Discussions

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville
------------------------------

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

That sounds like a brilliantly simple solution!  I see  you use Cisco ISE, but do you need to have a Cisco end-to-end network?  (We're a Meraki school, and I don't know if Cisco ISE is supported by Meraki equipment)

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School
------------------------------

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

We have a mixture of Cisco and Meraki switches in place, but all of my Access points are Meraki.  It has not been a problem.  You would have to talk with an Cisco technician to be sure, but I don't think your switch manufacturer should matter.

Jim M.

------------------------------
James Manikas
Director of Technology
Webb School of Knoxville
------------------------------

Original Message:
Sent: 09-21-2021 12:24 PM
From: Justin Hermanek
Subject: Guest Wifi and Student Wifi Configuration

That sounds like a brilliantly simple solution!  I see  you use Cisco ISE, but do you need to have a Cisco end-to-end network?  (We're a Meraki school, and I don't know if Cisco ISE is supported by Meraki equipment)

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Nice!  Thanks for sharing!

------------------------------
Justin Hermanek
The Alexander Dawson School
------------------------------

Original Message:
Sent: 09-21-2021 12:40 PM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

We have a mixture of Cisco and Meraki switches in place, but all of my Access points are Meraki.  It has not been a problem.  You would have to talk with an Cisco technician to be sure, but I don't think your switch manufacturer should matter.

Jim M.

------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-21-2021 12:24 PM
From: Justin Hermanek
Subject: Guest Wifi and Student Wifi Configuration

That sounds like a brilliantly simple solution!  I see  you use Cisco ISE, but do you need to have a Cisco end-to-end network?  (We're a Meraki school, and I don't know if Cisco ISE is supported by Meraki equipment)

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

James,

You bring up some additional details I didn't originally include.  Currently, we have a radius server authenticate users: students, faculty, staff to our main wifi (if you want to call it that) and then to get past our firewall, devices have to have an SSL certificate. We don't monitor student devices off campus, so when they come to campus, they potentially bring outside stuff to our network.  Some ideas we've come up with include:  further separating student wifi, almost treating them as guests, but with the few printers they have access to OR to have our VPN installed on their devices to filter stuff even when they're off campus.

In terms of our Guest wifi, since it also goes through our firewall, we've had some complaints about the way it's being filtered.  Some ideas have been to change the wifi pw weekly or biweekly OR add users to our wifi system and give them a temp pw...

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Hi Gordon,

If you're using Meraki, you may want to look into Sponsored Guest authentication - in this configuration, a user must have an on-campus user (someone who can be e-mailed) essentially "vouch" for them.  You can also limit long how they're able to connect for (just the day, up to like 2 weeks).  

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School
------------------------------

Original Message:
Sent: 09-21-2021 02:15 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

James,

You bring up some additional details I didn't originally include.  Currently, we have a radius server authenticate users: students, faculty, staff to our main wifi (if you want to call it that) and then to get past our firewall, devices have to have an SSL certificate. We don't monitor student devices off campus, so when they come to campus, they potentially bring outside stuff to our network.  Some ideas we've come up with include:  further separating student wifi, almost treating them as guests, but with the few printers they have access to OR to have our VPN installed on their devices to filter stuff even when they're off campus.

In terms of our Guest wifi, since it also goes through our firewall, we've had some complaints about the way it's being filtered.  Some ideas have been to change the wifi pw weekly or biweekly OR add users to our wifi system and give them a temp pw...

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Justin,

We have Mist/Juniper.  I'll have to do some research and see if this is viable, but I'm all for ideas.

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Original Message:
Sent: 09-21-2021 02:22 PM
From: Justin Hermanek
Subject: Guest Wifi and Student Wifi Configuration

Hi Gordon,

If you're using Meraki, you may want to look into Sponsored Guest authentication - in this configuration, a user must have an on-campus user (someone who can be e-mailed) essentially "vouch" for them.  You can also limit long how they're able to connect for (just the day, up to like 2 weeks).  

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School

Original Message:
Sent: 09-21-2021 02:15 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

James,

You bring up some additional details I didn't originally include.  Currently, we have a radius server authenticate users: students, faculty, staff to our main wifi (if you want to call it that) and then to get past our firewall, devices have to have an SSL certificate. We don't monitor student devices off campus, so when they come to campus, they potentially bring outside stuff to our network.  Some ideas we've come up with include:  further separating student wifi, almost treating them as guests, but with the few printers they have access to OR to have our VPN installed on their devices to filter stuff even when they're off campus.

