do you have or are you getting managed wireless? I'm familiar with two basic approaches that you may or may not be able to do with a given vendor's kit:

    a) Public wireless traffic is tagged onto the Public VLAN by the controller, Private wireless traffic (always authenticated for access) is tagged onto the Private VLAN, then those VLANs and the WAN just plug into that firewall with the policies.

    b) Public traffic is dropped onto the same subnet as Private but ACLs set on the controller restrict where it can go i.e. the controller assumes the firewall role, and you don't have to use VLANs.

    YMMV but in all cases subject to organisational management capability I'd certainly want some kind of access control for Public wireless too e.g. the students have to supply their MACs as a minimum.

    Then there's the detail:

    - Wireless client isolation is a good idea full stop i.e. for all Private/Public wireless laptops/netbooks.

    - DHCP: With switches it's anyone's guess, but firewalls will inevitably serve DHCP on a given interface.

    - DNS: What Private resources can they access? Do you need DNS to resolve any local names and if so how/where do they get it?

    - Proxy: Do they need an explicit suitably filtered one to get to the Internet and if so how/where do they get it? Perhaps you can do transparent proxying?

- VLANs/Subnets: The usual disclaimers for L2 broadcast traffic apply here, i.e. if something depends on NetBIOS broadcasts or you do WOL etc. then you need to sort out IP directed broadcast, multihome a management box, or something.

- IP Addressing: This can get fiddly. Can your current address allocation from wherever accommodate being carved up into a bunch of subnets? I can't think of many reasons not to put Public behind NAT with that firewall, but the outside of that obviously needs some routable addresses. If Private is already routable I'd certainly try and keep it that way, but you might put that behind NAT as well, and if so, do you know what might need R-NAT for a variety of external support providers etc.?

    Finally the network security:

- There's the inevitable risk of someone wreaking havoc after plugging their "device" directly into a Private netpoint, and if you don't control that with 802.1X or whatever, then any arguments about things like the pros and cons of VLANs vs independent wiring seem a touch academic.

- Firewall policies and ACLs just have to be correct and should be routinely reviewed. Some people have a nasty habit of not taking these seriously enough, e.g. throwing in new ones at the drop of a hat, occasionally with very big inadvertent holes.

- More esoteric, less likely, but convince yourself that your kit and its configuration is safe from VLAN hopping.

2 Thanks to PiqueABoo: CyberNerd (19th April 2010), GrumbleDook (19th April 2010)
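The Private/Public/WAN zone policy described in the post above, together with the routine policy review it calls for, as an added example that is not from the thread and is not any firewall vendor's syntax. Zone names, a "Firewall" zone for services the firewall itself serves (DNS, proxy), the proxy port and the rules themselves are constructed assumptions; first-match with default deny is assumed as the evaluation model.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str              # zone: "Private", "Public", "WAN" or "Firewall"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

# Constructed policy for the Private/Public/WAN design (assumed values).
PROXY_PORT = 3128  # assumed explicit-proxy port served by the firewall
POLICY = [
    Rule("Public", "Firewall", "udp", 53, "allow"),         # local DNS for guests
    Rule("Public", "Firewall", "tcp", PROXY_PORT, "allow"), # filtered proxy only
    Rule("Public", "Private", "any", None, "deny"),         # guests stay out of Private
    Rule("Public", "WAN", "any", None, "deny"),             # no direct Internet, proxy only
    Rule("Private", "WAN", "any", None, "allow"),
    Rule("Private", "Public", "tcp", 22, "allow"),          # admins reaching guest boxes
]

def _covers(a: Rule, b: Rule) -> bool:
    """True when rule a matches every flow that rule b matches."""
    return (a.src == b.src and a.dst == b.dst
            and a.proto in ("any", b.proto) and a.dport in (None, b.dport))

def decide(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow falls through to default deny."""
    probe = Rule(src, dst, proto, dport, "")
    for r in policy:
        if _covers(r, probe):
            return r.action
    return "deny"

def review(policy: List[Rule]) -> List[str]:
    """Flag the 'big inadvertent holes' and unreachable rules a routine review should catch."""
    findings = []
    for i, r in enumerate(policy):
        if r.action == "allow" and r.src == "Public" and r.dst == "Private":
            findings.append(f"rule {i}: Public may reach Private ({r.proto}/{r.dport})")
        if r.action == "allow" and r.src == "WAN":
            findings.append(f"rule {i}: inbound allow from WAN to {r.dst}")
        if r.action == "allow" and r.src == "Public" and r.proto == "any" and r.dport is None:
            findings.append(f"rule {i}: any/any allow from Public to {r.dst}")
        # A rule fully covered by an earlier rule with a different action never fires.
        if any(_covers(e, r) and e.action != r.action for e in policy[:i]):
            findings.append(f"rule {i}: shadowed by an earlier rule, will never match")
    return findings
```

Running review() over the constructed policy returns no findings; prepending a careless Public-to-Private allow is reported, and appending one is reported as shadowed by the existing deny.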

#9 browolf:

Our 3Com wireless-network switches (WX1200s) have the ability to have multiple SSIDs and VLANs.
So the student network exists on a guest SSID connected to its own VLAN.
In this VLAN is a Debian no-GUI DNS/DHCP/Squid proxy with dual NICs enabling internet access (the other card connects to the "internet VLAN"). This network is public without security, but access to anything once connected requires details for a web login served by the wireless switches; even ping doesn't work without it.

Thanks to browolf from: GrumbleDook (19th April 2010)
