Wireless Networks thread: Supporting public devices on school wireless network? (in Technical)
10th October 2011, 06:59 PM #1
Supporting public devices on school wireless network?
What are other primary/secondary school districts doing with regard to supporting wifi-capable devices brought into the building by the public?
Since the building wireless is E-Rate (federal funding) supported, in the United States we have to apply CIPA (child internet protection act) filtering rules to the public bringing in their own wireless-capable devices. Although adults are generally exempt from CIPA requirements, we have no way of knowing if they are an adult that is exempt from CIPA, or a child which is not, so the requirements must be applied broadly to all anonymous network users.
This means proxy filtering must be applied to devices brought in by the public, and unfortunately proxying on mobile wireless devices is a horrible mish-mash of unsupported capabilities or hidden features. For example, I know from research that some Android devices have proxying built-in, but the standard user interface doesn't "expose" it to the regular user.
It appears that the best that can be offered so far is a tiered approach, offering transparent proxying for devices that make proxying really hard to do. For these devices they will not be able to have secure/encrypted web access because the transparent proxy protocol does not and can not support encryption. Not having secure web transactions available will severely hobble many devices.
For the devices that support auto-proxy configuration, there can be a second tier, with a proxy.pac / proxy.wpad, but that too is a challenge because some devices which can do auto-proxy detection often default to manual mode, and still need twiddling in a control panel or with hidden settings on the device just to enable auto-proxy capabilities.
Manual proxy configuration is the least desirable because these devices by their very nature do not stay at school, and may wander onto many other wireless networks. If manual proxying is forced enabled, then when they go home they can't get on the Internet because their device is still trying to use the school's proxy filtering.
Overall this whole process appears to be a quagmire since we can't control what mobile devices the public brings in and expects to be able to "just work", but this is apparently a mess which many schools are going to be dragged into.
10th October 2011, 07:04 PM #2
Not sure if you have this option but we simply say no!
10th October 2011, 07:17 PM #3
Say no to what, to the filtering requirement? Sure, schools and other government organizations in the USA can do that.
It just means that federal E-Rate funding can not be used for the dedicated fiber-optic Internet service (covers 60+% of the Internet services bill, which is something like $4,000-$6,000 a month), nor can any network devices, equipment or cabling which was installed or purchased using e-Rate discounts be used.
So.... looks like we're gonna be doing CIPA filtering of public devices....
10th October 2011, 07:22 PM #4
No, we simply don't allow lower school students/staff to bring in devices which don't belong to the school. The only exception to this is we allow sixth form students to bring in laptops, which we have to put into wireless, but the uptake on this is minimal (40/50), so adding them to the wireless and giving them a script to enable/disable proxy.
10th October 2011, 07:25 PM #5
We support this in the college I work at. Making it work was my problem.
We tried all kinds of stuff with wpad and so on and it just never worked reliably. Sometimes I think it's down to the wpad infrastructure being a bit fragile, and in some cases I think some of the smartphone / tablet stack was coded by drunken lemurs whose experience of networks is confined to what they vaguely remember from the weekly technical column in drunken lemur weekly (bitter? me? why do you ask?)
Anyway, moving on... we discarded any idea that worked with configuring proxy settings, and we've basically worked on making all traffic naturally routed out to the internet through a particular gateway on our network, and placed a transparent proxy at that address that can handle authentication, filtering and logging.
11th October 2011, 10:06 AM #6
We let kids use their devices on our Guest Wifi.
The password is advertised throughout the school and the filtering is at "Lower School" levels so it is pretty strict. We also won't help anyone with problems getting onto the Guest wifi etc, it is there and available to use and that's it.
11th October 2011, 11:17 AM #7
I would suggest you simply provide it on an 'as-is' basis with minimal support. As for your filtering, block everything apart from web access and transparently proxy that. Simple, effective and covers you for your legal requirements.
13th October 2011, 04:27 PM #8
A few vendors now support OpenDNS which is easy to configure generic filtering for a Visitor network. Aruba and others do that.
13th October 2011, 05:08 PM #9
List what you know works.
List what you know works with limitations (with suggestions for mitigation).
List what you know doesn't work.
Make that a one-page, prominently displayed A4 laminated sign. Test it with an elderly relative and rewrite until they can understand it. Get reception staff to hand it out with the captive portal credentials.
Occasionally update list as you get the chance to test new devices.
Last edited by pete; 13th October 2011 at 05:12 PM.
13th October 2011, 05:27 PM #10
At my last school we had a guest wireless network set up, but it would not work to https sites, which didn't bother us. Also we had to go through the HGFL filtering whatever happened, so that protected students a bit.
13th October 2011, 05:28 PM #11
To deal with the mish mash of devices and how to set the proxy for them you have a few options. The easiest for the end user is to use a transparent proxy so that no settings need to be put in place. This does have limitations though.
Ideal scenario ... possibly ...
There is an available public / guest SSID. This is VLANed off from the rest of the network and the output is routed into a filtering device / appliance, which is set to operate as a transparent proxy. If this device can also operate as a firewall too you have effectively created a DMZ. This can be important for when you also want to consider not just filtering web pages over HTTP but also the activity on other ports. This can range from ensuring ports are open for things like Android Marketplace or locking down the ability to send emails via port 25 in case someone brings in an infected laptop that has a mass-mailer worm on it. Access between this VLAN and the school can be limited ... and you could limit it to a secure web front-end to remote desktop services of some sort ... Citrix, SGD, etc. If students are bringing their own device in then they can use the guest network but accessing work, etc is via a controlled device (i.e. the Remote Server).
The barriers to this ... setting up your managed wireless network to allow this. Prevent people from just plugging in a laptop to an available free network port on the wall. The investment in the infrastructure for Remote Services. The filtering / firewall device / appliance. The time to manage and maintain the solution.
Not a complete list, but enough to get you going, perhaps.
Thanks to GrumbleDook from:
drewp (19th October 2011)
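The guest-VLAN gateway described in posts #7 and #11 above, sketched as an nftables ruleset. This is an added example, not configuration posted by anyone in the thread; the interface name `guest0`, the addresses and the proxy port 3128 are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example with constructed values (all assumptions, not from the thread):
#   guest0       interface carrying the guest SSID's VLAN
#   3128         port of a transparent proxy running on this gateway
#   10.10.0.20   HTTPS front-end to the remote desktop service

table inet guestwifi {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain HTTP from guests is redirected into the local proxy,
        # so no proxy settings are needed on the device.
        iifname "guest0" tcp dport 80 redirect to :3128
    }

    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        # Guests may reach only DHCP, DNS and the proxy on this box.
        iifname "guest0" udp dport { 53, 67 } accept
        iifname "guest0" tcp dport { 53, 3128 } accept
        iifname "guest0" counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        # The single path into the school network: the remote desktop front-end.
        iifname "guest0" ip daddr 10.10.0.20 tcp dport 443 accept
        # Outbound SMTP gets its own counter and log line so a mass-mailer
        # on a guest device stands out.
        iifname "guest0" tcp dport 25 counter log prefix "guest-smtp " drop
        # Everything else from guests is dropped: internal ranges, other ports,
        # and HTTPS to the Internet, which this transparent tier does not carry.
        iifname "guest0" counter drop
    }
}
```

Client-to-client isolation, as raised in post #12, is set on the access points or controller and is not covered by these gateway rules.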
13th October 2011, 05:31 PM #12
Also, ensure you use wireless isolation. The last thing you want is one compromised device on your public WLAN infecting everyone else using it.
13th October 2011, 05:41 PM #13
I would read this article before opening your wifi up to any Tom, Dick or Harry that happens to walk in...
Study shows viral SSIDs could be creating a massive wireless botnet | TechRepublic
It's a bit old but the basic principle still applies, several football clubs have fallen foul of what effectively becomes a massive DOS attack, people with phones in their pockets all scanning for wifi and associating at every opportunity resulting in DHCP scope exhaustion, overloaded APs and LAN and WAN bandwidth issues.
Better to have a simple WEP or WPA key requirement so that casual passers-by don't just associate by default.
Google Viral SSID for more Info.
13th October 2011, 05:47 PM #14
We apply a very strict filter (the same as our student) via M86 for our guest network.
This covers our issues with CIPA.
Our network power levels are set to only go 15 Ft beyond our walls. So they can not get it in most situations near the school.
24th October 2011, 05:18 AM #15
Here is where I would direct people:
Page redirects could be created for each specific troublesome browser ID (the ID is the page, which redirects to a human-readable fix page).
Part of the reasoning here is that this is hardly a problem limited to just me and my little school district. This is a problem that is only going to get worse around the planet, as mobile devices are hauled to schools in greater and greater numbers.