Wireless guest access
After a little advice please! We have a Xirrus wireless network in place, at present it operates over 2 VLANs.
1. VLAN 1: School wireless, on the school network for school devices. At present it only requires a password and is filtered via our Lightspeed box, with the SWGfL filter turned right down to the bare bones. A RADIUS server will be set up in the next couple of months for this.
2. VLAN 50: Guest wireless, a totally separate IP network with a Linux DHCP server, which accesses the internet through a separate port on our router; however, it goes through the same SWGfL filter. We want to control who has access to this, i.e. limit it to 6th form, teachers, guests etc. School management want a system similar to, say, a hotel, with a web page that users have to log into. How do other people do this?
Any help appreciated. Regards
You will need some kind of captive portal to control user access granularly.
We use Aruba here which has that included and can link to Active Directory if required.
I built something a bit similar recently.
I used an Ubuntu server running Samba to verify usernames and passwords coming off a Cisco RADIUS client. The beauty of this approach was that the devices didn't have to be domain members, so phones, iPads and other stuff work great. But this was my design brief. Once authenticated using Samba, the Ubuntu server gave the device an IP address through DHCP.
Cisco RADIUS client > Ubuntu RADIUS server running FreeRADIUS > authenticates using Samba against AD > Ubuntu DHCP server assigns IP address to client > client now on network.
It actually works quite well, though it was a pain in the cheeks. I'd have a look at something like PacketFence before trying to roll your own.
Some pages I bookmarked during this endeavour:
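The Cisco RADIUS client > FreeRADIUS leg described above carries the user's password hidden with the NAS shared secret (RFC 2865 section 5.2, PAP), and the server's reply carries a Response Authenticator the NAS can check. The following is an added example, not code from this thread or from FreeRADIUS: it builds the Access-Request on the client side, lets a toy server unhide and check the password, and has the client verify the reply. The username, password, shared secret and the in-memory user table standing in for the Samba/AD lookup are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only works with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; the length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    authenticator = data[4:20]
    attrs, pos = {}, 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, ident, authenticator, attrs


def build_access_request(username: str, password: str, secret: bytes, ident: int = 0) -> bytes:
    """What the NAS (the Cisco RADIUS client in the post) puts on the wire."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy RADIUS server. user_db is a constructed stand-in for the
    Samba/ntlm_auth lookup against AD that the post describes."""
    code, ident, request_auth, attrs = parse_packet(request)
    hidden = attrs.get(ATTR_USER_PASSWORD)
    if code != ACCESS_REQUEST or hidden is None:
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(hidden, secret, request_auth)
    expected = user_db.get(username, "").encode()
    ok = username in user_db and hmac.compare_digest(expected, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def client_verify(response: bytes, request: bytes, secret: bytes):
    """NAS side: trust the reply only if its Response Authenticator proves it
    came from a server holding the shared secret. Returns the code or None."""
    _, _, request_auth, _ = parse_packet(request)
    code, ident, response_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response_auth) else None


if __name__ == "__main__":
    SECRET = b"testing123"  # constructed shared secret; never leave this on a real NAS
    USERS = {"jsmith": "Winter2013"}  # constructed stand-in for the AD account
    req = build_access_request("jsmith", "Winter2013", SECRET, ident=7)
    print(client_verify(server_handle(req, SECRET, USERS), req, SECRET))  # 2 == Access-Accept
```

Two things this makes visible: with PAP the server recovers the cleartext password, so it can hand it to ntlm_auth, but the only thing protecting it between the access point and the RADIUS box is MD5 keyed with the shared secret, so pick a long secret and keep the RADIUS traffic on a management VLAN; and a NAS with the wrong secret gets a reject it cannot verify, which is the symptom to look for when a new client will not authenticate.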
Thanks for that, I'll have a look at those resources. I also didn't realise that Xirrus have something called Xirrus Management Access, so I'll look at that.
Thanks for the replies, guys.
Xirrus probably has a captive portal.
If not, we use pfSense (a free Linux security distro) to run our BYOD captive portals.
Your Lightspeed appliance can also provide a captive portal linked to your directory system, if you can run both VLANs through it.
Originally Posted by manick
At present the wireless guest doesn't go through the Rocket, although we are planning to upgrade to a newer server for it soon. In the end I've installed the pfSense captive portal as a stopgap measure; it works very well and is very easy to set up!
Thanks for the replies, guys.
There's a difference between Guest and BYOD.
If you do a captive portal as mentioned above, that allows your existing users to use the wireless, but that's a BYOD solution, not a Guest one.
If you do a captive portal on a Guest wireless, what are they meant to put in to authenticate, as they don't have AD details?
In my head a guest wireless is for people external to the school (visitors from other schools, local authority, parents, governors perhaps) who need internet access. They'll have no AD credentials, so they can't log in to a captive portal unless you give over a generic username and password to use.
I think you need to decide if you want a Guest or a BYOD solution, then go from there.
We do both a BYOD and a Guest. The BYOD is dealt with by a captive portal through Lightspeed and needs an AD account to log in; the Guest does a Ruckus 'captive portal', I suppose, and requires a Ruckus key to proceed and access the internet, which has to be given over at reception.
The guest users will have to authenticate against Active Directory. You can use NTLM in Squid (see Features/Authentication - Squid Web Proxy Wiki); it might give you some ideas for your setup.
At present we want to have only school-owned devices on our internal range, as we only have 2000 IP addresses. As the majority of BYOD devices will be mobile phones, I'm not too fussed about allowing them access to the internal range: apart from the internet, there's not too much they would use on the school network, although there are many ways they can get at their school stuff externally if they want to. Regarding authentication, I'm just setting users up individually at the moment, which is not too much trouble really, and for guests we are issuing vouchers. Don't get too caught up on the fact that we have named it 'Guest wireless'; we still allow students and staff access to it. When we've got a dual-bridge Lightspeed Rocket, I will look at setting authentication up via AD.
Thanks for all the replies.
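The voucher approach the last post settles on (reception hands a code to a visitor, who types it into the portal) has a few rules worth getting right: the code should be unambiguous to read out across a desk, an unused code should lapse, and once redeemed it should be tied to the first device that used it for a limited session rather than being reusable by anyone who overhears it. The following is an added example of that logic, not code from this thread or from pfSense's own voucher feature; the alphabet, lifetimes, labels and MAC addresses are constructed for the example, and `now` is passed in explicitly so the expiry rules can be exercised without waiting.

```python
import secrets
import time

# Alphabet without 0/O/1/I so reception can read a code out without ambiguity
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def normalise(code: str) -> str:
    """Accept 'ab cd-ef gh' style input from the portal's login form."""
    return code.upper().replace(" ", "").replace("-", "")


class VoucherBook:
    def __init__(self, unused_validity=7 * 86400, session_length=8 * 3600):
        self.unused_validity = unused_validity  # seconds a printed, unredeemed code stays valid
        self.session_length = session_length    # seconds of access once redeemed
        self.vouchers = {}                      # code -> record (in memory for the example)

    def issue(self, label: str, now=None) -> str:
        """Reception issues a code; label is who it was given to, for the audit trail."""
        now = time.time() if now is None else now
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(8))
            if code not in self.vouchers:
                break
        self.vouchers[code] = {"label": label, "issued": now, "mac": None, "expires": None}
        return code

    def redeem(self, code: str, mac: str, now=None) -> bool:
        """Called by the portal with the code typed in and the client's MAC."""
        now = time.time() if now is None else now
        v = self.vouchers.get(normalise(code))
        if v is None:
            return False
        mac = mac.lower()
        if v["mac"] is None:
            # first use: a printed code nobody used in time is dead
            if now > v["issued"] + self.unused_validity:
                return False
            v["mac"] = mac
            v["expires"] = now + self.session_length
            return True
        # already redeemed: only the same device, and only until the session ends
        return v["mac"] == mac and now <= v["expires"]

    def revoke(self, code: str) -> bool:
        """Pull a voucher early, e.g. when a visitor signs out at reception."""
        return self.vouchers.pop(normalise(code), None) is not None


if __name__ == "__main__":
    book = VoucherBook(session_length=4 * 3600)
    code = book.issue("visiting governor, Tuesday")  # constructed label
    print(code, book.redeem(code, "aa:bb:cc:dd:ee:ff"))  # prints the code and True
```

Binding to the MAC address only stops casual sharing of a code; a determined user can spoof a MAC, so keep the session short and treat the voucher as a record of who was let on, not as strong authentication. The in-memory dictionary would be a database table on a real portal so that vouchers survive a restart and can be listed and revoked from reception.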