Wireless Networks Thread, Supporting public devices on school wireless network? in Technical
  1. #1

    Join Date
    Oct 2011
    Location
    rural northwest Wisconsin
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Question Supporting public devices on school wireless network?

    What are other primary/secondary school districts doing with regard to supporting wifi-capable devices brought into the building by the public?

    Since the building wireless is E-Rate (federal funding) supported, in the United States we have to apply CIPA (child internet protection act) filtering rules to the public bringing in their own wireless-capable devices. Although adults are generally exempt from CIPA requirements, we have no way of knowing if they are an adult that is exempt from CIPA, or a child which is not, so the requirements must be applied broadly to all anonymous network users.

    This means proxy filtering must be applied to devices brought in by the public, and unfortunately proxying on mobile wireless devices is a horrible mish-mash of unsupported capabilities or hidden features. For example, I know from research that some Android devices have proxying built-in, but the standard user interface doesn't "expose" it to the regular user.

    It appears that the best that can be offered so far is a tiered approach, offering transparent proxying for devices that make proxying really hard to do. For these devices they will not be able to have secure/encrypted web access because the transparent proxy protocol does not and can not support encryption. Not having secure web transactions available will severely hobble many devices.

    For the devices that support auto-proxy configuration, there can be a second tier, with a proxy.pac / proxy.wpad, but that too is a challenge because some devices which can do auto-proxy detection often default to manual mode, and still need twiddling in a control panel or with hidden settings on the device just to enable auto-proxy capabilities.

    Manual proxy configuration is the least desirable because these devices by their very nature do not stay at school, and may wander onto many other wireless networks. If manual proxying is forced enabled, then when they go home they can't get on the Internet because their device is still trying to use the school's proxy filtering.

    Overall this whole process appears to be a quagmire since we can't control what mobile devices the public brings in and expects to be able to "just work", but this is apparently a mess which many schools are going to be dragged into.

  2. #2

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,714
    Thank Post
    269
    Thanked 1,116 Times in 1,012 Posts
    Rep Power
    345
    Not sure if you have this option, but we simply say no!

  3. #3

    Join Date
    Oct 2011
    Location
    rural northwest Wisconsin
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Say no to what, to the filtering requirement? Sure, schools and other government organizations in the USA can do that.

    It just means that federal E-Rate funding can not be used for the dedicated fiber-optic Internet service (covers 60+% of the Internet services bill, which is something like $4,000-$6,000 a month), nor can any network devices, equipment or cabling which was installed or purchased using e-Rate discounts be used.

    So.... looks like we're gonna be doing CIPA filtering of public devices....

  4. #4

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,714
    Thank Post
    269
    Thanked 1,116 Times in 1,012 Posts
    Rep Power
    345
    No, we simply don't allow lower school students/staff to bring in devices which don't belong to the school. The only exception to this is we allow sixth form students to bring in laptops which we have to put into wireless, but the uptake on this is minimal (40/50), so adding them to the wireless and giving them a script to enable/disable proxy.

  5. #5

    Join Date
    Oct 2005
    Posts
    943
    Thank Post
    225
    Thanked 174 Times in 136 Posts
    Rep Power
    102
    We support this in the college I work at. Making it work was my problem.

    We tried all kinds of stuff with wpad and so on and it just never worked reliably. Sometimes I think it's down to the wpad infrastructure being a bit fragile, and in some cases I think some of the smartphone / tablet stack was coded by drunken lemurs whose experience of networks is confined to what they vaguely remember from the weekly technical column in drunken lemur weekly (bitter? me? why do you ask?)

    Anyway, moving on... we discarded any idea that worked with configuring proxy settings, and we've basically worked on making all traffic naturally routed out to the internet through a particular gateway on our network, and placed a transparent proxy at that address that can handle authentication, filtering and logging.

  6. #6

    Join Date
    Nov 2009
    Location
    Manchester
    Posts
    1,010
    Thank Post
    6
    Thanked 181 Times in 169 Posts
    Rep Power
    49
    We let kids use their devices on our Guest Wifi.

    The password is advertised throughout the school and the filtering is at "Lower School" levels so it is pretty strict. We also won't help anyone with problems getting onto the Guest wifi etc, it is there and available to use and that's it.

  7. #7

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,800
    Thank Post
    110
    Thanked 582 Times in 503 Posts
    Blog Entries
    1
    Rep Power
    223
    I would suggest you simply provide it on an 'as-is' basis with minimal support. As for your filtering, block everything apart from web access and transparently proxy that. Simple, effective and covers you for your legal requirements.

  8. #8

    Join Date
    May 2008
    Location
    London
    Posts
    7
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    A few vendors now support OpenDNS, which is easy to configure generic filtering for a Visitor network. Aruba and others do that.

  9. #9


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,534
    Thank Post
    271
    Thanked 752 Times in 590 Posts
    Rep Power
    218
    List what you know works.
    List what you know works with limitations (with suggestions for mitigation).
    List what you know doesn't work.

    Make that a one-page, prominently displayed A4 laminated sign. Test it with an elderly relative and rewrite until they can understand it. Get reception staff to hand it out with the captive portal credentials.

    Occasionally update list as you get the chance to test new devices.
    Last edited by pete; 13th October 2011 at 04:12 PM.

  10. #10

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    671
    Thank Post
    155
    Thanked 51 Times in 49 Posts
    Rep Power
    33
    At my last school we had a guest wireless network set up, but it would not work with https sites, which didn't bother us. Also we had to go through the HGFL filtering whatever happened, so that protected students a bit.

  11. #11

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,881
    Thank Post
    1,316
    Thanked 1,738 Times in 1,087 Posts
    Blog Entries
    19
    Rep Power
    563
    To deal with the mish mash of devices and how to set the proxy for them you have a few options. The easiest for the end user is to use a transparent proxy so that no settings need to be put in place. This does have limitations though.

    Ideal scenario ... possibly ...

    There is an available public / guest SSID. This is VLANed off from the rest of the network and the output is routed into a filtering device / appliance, which is set to operate as a transparent proxy. If this device can also operate as a firewall too you have effectively created a DMZ. This can be important for when you also want to consider not just filtering web pages over HTTP but also the activity on other ports. This can range from ensuring ports are open for things like Android Marketplace or locking down the ability to send emails via port 25 in case someone brings in an infected laptop that has a mass-mailer worm on it. Access between this VLAN and the school can be limited ... and you could limit it to a secure web front-end to remote desktop services of some sort ... Citrix, SGD, etc. If students are bringing their own device in then they can use the guest network but accessing work, etc. is via a controlled device (i.e. the Remote Server).

    The barriers to this ... setting up your managed wireless network to allow this. Prevent people from just plugging in a laptop to an available free network port on the wall. The investment in the infrastructure for Remote Services. The filtering / firewall device / appliance. The time to manage and maintain the solution.

    Not a complete list, but enough to get you going, perhaps.

  12. Thanks to GrumbleDook from:

    drewp (19th October 2011)

  13. #12

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,800
    Thank Post
    110
    Thanked 582 Times in 503 Posts
    Blog Entries
    1
    Rep Power
    223
    Also, ensure you use wireless isolation. The last thing you want is one compromised device on your public WLAN infecting everyone else using it.

  14. #13

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,608
    Thank Post
    49
    Thanked 444 Times in 330 Posts
    Rep Power
    136
    I would read this article before opening your wifi up to any Tom, Dick or Harry that happens to walk in...

    Study shows viral SSIDs could be creating a massive wireless botnet | TechRepublic

    It's a bit old but the basic principle still applies: several football clubs have fallen foul of what effectively becomes a massive DOS attack, people with phones in their pockets all scanning for wifi and associating at every opportunity, resulting in DHCP scope exhaustion, overloaded APs and LAN and WAN bandwidth issues.

    Better to have a simple WEP or WPA key requirement so that casual passers-by don't just associate by default.

    Google Viral SSID for more Info.

  15. #14
    maveriick's Avatar
    Join Date
    Jun 2011
    Location
    Florida
    Posts
    27
    Thank Post
    1
    Thanked 1 Time in 1 Post
    Rep Power
    0
    We apply a very strict filter (the same as our students) via M86 for our guest network.
    This covers our issues with CIPA.
    Our network power levels are set to only go 15 Ft beyond our walls. So they can not get it in most situations near the school.

  16. #15

    Join Date
    Oct 2011
    Location
    rural northwest Wisconsin
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    This is just a theory, but it seems possible to use JavaScript to get the user's browser ID string, and then for devices that are known to need additional fiddling to get working, direct them to a common website that tells them how to fix the problem.

    Here is where I would direct people:

    Wpad Wiki

    Page redirects could be created for each specific troublesome browser ID (the ID is the page, which redirects to a human-readable fix page).


    Part of the reasoning here is that this is hardly a problem limited to just me and my little school district. This is a problem that is only going to get worse around the planet, as mobile devices are hauled to schools in greater and greater numbers.
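
The browser-ID lookup theorised in post #15, sketched as an added example that is not part of the original thread. `WIKI_BASE`, the fix-page names and the user-agent strings are constructed placeholders; the point shown is that the browser ID is client-controlled, so it is bounded and percent-encoded before it becomes a page name, and is used only to pick a help page, never to decide filtering.

```javascript
// Added example, not from the thread. WIKI_BASE, the page names and the
// user-agent strings below are constructed placeholders.
const WIKI_BASE = "https://wiki.example/wpad/";

// The browser ID is client-controlled input: keep printable ASCII only, bound
// the length, and percent-encode it so it stays a single URL path segment.
function pageNameFor(userAgent) {
  const id = String(userAgent || "")
    .replace(/[^\x20-\x7e]/g, "")
    .trim()
    .slice(0, 256);
  return encodeURIComponent(id);
}

// Client side: the link a portal page would send the visitor to,
// e.g. location.href = lookupUrl(navigator.userAgent) in a browser.
function lookupUrl(userAgent) {
  return WIKI_BASE + pageNameFor(userAgent);
}

// Wiki side, modelled as a table: one redirect page per troublesome browser
// ID, keyed by the encoded page name, pointing at a human-readable fix page.
const REDIRECT_PAGES = new Map([
  [pageNameFor("Mozilla/5.0 (Linux; U; Android 2.2; SampleTab)"),
    "Android_hidden_proxy_setting"],
  [pageNameFor("SampleBrowser/1.0 (ExampleOS 3)"),
    "Enable_auto_proxy_detection"],
]);

// Unknown or empty IDs fall through to a generic page instead of an error.
function fixPageFor(userAgent) {
  const target = REDIRECT_PAGES.get(pageNameFor(userAgent));
  return WIKI_BASE + (target || "Unlisted_device");
}
```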