In terms of our Guest wifi, since it also goes through our firewall, we've had some complaints about the way it's being filtered.  Some ideas have been to change the wifi pw weekly or biweekly OR add users to our wifi system and give them a temp pw...

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

https://www.mist.com/documentation/sponsored-guest-access-wlan/

Looks like mist has the same feature (amazingly named the same as well) :)

------------------------------
Justin Hermanek
The Alexander Dawson School
------------------------------

Original Message:
Sent: 09-21-2021 02:28 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

Justin,

We have Mist/Juniper.  I'll have to do some research and see if this is viable, but I'm all for ideas.

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-21-2021 02:22 PM
From: Justin Hermanek
Subject: Guest Wifi and Student Wifi Configuration

Hi Gordon,

If you're using Meraki, you may want to look into Sponsored Guest authentication - in this configuration, a user must have an on-campus user (someone who can be e-mailed) essentially "vouch" for them.  You can also limit long how they're able to connect for (just the day, up to like 2 weeks).  

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School

Original Message:
Sent: 09-21-2021 02:15 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

James,

You bring up some additional details I didn't originally include.  Currently, we have a radius server authenticate users: students, faculty, staff to our main wifi (if you want to call it that) and then to get past our firewall, devices have to have an SSL certificate. We don't monitor student devices off campus, so when they come to campus, they potentially bring outside stuff to our network.  Some ideas we've come up with include:  further separating student wifi, almost treating them as guests, but with the few printers they have access to OR to have our VPN installed on their devices to filter stuff even when they're off campus.

In terms of our Guest wifi, since it also goes through our firewall, we've had some complaints about the way it's being filtered.  Some ideas have been to change the wifi pw weekly or biweekly OR add users to our wifi system and give them a temp pw...

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

This Mist solution sounds fairly limited in comparison to Cisco ISE, but I would bet that it is significantly cheaper, and if it does everything you need, then it is well worth looking at.

------------------------------
James Manikas
Director of Technology
Webb School of Knoxville
------------------------------

Original Message:
Sent: 09-21-2021 02:32 PM
From: Justin Hermanek
Subject: Guest Wifi and Student Wifi Configuration

https://www.mist.com/documentation/sponsored-guest-access-wlan/

Looks like mist has the same feature (amazingly named the same as well) :)

------------------------------
Justin Hermanek
The Alexander Dawson School

Original Message:
Sent: 09-21-2021 02:28 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

Justin,

We have Mist/Juniper.  I'll have to do some research and see if this is viable, but I'm all for ideas.

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-21-2021 02:22 PM
From: Justin Hermanek
Subject: Guest Wifi and Student Wifi Configuration

Hi Gordon,

If you're using Meraki, you may want to look into Sponsored Guest authentication - in this configuration, a user must have an on-campus user (someone who can be e-mailed) essentially "vouch" for them.  You can also limit long how they're able to connect for (just the day, up to like 2 weeks).  

Thanks,
Justin

------------------------------
Justin Hermanek
The Alexander Dawson School

Original Message:
Sent: 09-21-2021 02:15 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

James,

You bring up some additional details I didn't originally include.  Currently, we have a radius server authenticate users: students, faculty, staff to our main wifi (if you want to call it that) and then to get past our firewall, devices have to have an SSL certificate. We don't monitor student devices off campus, so when they come to campus, they potentially bring outside stuff to our network.  Some ideas we've come up with include:  further separating student wifi, almost treating them as guests, but with the few printers they have access to OR to have our VPN installed on their devices to filter stuff even when they're off campus.

In terms of our Guest wifi, since it also goes through our firewall, we've had some complaints about the way it's being filtered.  Some ideas have been to change the wifi pw weekly or biweekly OR add users to our wifi system and give them a temp pw...

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Gordon,

This is what I like so much with ISE.  All of this type of security is handled as soon as anyone connects to our network.  Access to printers, specific VLANs, or any other network device that I want them to have access too.  It is all by the MAC address of any device on the network with no need to any passwords of any kind.  If you already use some sort of authentication like a radius server or active directory, then the authentication can be integrated with that and network security can be assigned that way as well.

