Fairly cheap way:
Set up VLANs - isolate guest wireless from the rest of the network
Use Smoothwall as a transparent proxy for guest wireless - the license is not much and you can use old low-spec kit
Run DHCP on one server for the guest scope, allowing any device to connect
Run DHCP for the rest of the network on a different server but use a whitelist of MAC addresses - this can be done through Microsoft DHCP server - see other threads - this only allows approved devices to get an address on your main network
I would ask the question again to make sure. I have seen the state of some of our kids' equipment (chargers etc.); fire hazard is not the word.
PAT testing is NOT a legal requirement.
@sonofsanta - Thanks for asking the questions. I'd been considering the same thing as it's in the plans I have been putting together for the next year.
Our LEA provide a third domain called GuestNet - this allows pupils the opportunity to use their personal learning devices when the need arises. I'd not thought of an AUP until I read your post - but have now asked the LEA if they have one.
Our LEA are linked to Aruba Networking and it is their kit we will be using. A central controller is connected to satellite controllers in the schools. All seems to work from what I've discussed with other schools in Swansea.
Certain managed wireless systems allow channels to be layered so that one channel can be used as a dirty network with a centralised MAC filtering system, which can be used in conjunction with transparent authentication on a Smoothwall box for web filtering.
The RDP protocol can be used to access TS for curriculum files and resources without touching the school curriculum network with viruses etc.
This is the way we are looking, which will also allow other wireless devices to use the clean channels for curriculum use with iPads, iPods, Android tablets, smartphones etc.
All this after a risk analysis is looked at for every device. :)
Although we already have certain parts of the school open to wireless APs under MAC filtering and encrypted key access, it will be a new managed system from one of the top suppliers after much deliberation and trials.
I posted a couple of things about user owned devices here if you search my posts. We have about 140 on site at any one time. Many are phones which a couple of people from SLT now are keen to get rid of.!?
I'll try and go over some of your points
• Would require the instigation of a technical project that would certainly involve a significant investment of time, and potentially budget.
That's a given, there's always going to be time and money needed for 'progress'. All you need to do is outline the infrastructure costs to SLT (wireless, running remote apps and bandwidth)
Provide the method of working via the network, again SLT need to know the options and costs of making this possible. Thinking along the lines of Google Apps (next to nothing), Citrix (expensive)
Quote:
• Work would be saved in a single location rather than on the network; therefore if students forget their device their work will be completely unavailable and there will be no regular backup of their work. Despite warnings of these limitations students are likely to favour working on personal devices still.
Don't dwell on it, an AUP will have this covered
Quote:
• Danger of loss of expensive personal equipment (particularly on public transport to and from school)
This is probably the biggest hurdle. We've recycled a load of old staff laptops with Linux for this purpose. We'll never have enough though.
Quote:
• Possibly lead to poorer students feeling excluded
Again, don't dwell on it. If teachers don't want personal devices in their lessons then they'll tell the kids not to use them. Teachers can see if kids are working on iPads if they're sharing their documents.
Quote:
• May offer a greater distraction to students, as personal devices are likely to have personal data (e.g. photos) and possibly games available.
Only if you have a dinosaur network. Ultimately you're going to be supporting a large number of browsers; in my experience it isn't really a big deal. If the kids want their devices connected they will work out how to do it and share it with their friends, ICT learning in progress ;)
Quote:
• Should personal devices be allowed, IT Support will be unable to support them to prevent abuse of our services and prevent strain on our time supporting a large number of myriad devices.
Don't launch it unless you can support it. Write the proposal and get SLT acceptance. Don't forget you'll need more bandwidth on your internet connection.
Quote:
• If popular, would likely require investment in improving our wireless coverage, ideally with a managed (intelligent) system (5 figure cost).
Firewall the internal network. http(s) access only.
Quote:
• Security risk from viruses – steps can be taken to mitigate this but there will always be a risk from zero-day exploits that haven’t been seen before
We use radius here and offer WiFi to the sixth form and year 11 - In return for their MAC address they are given the key to log on.
Their MAC is entered into a local database within the managed wireless and then their AD account is added to a guest wireless group. Then when they access the SSID and go on the internet they are prompted to log on using their AD account.
We don't support the devices directly but will help where we can - we also have an active thread on our VLE where students share their issues and solutions etc. if there are any blips.
They can access the internet and things like home access plus for their documents etc - in future we plan to offer Xenapp.
Not heard back from last night's meeting yet, but really hoping they let me wait the year.
Increasingly starting to suspect the best/easiest way to do this will be with a managed wireless system - I suspect we would need it anyway as at the moment, we just have a handful of dumb 802.11n APs dotted around as there's less than two dozen mobile devices on the network anyway - just a handful of laptops for the times when they're needed, a spattering of netbooks. If we start allowing personal student devices there's not much chance that infrastructure will hold up.
Might be worth looking getting HAP+ running to prevent the SPOF nature of local storage as well. And so the snowball rolls on...
We too are looking at options for open wireless for students. We have a managed wireless system in place (Xirrus) and can set up a new SSID on a separate VLAN to keep the traffic separate. We'd probably then look at a new server to handle DHCP (to registered MACs only) with a transparent proxy. Our LEA use NetSweeper, hopefully we can utilise that somehow also. RADIUS and AD authentication would be good, so we can place all registered users in a group - and firewalling to allow only port 80 as someone suggested earlier is a great idea!
My question - is there any product / appliance 'out of the box' that can do this at the moment (linking in to an existing wireless system)? I realise we can do all of this anyhow with various software and hardware but wondered if there was anything available?
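Added example, not part of any post in this thread: a small Python check for the design discussed above (guest SSID on its own VLAN, no path into the school networks, web ports only). The subnets, rule list and function names are constructed for illustration and model a simple first-match firewall, not Smoothwall or any vendor's rule format.

```python
# Audit a first-match firewall rule list for a guest/BYOD wireless VLAN.
# Every subnet, address and rule below is constructed for illustration.
from ipaddress import ip_address, ip_network

GUEST = ip_network("10.50.0.0/22")          # guest VLAN (assumed)
INTERNAL = [ip_network("10.10.0.0/16"),     # curriculum network (assumed)
            ip_network("10.20.0.0/16")]     # admin network (assumed)
ALLOWED_WEB_PORTS = {80, 443}               # "http(s) access only"

# (action, source net, destination net, protocol, dest port or None for any)
RULES = [
    ("allow", "10.50.0.0/22", "10.50.0.1/32", "udp", 53),   # DNS on the proxy box
    ("deny",  "10.50.0.0/22", "10.10.0.0/16", "any", None),
    ("deny",  "10.50.0.0/22", "10.20.0.0/16", "any", None),
    ("allow", "10.50.0.0/22", "0.0.0.0/0",    "tcp", 80),
    ("allow", "10.50.0.0/22", "0.0.0.0/0",    "tcp", 443),
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    "any", None), # default deny
]

def decide(rules, src, dst, proto, port):
    """Return the action of the first matching rule; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ip_network(rsrc) and d in ip_network(rdst)
                and rproto in ("any", proto) and rport in (None, port)):
            return action
    return "deny"

def audit(rules, sample_ports=(22, 80, 135, 443, 445, 3389)):
    """List policy violations as seen from a client on the guest VLAN."""
    client = str(GUEST.network_address + 10)
    findings = []
    for net in INTERNAL:
        target = str(net.network_address + 1)
        for proto in ("tcp", "udp"):
            for port in sample_ports:
                if decide(rules, client, target, proto, port) == "allow":
                    findings.append(f"guest reaches internal {target} {proto}/{port}")
    outside = "203.0.113.10"  # documentation address standing in for the internet
    for port in sample_ports:
        allowed = decide(rules, client, outside, "tcp", port) == "allow"
        if allowed != (port in ALLOWED_WEB_PORTS):
            findings.append(f"internet tcp/{port} is {'open' if allowed else 'blocked'}")
    return findings

if __name__ == "__main__":
    print(audit(RULES) or "rule set matches the guest policy")
```

Rule order matters in a first-match list: placing the port 80 allow above the internal deny rules makes `audit` report the guest VLAN reaching both internal networks on tcp/80.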
We have started a BYOD scheme with our Sixth Form students this term, and it's been a good success. As you would expect from my many posts on the topic over the last 4 to 5 years, I have used Ruckus wireless for my managed wireless, Smoothwall for the filtering, DNS and DHCP on this Sixth Form BYOD LAN and using Juniper Switching for the nice VLANs.
In terms of success, no complaints from students or the few staff using it. Students log on to Ruckus into the Sixth Form wireless SSID; this is AD Security Group based, thus I have to add your account into an AD group before you can pass that point. Once you have passed the Ruckus you can then get to the Smoothwall SSL Auth page and it then authenticates you against the main AD on our main systems. That will be the last point you play with the main systems, as you are put into the Sixth Form wifi VLAN and all you get is the internet, and from that you get to the internet, webmail, VLE and files and it works great :)
May I ask: What is meant by "KS5 filtered internet" and "KS3 filtered internet"?