Educause Security Discussion mailing list archives
Re: Guest Wireless Restrictions
From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 8 May 2012 14:39:36 -0500
Require any kind of registration or authentication?
Our open SSID was restructured in March. Guest access requires entry of either an AD username/password or a random challenge delivered to SMS (immediate entry required) or email (30-minute grace period allowed for retrieval of the code). We have the ability to generate bulk username/passwords for conferences, but the self-service challenge/response validation is easy enough that we haven't actually used "guest accounts" yet. We've had a few hundred parents, prospective students, dining hall staff, and community members get online without a single helpdesk call. We intend to reply on guest self-registration for Commencement and Reunion this year; previously, we enabled temporary SSIDs that were completely unrestricted.
Restrict the bandwidth, or access to ports and functionality in any way?
Guests are behind a NGFW interface with a default-log-and-allow outbound policy. Guests are blocked from our IP space, except for public web servers and a few other things. Port 25 is blocked. Otherwise, it's pretty much open. Both guests and student/faculty/staff users on the open SSID are limited to 2Mbps (most local users are on WPA2-Enterprise).
Do you allow P2P from the guest range?
Yes. And Teredo and other tunneling protocols, which are blocked for most local users. Excessive outbound bandwidth (metered via RADIUS accounting) returns to the user to the captive portal, which tells them that "file sharing" can be naughty and presents an "Enable Network" button. We have not received a DMCA complaint yet. If we do, we'll blacklist the MAC address and forward the note to their registered email/SMS.
Current thread:
- Guest Wireless Restrictions Nardone, Mark (May 08)
- Re: Guest Wireless Restrictions Roger A Safian (May 08)
- Re: Guest Wireless Restrictions Entwistle, Bruce (May 08)
- Re: Guest Wireless Restrictions Bob Bayn (May 08)
- Re: Guest Wireless Restrictions Josh Richard (May 08)
- Re: Guest Wireless Restrictions Rich Graves (May 08)
- Re: Guest Wireless Restrictions Brian Helman (May 08)
- Re: Guest Wireless Restrictions Childs, Aaron (May 08)