Restricting Wireless Access on Campus?

Cliff posted more than 10 years ago | from the dynamic-access-allotments dept.

Security 89

Diety_in_A_Minor asks: "How would one set up a wireless network on a campus such that restrictions can occur by classroom? My back of the napkin solution would be to relate MAC addresses to class schedules, and have the DHCP server allow access to student-registered MAC addresses only during specific times. Although possible, this solution requires tremendous maintenance. What other solutions are there? One class in a building will require restrictions, while both classrooms adjacent to it need open access."

Old Tech (4, Insightful)

Muggins the Mad (27719) | more than 10 years ago | (#9470527)

Change the student password every hour. Have the teacher easily able to see what the password is.

Write the password on the blackboard at the start of the class. Possibly have several different passwords with different levels of access.

- Muggins the Mad

a better idea (1, Funny)

Anonymous Coward | more than 10 years ago | (#9470908)

1. surround entire campus by 30 foot tall concrete structure with only one point for entry and access.

2. establish three checkpoints that students must pass before entry into campus.

3. at first checkpoint verify that people wishing to enter have a valid student id.

4. at second checkpoint perform checks on biometric data encoded in student id cards

5. at third checkpoint perform full cavity searches to verify that no unauthorized internet access equipment is being carried into the authorized internet access area.

6. expand campus police force, giving them a full array of lethal and non-lethal crowd control devices.

7. instruct campus police officers to randomly search students and verify that any internet access they are engaged in is authorized.

8. construct on campus detention facility. (de-commissioned student union building may be an appropriate location for this)

9. train campus police officers in "moderate physical pressure" techniques for use in extracting information about unauthorized internet access methods used by students potentially in violation of school's internet access policies.

and this is only the beginning of an effective strategy. there is much more you could do, but i have to stop and converse with an approaching campus police officer.

Re:Old Tech (2, Funny)

DetrimentalFiend (233753) | more than 10 years ago | (#9471584)

Two words: faraday cage

Of course, you'd have to shield all of the rooms and then put an access point in every room that could be shut off. But, as long as we're talking about off the wall solutions, I thought I'd throw it out there.

Re:Old Tech (1)

Wog (58146) | more than 10 years ago | (#9473481)

Also ends the problem of ringing cell phones in class...

If you actually call it a problem. I had a professor who used to get so flustered at a cell ring that he would rant for 5-10 minutes. Effectively giving me room to ignore him and play games on my Palm...

Re:Old Tech (1)

s.fontinalis (580601) | more than 10 years ago | (#9478806)

Is the rebar mesh used in the reinforced concrete construction sufficiently close to function as a Faraday cage?

Weaken signal strength (4, Interesting)

SpaFF (18764) | more than 10 years ago | (#9470564)

Aside from changing the password (or WEP key) constantly and having the professor tell the students what it is each class, you could shield the classroom so that the signal doesn't travel outside of it. This of course assumes that the access point is in the classroom and that the room is small enough to electromagnetically shield economically. Depending on the size of the room (big lecture halls) you might be able to just turn the signal strength of the AP down low enough so that it can't be reached outside of the room.

MAC addresses? (5, Insightful)

Nasarius (593729) | more than 10 years ago | (#9470575)

Why not associate usernames with schedules and save yourself the hassle? Require a VPN logon for the wireless network, and deny access to specific users at the right times.

Re:MAC addresses? (1)

linzeal (197905) | more than 10 years ago | (#9471378)

Why not just require a VPN for the class that needs it and run an open network? Is there a bandwidth consideration here, or am I missing something?

Re:MAC addresses? (2, Insightful)

josh3736 (745265) | more than 10 years ago | (#9474416)

A lot of people have been suggesting some kind of MAC-based access control.

Don't waste your time.

The determined student can ever-so-easily skate right past MAC filtering. For example, if I'm in the class where I'm not supposed to connect, I can just sniff a MAC from the adjacent (wide-open) room and use that. Or just make one up, if you are using a blacklist instead of a whitelist.

Go with NoCat or, more preferably, a VPN. Anyone can associate with the AP, but the AP is firewalled from the rest of the network. A VPN has the added benefit of having real data security (as opposed to WEP).

NoCatNet! (3, Informative)

cfoster611 (219409) | more than 10 years ago | (#9470607)

I've been meaning to set up a system using NoCat

It creates a splash-screen authentication at first connection. Either that or mandatory VPN.

Two words (4, Funny)

deanpole (185240) | more than 10 years ago | (#9470608)

Faraday Cage

... is room with metal walls, and screens (like you see on the front of a microwave) to pass air.

Re:Two words (0)

Anonymous Coward | more than 10 years ago | (#9470781)

Why did 2 people mod this funny? It _is_ insightful but not funny.

Old fashioned (5, Insightful)

aridhol (112307) | more than 10 years ago | (#9470623)

Why is it required that this one room not have any network connectivity? Why not do it the old-fashioned way: tell the students that network access is prohibited.

What kind of school is this? Is it a college or university? The students are paying their way, let them waste their money by ignoring the class. Is it a K-12 school? Send a note home to the parents or disable the account of those caught using the 'net when they shouldn't.

Re:Old fashioned (0)

Anonymous Coward | more than 10 years ago | (#9470714)

mod up...usually physical security is more important

any system like that will be very hard to maintain...

Seconded... (4, Funny)

Gordonjcp (186804) | more than 10 years ago | (#9471235)

I mean, ffs, presumably these are University students we're talking about here? Are you deliberately treating them like naughty children as part of some kind of weird-ass psychological experiment?

Mind you, what do you expect from a country where you can buy a gun when you're 12 but you can't drink anywhere until you're 21?

Re:Seconded... (0)

Anonymous Coward | more than 10 years ago | (#9510123)

Please show verifiable information about where a twelve year old can buy a gun in this country.

Re:Old fashioned (1)

crazney (194622) | more than 10 years ago | (#9471261)


Perhaps it's an exam situation or something, and the exam is online?

Re:Old fashioned (4, Insightful)

kalidasa (577403) | more than 10 years ago | (#9471835)

You really don't want students to have WiFi capabilities in an examination environment. Remember, there are two kinds of WiFi network: infrastructure, and peer-to-peer.

Re:Old fashioned (1)

Guspaz (556486) | more than 10 years ago | (#9472374)

You can't really stop them from using P2P wireless short of jamming them, which is probably illegal.

Re:Old fashioned (1)

kalidasa (577403) | more than 10 years ago | (#9476294)

Sure you can. See sibling post. No personal (as in owned by students) devices with WiFi allowed in the classroom during the exam.

Re:Old fashioned (1)

bcrowell (177657) | more than 10 years ago | (#9473070)

Why not just forbid them to use laptops and PDAs during exams?

The OP really needs to give some information about why the heck he considers this necessary in the first place.

802.1x + RADIUS (4, Informative)

Russ Steffen (263) | more than 10 years ago | (#9470648)

What about using 802.1x with a RADIUS server that has time based access controls (like Radiator) ?

Re:802.1x + RADIUS (2, Insightful)

megabeck42 (45659) | more than 10 years ago | (#9471076)

This has to be the most effective solution suggested yet.

802.1x is more cross-platform than proprietary VPN solutions, requires no instructor cooperation changing keys or announcing new keys, requires no hacking up of a DHCP server, etc.

Re:802.1x + RADIUS (3, Informative)

lpret (570480) | more than 10 years ago | (#9472020)

I second this. At my university we use 1x and RADIUS and we can allow users during a time period to authenticate successfully. This means we can track who is on when, while allowing them to borrow a laptop or whatever. Look at your hardware and see if it's an option. By the way, are you familiar with the International Resnet Symposium? Currently underway at Princeton University, it's a great place to bounce ideas off of others and hear what other people (and vendors) have to offer.

Re:802.1x + RADIUS (2, Informative)

rasz (788512) | more than 10 years ago | (#9472200)

Agreed. 802.1x is the only way to go.
MAC filtering? Are you even serious?
ifconfig wi0 lladdr 01:02:03:04:05:06

Radius and good access policy, some centralised CMS-like management console and you're set.

Re:802.1x + RADIUS (1)

presarioD (771260) | more than 10 years ago | (#9477729)

ifconfig wi0 lladdr 01:02:03:04:05:06

Have you ever tried it? What it actually does is "masquerade" on the DHCP level but not the physical link level. The DHCP will try to send to 01:02:03:04:05:06 but the physical link doesn't know where that is!
It hasn't worked for me at least...

Re:802.1x + RADIUS (1)

FuzzieNorn (203503) | more than 10 years ago | (#9477771)

Presumably your card driver doesn't support MAC address spoofing, then. Most do.

wired in each room (0)

TheSHAD0W (258774) | more than 10 years ago | (#9470677)

Have a wireless access point in each room connected to a switch that sends wires to each table. The access points' addresses can be configured as static, which will let you control its access via iptables or whatever.

This question doesn't make much sense (1)

craXORjack (726120) | more than 10 years ago | (#9470764)

One class in a building will require restrictions, while both classrooms adjacent to it need open access.

And what keeps students in the middle classroom from connecting the access points on the other side of the wall? You need to explain the situation in more detail.

If only the middle classroom has access to some resource then just control access to that resource using something like NDS which allows limiting connections by MAC, IP, IPX addresses or by time of day, or by username.

Re:This question doesn't make much sense (1)

gl4ss (559668) | more than 10 years ago | (#9471567)

he thinks that he could control the mac addresses the students would be using, or something.

it would be an enormously difficult setup to keep working, wanting to restrict people who are in the room b while permitting access to people in rooms a c. if he could then he should make some vpn thingy and use it based on who should be in the room b, however, since he wants open access in rooms a and c I don't really see this happening.

only reason why I would see this needed to be enforced would be during tests.. and if you have laptops the students brought in you kinda 'lost' already(if you really want to keep that open access in a and c).

Easy. (1)

Txiasaeia (581598) | more than 10 years ago | (#9470768)

Figure how much it would cost to run unlimited wireless access from 8am to 5pm weekdays (times when the classes run, in other words). Restrict by MAC address and allot bandwidth according to classes - one hour per week per hour-long class. This is the net effect you want, right?

Benefits: it's easy to restrict by MAC and time spent, and students get to learn time management - if they use all their bandwidth for the week on Monday, then they're going to be royally screwed for the rest of the week. That, and you don't need a hugely complex system regulating who has what class and allowing their MAC address to connect, but the students whose classes are ending are cut off, etc. etc.


Txiasaeia (581598) | more than 10 years ago | (#9470780)

ACK! Sorry, forget the first sentence - I was going to suggest just leaving wireless on during week days and making students pay the difference, but then inspiration REALLY hit :) Mods, be nice!

Re:Easy. (2, Insightful)

sethstorm (512897) | more than 10 years ago | (#9471094)

MAC Address Restriction won't help, people could just sniff over and masquerade as other clients. Time up on one MAC? Spoof another. Rinse and repeat until wifi wants are satisfied, since nobody is going to be on all of that time or all of that week. Rate limiting won't help if it's done this way, you're just going to get some people who will just hop from one to another MAC, and people wondering what happened to their time.

Re:Easy. (1)

kaiidth (104315) | more than 10 years ago | (#9471875)

ifconfig eth0 hw ether my:mates:mac:address...

Re:Easy. (2, Insightful)

markxz (669696) | more than 10 years ago | (#9471623)

allot bandwidth according to classes- one hour per week per hour-long class

In most university situations it would be desirable to have access outwith the scheduled classes, but less desirable for use during classes (it is distracting and rude towards those taking the classes)

If it is necessary to restrict access (for exams etc) The easiest way is to disallow any equipment not provided by the university. In exams I have had calculators provided.

Why? (4, Interesting)

SecretFire (578177) | more than 10 years ago | (#9471035)

I think we need a lot more information about the circumstances here. Is there some sort of test that requires students to have a laptop but not access the internet?

Or is it some old teacher that thinks that it'll somehow force people to listen to their boring, pointless lectures, when the students will likely just find something else to entertain themselves with.

NoCat / VPN (1)

rawg (23000) | more than 10 years ago | (#9471098)

Yeah, I think that the best solution is to have a NoCat login that uses a database to tell what times the login is valid. You can do the same with VPN. Query the DB like "where $current_time > start_time and $current_time < end_time". Use that query when validating logins.
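
An added example, not part of the post above or of NoCat: one way to make the schedule lookup suggested in this thread (usernames tied to class times, checked when a login is validated) concrete. The table names, sample users and the exam session are constructed for illustration; the query binds its parameters instead of interpolating `$current_time` into the SQL text, and unknown usernames are denied.

```python
import sqlite3
from datetime import datetime

# Hypothetical schema: who exists, what they are enrolled in, and which
# class sessions must be offline for the students enrolled in them.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY);
CREATE TABLE enrollment (username TEXT NOT NULL, course TEXT NOT NULL);
CREATE TABLE restricted_session (
    course     TEXT NOT NULL,
    weekday    INTEGER NOT NULL,  -- 0 = Monday ... 6 = Sunday
    start_time TEXT NOT NULL,     -- zero-padded 'HH:MM', so text order = time order
    end_time   TEXT NOT NULL      -- same day; sessions do not cross midnight
);
"""


def make_db():
    """Build an in-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    db.executemany(
        "INSERT INTO enrollment VALUES (?, ?)",
        [("alice", "CS101-EXAM"), ("bob", "HIST200")],
    )
    # Constructed restricted session: Mondays 10:00-11:30.
    db.execute(
        "INSERT INTO restricted_session VALUES (?, ?, ?, ?)",
        ("CS101-EXAM", 0, "10:00", "11:30"),
    )
    db.commit()
    return db


def login_allowed(db, username, now):
    """Return True if `username` may authenticate at datetime `now`.

    Fails closed: a username that is not in `users` is always denied.
    The restricted window is half-open, [start_time, end_time).
    """
    known = db.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    if known is None:
        return False

    hhmm = now.strftime("%H:%M")
    # Bound parameters only; nothing user-supplied is pasted into the SQL.
    blocked = db.execute(
        """
        SELECT 1
        FROM enrollment e
        JOIN restricted_session s ON s.course = e.course
        WHERE e.username = ?
          AND s.weekday = ?
          AND s.start_time <= ?
          AND ? < s.end_time
        LIMIT 1
        """,
        (username, now.weekday(), hhmm, hhmm),
    ).fetchone()
    return blocked is None


if __name__ == "__main__":
    db = make_db()
    monday = datetime(2024, 1, 1, 10, 15)  # constructed timestamp, a Monday
    for user in ("alice", "bob", "mallory"):
        print(user, login_allowed(db, user, monday))
```

This gates new logins only; a session opened at 09:59 stays up unless the gateway re-runs the check or expires sessions when a restricted window starts.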

Re:NoCat / VPN (1)

netsharc (195805) | more than 10 years ago | (#9479906)

Knowing students, what's preventing a currently "non-privileged" student to borrow the username/password from a privileged one.. :)

Don't use Wireless (2, Insightful)

miyako (632510) | more than 10 years ago | (#9471121)

Wireless is good for a lot of things, but it seems to me that this "solution" will require so much more time and effort that you might as well just use a wired solution. It shouldn't be too hard to have a router in each classroom that can be turned on or off as is appropriate. With a wireless solution you are pretty much relegated to turning off each individual student's access based on their schedule, which is going to be much more difficult to implement effectively.

Re:Don't use Wireless (1)

fm6 (162816) | more than 10 years ago | (#9471461)

You've got to be kidding. Imagine a classroom with 30 students, each with his/her own ethernet cable. Then imagine the lawsuits....

Lawsuits for what? (1)

jotaeleemeese (303437) | more than 10 years ago | (#9471614)

Is common sense dead in the US?

The students could have a 30cm cable that would connect to a network port easily reachable on their desktop.

What is difficult with that?


Re:Lawsuits for what? (1)

fm6 (162816) | more than 10 years ago | (#9476326)

What is difficult? How about the cost? And how do you connect the ports to the desks? Most classrooms don't have raised floors.

Re:Lawsuits for what? (1)

cloudmaster (10662) | more than 10 years ago | (#9476719)

Most hardware stores have those rubber things that lay on the floor and hide cables, though. It'd be cheaper to buy a cheap switch, a handful of cables, and some floor runners than it would be to buy an access point capable of handling that many clients *and* paying someone to configure an overcomplicated access control scheme. :)

Re:Don't use Wireless (1)

jpmkm (160526) | more than 10 years ago | (#9471935)

What the hell are you talking about? "oh fuck that dude plugged in his ethernet cable I'm going to sue the school!!!" Imagine a classroom with 30 students, each with his/her own pencil. Then imagine the lawsuits...

Re:Don't use Wireless (1)

fm6 (162816) | more than 10 years ago | (#9476355)

OK, never mind the legal nonsense, just ask any teacher if they like the idea of all the cables all over the place

Re:Don't use Wireless (1)

jpmkm (160526) | more than 10 years ago | (#9490742)

All over the place? In all the wired classrooms I've seen, there are jacks and power outlets at the desks(actually a big long table thing). It's no more than a couple feet from the laptop to the jacks. No cables on the floor or anything. If you just throw a hub in a room and say, "hook up" then sure, you might have problems. If it is done correctly, though, then there is nothing to worry about.

Re:Don't use Wireless (1)

KingOfBLASH (620432) | more than 10 years ago | (#9472311)

You make a good point, especially considering that he's going to have to buy wireless access points anyway....

Use a simple solution. (3, Informative)

Harik (4023) | more than 10 years ago | (#9471189)

You don't need technology to solve this problem.

All your students should register their MAC address in order to get a working IP. Use whatever your vendor provides for making sure someone isn't getting on without that.

Make a policy stating that you can't do , then audit occasionally. When you find an invalid MAC, send them a warning letter.

Besides, it's impossible to enforce. If someone borrows a laptop, they suddenly get locked-out of the online lecture? What do you want them to do, whip out a cellphone in the back of the hall and call tech support?

2 examples (3, Informative)

neglige (641101) | more than 10 years ago | (#9471411)

I know 2 examples of universities that have WLAN on the entire (well, almost) campus.

1) Register your MAC address electronically, print out a form stating you will abide by the terms of usage, sign it, hand it in, and your MAC address will receive an IP from DHCP the next day. VPN required (with group passwords). Connections are filtered through a firewall.

2) No registration required, but you need to install a VPN client with a certificate which can be generated on a website which is only available from a computer with a campus-IP. Again, a firewall restricts connections, depending on the type of user (students have more restrictive filters than employees).

Of course each solution requires you to have an account at the university (LDAP check).

As we are also using PDAs, VPN is a bit of a burden, but so far the various devices (iPAQ & Palm 5xx) can handle it, more or less. A major annoyance is the fact that you tend to turn off the PDA to save power. This cuts the VPN connection, so you need to log in again and again and..... :/

Re:2 examples (1)

Garak (100517) | more than 10 years ago | (#9473537)

At the local university they use MAC filtering and WPA. You have to use a wifi nic they approve of(all 802.11g) and register your mac address with them(only one mac per student :/). I'm not sure if they are using VPN beyond that, I don't really see the need. You already know who is using the network based on the MAC, and as far as I know its not possible to change the MAC on any wifi nics.

Re:2 examples (1)

Garak (100517) | more than 10 years ago | (#9473605)

Actually I just tried to change the mac address on my wrt54g wireless router with openwrt firmware. No problem, take the wireless interface down and change the mac.(Yes the router supports client mode)

Secure wireless everywhere? what about my laptop (0, Offtopic)

Icyfire0573 (719207) | more than 10 years ago | (#9471510)

I'm still trying to get my 120mHz laptop to recognize my wireless card (i think its borked)

Re:Secure wireless everywhere? what about my lapto (0)

Anonymous Coward | more than 10 years ago | (#9473348)

Go millihertz.

First Class (1)

Big Sean O (317186) | more than 10 years ago | (#9471636)

Everyone shows up to the first class (if only to get the syllabus). Anyone who logs on wirelessly during the first class will have their MAC address recorded for that room.

Access points will only let known MAC addresses log on after the first class. Anyone who misses the first class, or replaces their card has to wait in some administrative-nightmare line. College students need to wait in long lines, it gives them bladder control.

Depends on the Wireless System (3, Informative)

routerwhore (552333) | more than 10 years ago | (#9471828)

Any of the next gen wireless platforms provide this functionality quite handily. They are completely centralized, user aware, include per-user firewalls, heavy duty encryption (2 Gbps IPSEC) and allow policies to be set based on location and time of day. When you are an organization that needs to manage more than 10 APs, you get a big boy system to do it. Let the small guys roll their own.

Disclaimer: I'm guilty of rolling my own as much as anyone, but there is such a thing as using the right tool for the job and I have decided this is the way to go in regards to wireless.

Impossible (4, Insightful)

photon317 (208409) | more than 10 years ago | (#9472031)

Even if you do access control by MAC address or VPN login as others have stated, students will just swap wireless cards or vpn logins with someone on a different schedule when they need to.

to those suggesting mac address solutions (1)

nuggetman (242645) | more than 10 years ago | (#9472038)

I'd like to remind you that those can be spoofed easily. Someone in room A gets the mac address of someone in room B or room C and suddenly they're wireless again.

1) Set up a simple user/pass combination using something like NoCatAuth and tie it to their university name/password, set times they can't access based on when they're in that room.

2) Use wires

Campus Manager (1)

jhealy1024 (234388) | more than 10 years ago | (#9472468)

While this is probably overkill for what you need, you may find it helpful in other parts of your network. I run the network at a private boarding school, and we use it to keep kids off the network at certain times (detention, lights out, etc). Several other schools and colleges in the Northeast also use it.

This company makes a product called Campus Manager. It's basically an appliance that talks to your switches (and wireless access points, and other network hardware). It learns MAC addresses and associates them with users, and tracks which physical ports they're connected to.

The system allows you to take actions on ports based on the MAC address connected to them. You can flip VLANs based on who links up to a port, or you can schedule ports to flip on a regular basis. If your WAPs support VLANs, you could do this in your classrooms. If they don't, the device can also act as a RADIUS server and the WAPs can talk to that to allow/deny access.

The system allows you to "force" registration, so users must link their MAC addresses with their names when they first come on the network. Once they've done that, you can easily group students and apply scheduled access to each group.

You can even give limited access to certain users (e.g., the faculty), so they can turn ports/users on and off whenever they want (for example, if they have a test that day).

Again, this may be overkill for what you need, but if you're looking for a more powerful general solution, this may be something you'd want to look into.


Re:Campus Manager (1)

Bishop (4500) | more than 10 years ago | (#9473973)

Every feature you list depends on the MAC. It is trivial to spoof a MAC.

A managed VPN would achieve the same results as Campus Manager with the addition of strong authentication and security. A VPN sounds big and scary, but a modern one isn't. Many VPN appliances even have point and drool interfaces.

Don't do it at all. (4, Insightful)

Charles Dart (731692) | more than 10 years ago | (#9472492)

It's a bad idea, students will either hack it or switch to cellular modems. Just let the tight-assed professors deal with it and tell them to join us in the twenty-first century.

What you are doing shows a lack of respect to the students. If a student wants to waste their opportunity to be educated let em. The good students will voluntarily go by the rules.

Believe me if you try to implement this system you are in for a world of hurt.

Re:Don't do it at all. (1)

ameoba (173803) | more than 10 years ago | (#9472905)

On top of that, any real solution would require you to have full access to class registration data. Considering the way most schools treat their IT people, you're not going to get this.

I'm trying to figure out why this needs to be done in the first place... If it's to prevent students from surfing during class but still allow them to type notes, you're fighting a losing battle. If it's to allow a professor to have laptops used (something like matlab) during a test but prevent cheating, you're fighting a losing battle.

This is the kind of thing that's likely not even really a problem and just bothers one specific professor who is probably in the English department and doesn't have any idea of the complexity of solving it & the ease of which any solution could be worked around.

Re:Don't do it at all. (0)

Anonymous Coward | more than 9 years ago | (#9489429)

I agree why should you restrict access to the internet. If a student doesn't want to learn then why force them. Even if you manage to set up a network that restricts internet usage, there will be a lot of retaliation. So you have to make a choice: Have internet usage restricted and have students miss out on class because they are protesting or rallying against the restrictions or have students be able to log on whenever they feel and have high attendance in the class rooms. Also the people that procrastinate and leave everything till the last minute will be resourceless because they will be trying to find information on the internet but don't have access to it.

Just because some professors are whining and complaining that some of their students are not paying attention doesn't mean anything. It should be the student's choice whether they pay attention or not pay attention. They should not be forced to pay attention.

Re:Don't do it at all. (1)

Technician (215283) | more than 10 years ago | (#9492205)

It's a bad idea, students will either hack it or switch to cellular modems.

I wonder why nobody mentioned peer to peer over IRDA. It is short range and hard to detect and block. It would work fine for a couple facing each other across a table in an exam.

Workaround (1)

sakusha (441986) | more than 10 years ago | (#9472853)

There must be an idiot-simple workaround. Wireless routers are dirt cheap, maybe the simplest solution would be just to give a preconfigured wireless router to each teacher, have them take it with them to class, and remove it when their class is done. Then they can physically remove the access point when it's not being used for their class. Each class could have a different preconfigged router, just plug and go for the duration of the class.
But I suspect there must be some reason why this wouldn't work.

Re:Workaround (1)

Bombcar (16057) | more than 10 years ago | (#9474247)

But I suspect there must be some reason why this wouldn't work.

Wireless access works through walls.

Re:Workaround (1)

sakusha (441986) | more than 10 years ago | (#9474921)

You're missing the point. In my idea, the routers would be preconfigured to that class of students' computers only, only those students would have access via a fixed password. Then disconnect the router to shut it down at the end of the class. This only deals with time limits on access, not on who can access, that has to be dealt with through regular router configuration. The time restriction seems to be the toughest problem. Of course I'm presuming the router has some sort of NVRAM to keep configuration data between classes, when it's powered down.

Spend $$$ (3, Informative)

drix (4602) | more than 10 years ago | (#9473410)

At my school (Berkeley) they're using something by Vernier, most likely this, to require login and password for WLAN access. It's pretty cool--anyone can get a DHCP lease but apparently the Vernier access manager maintains a dynamic routing table that drops all your traffic until you've authenticated. Since they've managed to link the access manager in with the strange Kerberos-ish auth mechanism our school uses ("CalNet") I've a feeling the system is quite flexible and could be easily integrated with class schedules to provide the solution you're looking for. (The literature says it supports all the usual suspects--Kerberos, LDAP, Radius, NT, etc. and those are flexible enough on their own to do it.)

Re:Spend $$$ (1)

IrateEmperor (786843) | more than 10 years ago | (#9478520)

Go (Air)bears...The Calnet authentification is linked directly to the Student ID numbers and specific passwords of the students. Interestingly enough, for some strange reason, in most of my boring late afternoon classes, I can't seem to get on the network...

Re:Spend $$$ (0)

Anonymous Coward | more than 10 years ago | (#9500661)

Berkeley? Ha! What software ever came out of there?


It should be easy as pie. (1)

rice_burners_suck (243660) | more than 10 years ago | (#9473453)

I don't think it will take a tremendous effort to relate MAC addresses to schedules. You could do it by having individual students set up one or more MAC addresses under their account, through an automated process that's required to make their wireless work on each of their computers. Once each student has a list of MAC addresses associated with them, you create, at the beginning of each term, a database that relates these MAC addresses to times of the day. All this occurs through a script. When students add or drop a class, your school will invoke the script that modifies that student's table of times for their MAC addresses. I can see why it would take a bit of effort to program all of that, but afterwards, it would all happen automatically.

heh (0, Offtopic)

pluggo (98988) | more than 10 years ago | (#9474567)

Just don't use a Netgear or Linksys router. I hear they have some security problems or something. :)

mac address (2, Interesting)

jbolden (176878) | more than 10 years ago | (#9474605)

The problem with most of these mac address based solutions is they assume:

1) You don't have large numbers of people openly subverting the system

2) People don't have administrative access to their own boxes

Neither of which is true in a college environment. You can tell an ethernet card to change its effective mac address to anything and students will share information with each other.

Security requires that:
a) the people with access want to protect the information from the people without access
b) The people with access cannot communicate to the people without access

You don't have either situation. Rather what you have is a 3rd party creating a security policy (which classrooms have access) which does not enjoy student support. I agree with the poster who commented on a wired solution, this seems 100x easier.

Location tracking - it can be done! (2, Informative)

berteag00 (78331) | more than 10 years ago | (#9476043)

...but not with off-the-shelf solutions. See the research of Dan Wallach, Rice University (my alma mater). He's been doing some research on Bayesian methods of determining a wireless node's location based on its signal strength at multiple APs. Surprisingly robust, even in the face of people maliciously modulating their signal strength, et al. See his work here. Remember, it's still in the research stage: but if you could implement it on a large scale, you'd make a pretty penny doing so!
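Added example, not part of the comment above and not the cited research's algorithm or code: a generic Bayesian estimate of which room a client is in, from its signal strength at several APs. The room and AP names, the fingerprint values, the Gaussian noise model and its sigma are all assumptions, and every room is assumed to have survey data for every AP.

```python
import math

# Constructed fingerprints: mean RSSI (dBm) each hypothetical AP reports
# when a client sits in each room.
FINGERPRINTS = {
    "room_101": {"ap_a": -45.0, "ap_b": -70.0, "ap_c": -80.0},
    "room_102": {"ap_a": -65.0, "ap_b": -50.0, "ap_c": -72.0},
    "room_103": {"ap_a": -82.0, "ap_b": -68.0, "ap_c": -48.0},
}
SIGMA = 6.0  # assumed standard deviation of RSSI noise, in dB


def log_likelihood(observed, expected, sigma=SIGMA):
    """Sum of independent Gaussian log densities, one per AP reading."""
    total = 0.0
    for ap, rssi in observed.items():
        z = (rssi - expected[ap]) / sigma
        total += -0.5 * z * z - math.log(sigma * math.sqrt(2 * math.pi))
    return total


def posterior(observed, prior=None):
    """P(room | readings) by Bayes' rule, normalised in log space."""
    rooms = list(FINGERPRINTS)
    prior = prior or {r: 1.0 / len(rooms) for r in rooms}
    logs = {
        r: math.log(prior[r]) + log_likelihood(observed, FINGERPRINTS[r])
        for r in rooms
    }
    peak = max(logs.values())  # subtract the maximum to avoid underflow
    weights = {r: math.exp(v - peak) for r, v in logs.items()}
    norm = sum(weights.values())
    return {r: w / norm for r, w in weights.items()}


def locate(observed, min_confidence=0.9):
    """Most probable room, or None when no room is confident enough."""
    post = posterior(observed)
    room = max(post, key=post.get)
    return room if post[room] >= min_confidence else None
```

Returning None for a client on the boundary between two rooms leaves the per-room policy decision to something other than a coin flip.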

Re:Location tracking - it can be done! (1)

Technician (215283) | more than 10 years ago | (#9492220)

determining a wireless node's location based on its signal strength at multiple APs

That would work well unless someone is using a high gain directional antenna.

Yeah, go off MAC addresses, (2, Interesting)

La Camiseta (59684) | more than 10 years ago | (#9476233)

and see how long before I use something like Knoppix STD to change my MAC address and get my ass into the network.

Come on, if you're a University, then you've already got fat pipes, and probably let the kids in dorms and the library have unlimited access, so why treat your other students like crap just because they're in the wrong location?

And if you limit their internet access, what kind of education do you think that you're providing them with by limiting the information that they can access?

Hell, and even if you try to, odds are that anybody with half a brain will hack it, or the user with access is going to set up their system as an IP masquerading AP.

Re:Yeah, go off MAC addresses, (1)

Narkov (576249) | more than 10 years ago | (#9476452)

FFS...think outside the square. What about examination situations? You generally don't want students downloading the answer from google instead of creating it themselves.

Re:Yeah, go off MAC addresses, (2, Informative)

La Camiseta (59684) | more than 10 years ago | (#9476632)

If they're stupid enough to let the kids bring in a computer or PDA, then they deserve it. Anyways, who in their right mind would let a kid bust out a laptop or PDA in an exam situation?

(And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers? There's no real way to stop that. Or maybe downloading the info earlier and just going off of it during the exam?)

If they must have computers for final exams, then that's what computer labs are for.

Re:Yeah, go off MAC addresses, (0)

Anonymous Coward | more than 9 years ago | (#9489525)

A good solution would be to turn off the internet access for the duration of the test, then when the test is over turn it back on, and have a website that shows all the times when the network is going to be turned off and for how long, or schedules posted throughout the campus. Easy, fast and hack proof.

Re:Yeah, go off MAC addresses, (1)

Narkov (576249) | more than 10 years ago | (#9526412)

I use a computer all the time in examination situations. Coding and network administration are two such examples.

> And if they do, what's to stop the kids from creating an ad-hoc network and sharing answers?

A packet monitor

> Or maybe downloading the info earlier and just going off of it during the exam?

A freshly imaged computer

> If they must have computers for a final exams, then that's what computer labs are for.

Great point sherlock. Do you suggest they leave these labs totally detached from the LAN all the time? It goes back to the original question which you have failed to answer - how do you lock out a particular room/location if all computers have access to the same AP/wireless setup? Hint: the answer isn't ban computers or kill the electricity.

Re:Yeah, go off MAC addresses, (1)

gcaseye6677 (694805) | more than 10 years ago | (#9492007)

In addition to the issues listed here, it is just too much trouble to try to restrict wireless communication. There's no foolproof way to do it without spending a lot of time and money, and even then someone will hack it. For instance, how would you control student access to wireless internet through a cellular provider? Unless there's some really compelling reason to restrict access that the original submitter left out, it seems like much more trouble than it's worth.


dg41 (743918) | more than 10 years ago | (#9477221)

I agree w/ some of the posts above. At my school (Wright State), we use a wireless network, with RADIUS authentication that expires every two hours. Give instructors the choice of allowing equipment or not; I had a prof who strictly forbid the use of Palms in class.

quit counting beans (2, Interesting)

Game Genie (656324) | more than 10 years ago | (#9477965)

If a student decides to sit and screw around on the internet during class rather than listen that is their own problem, they have the right to fail. At worst this may be a minor disruption to the class, in which it is always within the prof's discretion to give them the boot. This is college, not high school.

That being said, no MAC filtering or proxy solutions are going to be foolproof (or, more accurately, geek proof). It is easy enough to set up NAT on a laptop to give access to the next room, or spoof your MAC. As I see it, there are two possible solutions that would virtually guarantee that you achieve what you are trying to accomplish:

Magnetically seal each classroom: difficult, expensive, effective.

Jam 2.4 GHz in classrooms that you don't want access in: Cheaper, but may cause unwanted interference. Leaves 802.11a wide open for repeaters. Questionable legality?

Best of all, both of these solutions have the added benefit of blocking those &*$#!@#%$*% cell phones!

Re:quit counting beans (1)

emorphien (770500) | more than 10 years ago | (#9479385)

Agreed, it's not worth the effort. If the student is being disruptive that's one thing, but if they're not paying attention let them fail. There are plenty of classes I've been in where you might want to look something up online to back up or refute what the prof says. This is too much baby sitting for college. If a professor doesn't want things being used that's all they have to say.

You want to spend money (2, Informative)

Famanoran (568910) | more than 10 years ago | (#9479767)

and get a BlueSocket device. Truly, they are the best.

PPPoE (1)

bungeejumper (469270) | more than 10 years ago | (#9480064)

User-level authentication...all you need is a Radius server.

Keep it open! (2, Interesting)

beej_55 (789241) | more than 10 years ago | (#9481276)

We'll never get anywhere by building fences. You've heard the Linux quote, "In a world without windows and gates, who needs walls and fences." My simple solution is to just let the people on the network, use a public/private hotspot, D-Link makes some nice ones. Simple, but effective.

Wire AP to switch (1)

mfarver (43681) | more than 10 years ago | (#9485175)

Assuming that there is one AP per classroom, and connections to adjacent classrooms do not work well:

Just have the campus electrician wire the AP to a lightswitch next to the blackboard. Then the professor can make their own decision on wireless access. The user interface requires little maintenance, is easy to use and difficult to hack without getting caught or electrocuted.


OSU setup (1)

Alphasniper (603307) | more than 10 years ago | (#9497068)

The Ohio State University has many wireless access points all over the campus. Since they already have pre-existing online student logins, those are used to gain online access. When you "hook up" to the router and open an internet browser it just pulls up a username verification page. That way any traffic from your address during the login period is associated with your username. Please excuse my simplistic explanation, I'm not at the ubergeek level yet :-p 4lpha-$

The english solution (1)

Monkeyfobia (761469) | more than 10 years ago | (#9497377)

There's a big difference between universities/high schools (or English colleges): pupils (normally) want to be there, so if they don't want to listen to the lecture they obv don't wanna pass. I sit in lectures with my pbook taking notes, accessing the presentation in the lecture theater, getting files needed for the week's work etc. I assume you have spent a lot on an 'e campus', so what's the point in denying access to it? Having an e campus is a great tool for learning; if I get confused by a word, I can google it, reserve a book from the library and get it later. Restricting this will be detrimental to learning, and pupils will always find a way round. If I go to the only lecture theater without access, I'll use bluetooth and GPRS to dial up if I need to.