Educause Security Discussion mailing list archives

Re: Wireless access by users with multiple devices


From: "Doty, Timothy T." <tdoty () MST EDU>
Date: Fri, 17 Sep 2010 09:08:06 -0500

What is the issue? Does it matter if a user has multiple wireless devices
active? Is there a shortage of addresses? Insufficient wireless resources to
cope with the demand? Something else?

In our environment all network devices (other than some infrastructure) get
a public IP address from our /16.  I'd have to check to see the total
allocation for wireless as we have different subnets - some are PSK and some
are WPA. There has been a definite increase over the past few years in
mobile network devices which has caused us to allocate more/larger subnets
for wireless use (approximately a third of our active IP addresses are now
for wireless devices) in addition to bulking out our wireless network in
terms of geographical coverage and number of clients that can be handled.

We require network devices to be registered to a user and by default there
are number limits to avoid creative user behavior (we have very creative
students) but if a student really had 50 network devices I don't see why he
wouldn't be able to register them; it would just require IT intervention.
All devices registered to a user "belong" to the same subscriber in our
traffic shaper so a student with 50 devices trying to download on each of
them is not going to be happy with the results. This is a deliberate
configuration on our part and helps to reduce abuse.

The main problem we've had with wireless devices is that users often won't
register them. To facilitate the registration process we have a certain
number of IP addresses reserved for unregistered systems - basically no
Internet access but they can get to the online registration form. The issue
is that this is often "good enough" access for the user and they just don't
bother to register. Or they aren't aware/don't care that the device is
proactively acquiring a wireless IP address. Which means that the
unregistered IP address pool gets exhausted. To help with this issue if a
system stays on an unregistered IP address for too long it is automatically
registered in a way to deny any DHCP requests. It helps, but does not
resolve the issue.

We don't have any policy limiting the number of wireless devices a user can
register; from that point of view it is just considered an alternate way to
connect to the network. The main reason there are any limits to the number
of device registrations per user is to prevent abuse. From a traffic shaping
perspective all devices registered to a user share the same bandwidth
allocation. To my knowledge we have enough access points to give reasonable
client coverage so inability to connect to the wireless network is either a
client issue or exhaustion of the IP address pool (normally the unregistered
device pool).

Tim Doty

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Jones
Sent: Thursday, September 16, 2010 6:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Wireless access by users with multiple devices

 

We are currently grappling with the issue of concurrent wireless access by
users with multiple devices.  For those of you who may have dealt with this
already, do you have any thoughts, suggestions, recommendations surrounding
policies, strategies?  Thanks.

 

Christopher Jones

IT Security Administrator

University of the Fraser Valley

Christopher.Jones () ufv ca

 