------------------------------
James Manikas
Director of Technology
Webb School of Knoxville
------------------------------

Original Message:
Sent: 09-21-2021 02:15 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

James,

You bring up some additional details I didn't originally include.  Currently, we have a radius server authenticate users: students, faculty, staff to our main wifi (if you want to call it that) and then to get past our firewall, devices have to have an SSL certificate. We don't monitor student devices off campus, so when they come to campus, they potentially bring outside stuff to our network.  Some ideas we've come up with include:  further separating student wifi, almost treating them as guests, but with the few printers they have access to OR to have our VPN installed on their devices to filter stuff even when they're off campus.

In terms of our Guest wifi, since it also goes through our firewall, we've had some complaints about the way it's being filtered.  Some ideas have been to change the wifi pw weekly or biweekly OR add users to our wifi system and give them a temp pw...

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School

Original Message:
Sent: 09-20-2021 07:04 AM
From: James Manikas
Subject: Guest Wifi and Student Wifi Configuration

Hello,

We found that trying to manage SSID passwords for student, staff, parents and visitors was a nightmare.  If we had individual passwords, then we were constantly having to change or reset them when people forget them.  If we had one password for an SSID, then everyone knew all the passwords to all the SSIDs almost immediately after they were released.  Instead of securing the wireless network in that traditional way, we use Cisco Identity Services Engine (ISE) on our network.  

We have one SSID that everyone uses and it is, on the surface, insecure and does not require any sort of log in.  However, behind the scenes, everyone that connects to my wireless network is automatically connected to the "guest" network unless we have their MAC address entered in our system.  The guest network gives users passthrough access to the Internet, but absolutely no access to the internal network and it's resources at all.  They can't even print to a local printer.  While we do not do it, you can also implement a landing page that guest users would have to sign in with, similar to what you described.

All other users that have registered MAC addresses are automatically added to whatever VLAN and security we wish them to have.  This is completely invisible to them.  It is easy for anyone to connect to our network and it is easy to control the security and access to the network at all times. 

This system does take a little bit if configuration on the front end by the technology team of course.  But once that is set up, it is seamless and extremely easy to manage.


------------------------------
James Manikas
Director of Technology
Webb School of Knoxville

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

For Guest WiFi we have an open network that anyone can join. It has a captive portal page that says you are using our network and we monitor it. The Guest network is at least as restrictive as our most restrictive student setup. However all our student machines have monitoring client so it doesn't really matter.

For Student devices we just have PSK WPA2. I have been working with Wi-Fi so long I still have nightmares on simply getting devices connected that layering on certs and other secutiry bits has always scared me. I assume the students are bad and don't give them access to anything (and faculty honestly) on servers so not much concern there. Everything is in Microsoft cloud so it doesn't matter if they are on my network or not.

------------------------------
Brian Hoyt
French American School of Puget Sound
------------------------------

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Thanks everyone for your input as I shared the responses with my team members.  I think we're going with a passphrase that we'll change on occasion.

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------

Original Message:
Sent: 09-17-2021 09:51 PM
From: Gordon Carswell
Subject: Guest Wifi and Student Wifi Configuration

1. Guest Wifi
Recently, a discussion came up within my department about Guest Wifi as we have had tutors and contractors run into some difficulty using it.

Currently, when connecting to Guest, users are prompted to enter their name, reason for visit, and a personal email address.  Once they submit this information, they get a code to their personal email that allows them onto the Guest wifi.  This network was filtered as an elementary school student on our firewall due to students and employees using this network inappropriately.  We have since bumped up the filter to middle school student privileges. This network is the only network that doesn't require our firewall's SSL certificate.  How do you have your Guest network setup?

2. Student Wifi and security
The conversation we had about our Guest network led us to a conversation about our students' devices since our current program for 4th through 8th grade is BYOD.  For those of you that have BYOD, how have you handled the security of external devices people might bring on campus (might as well include smart phones)?  The only thing we require for BYOD devices is our SSL certificate.  

#ITSystemsandSupport

------------------------------
Gordon Carswell
Technology Trainer and Support Specialist
The Epstein School
------------------------------