Educause Security Discussion mailing list archives

Re: Guest Wireless Restrictions


From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 8 May 2012 14:39:36 -0500

Require any kind of registration or authentication?

Our open SSID was restructured in March. Guest access requires entry of either an AD username/password or a random 
challenge delivered to SMS (immediate entry required) or email (30-minute grace period allowed for retrieval of the 
code). We have the ability to generate bulk username/passwords for conferences, but the self-service challenge/response 
validation is easy enough that we haven't actually used "guest accounts" yet. We've had a few hundred parents, 
prospective students, dining hall staff, and community members get online without a single helpdesk call. We intend to 
reply on guest self-registration for Commencement and Reunion this year; previously, we enabled temporary SSIDs that 
were completely unrestricted.

Restrict the bandwidth, or access to ports and functionality in any way?

Guests are behind a NGFW interface with a default-log-and-allow outbound policy. Guests are blocked from our IP space, 
except for public web servers and a few other things. Port 25 is blocked. Otherwise, it's pretty much open.

Both guests and student/faculty/staff users on the open SSID are limited to 2Mbps (most local users are on 
WPA2-Enterprise). 

Do you allow P2P from the guest range?

Yes. And Teredo and other tunneling protocols, which are blocked for most local users.

Excessive outbound bandwidth (metered via RADIUS accounting) returns the user to the captive portal, which tells 
them that "file sharing" can be naughty and presents an "Enable Network" button.

We have not received a DMCA complaint yet. If we do, we'll blacklist the MAC address and forward the note to their 
registered email/SMS.
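The metering step the post describes, as an added example that is not Carleton's own code: it reads RADIUS accounting interim updates in FreeRADIUS "detail" file layout (an assumed format), takes the latest cumulative upload counter per Acct-Session-Id (including the Gigawords high bits), sums per client MAC, and reports which clients have crossed an assumed quota and should be sent back through the captive portal.

```python
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS "detail" style (one record per blank-line-separated block).
# Session a1b2c3 has wrapped its 32-bit octet counter, so Acct-Input-Gigawords becomes 1.
SAMPLE_DETAIL = """\
Acct-Status-Type = Interim-Update
Calling-Station-Id = "00-11-22-33-44-55"
Acct-Session-Id = "a1b2c3"
Acct-Input-Octets = 900000000

Acct-Status-Type = Interim-Update
Calling-Station-Id = "00-11-22-33-44-55"
Acct-Session-Id = "a1b2c3"
Acct-Input-Octets = 100000000
Acct-Input-Gigawords = 1

Acct-Status-Type = Interim-Update
Calling-Station-Id = "66-77-88-99-AA-BB"
Acct-Session-Id = "d4e5f6"
Acct-Input-Octets = 250000000
"""
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Yield one dict of attribute -> value per accounting record."""
    for block in text.strip().split("\n\n"):
        rec = dict(m.groups() for m in map(ATTR_RE.match, block.splitlines()) if m)
        if rec:
            yield rec

def upload_bytes_per_mac(text):
    """Bytes each client MAC has sent, summed over its sessions.
    Acct-Input-Octets is what the NAS received from the client (its upload) and is
    cumulative per session, so keep the max per session instead of adding every update."""
    per_session = {}
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") not in ("Interim-Update", "Stop"):
            continue  # Start records carry no usable counters
        key = (rec["Calling-Station-Id"], rec["Acct-Session-Id"])
        octets = (int(rec.get("Acct-Input-Gigawords", 0)) << 32) + int(rec["Acct-Input-Octets"])
        per_session[key] = max(per_session.get(key, 0), octets)
    per_mac = defaultdict(int)
    for (mac, _sid), octets in per_session.items():
        per_mac[mac] += octets
    return dict(per_mac)

def clients_over_quota(text, quota_bytes):
    """Client MACs whose upload exceeds quota_bytes (an assumed threshold); re-gate these at the portal."""
    return {mac: b for mac, b in upload_bytes_per_mac(text).items() if b > quota_bytes}
```

Running `clients_over_quota(SAMPLE_DETAIL, 2 * 1024 ** 3)` flags only the client whose counter wrapped, since its true total is above 4 GB once the Gigawords field is folded in.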
