We get requests every 3-4 months to create an open SSID for on-campus Board of Regents Meetings.
Our solution was to contract with AT&T WiFi to provide guest access across campus. We advertise the "attwifi" SSID on our wireless infrastructure, hand off layer two traffic to an appliance provided by them (for NAT'ing and/or tunneling) and then route the output of the appliance through our normal Internet connection. We paid for the appliances up front and then pay a monthly fee to AT&T. AT&T handles all the CALEA and DMCA issues. AT&T benefits because any of their cell-phone customers in range of the "attwifi" SSID automatically offload their wireless IP traffic to our network.

The Board of Regents IT support still complains that users have to click on a splash page to connect to wireless, but we are working through that :-).

-Neil

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
Sent: Tuesday, May 20, 2014 6:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] requests for open, unauthenticated, no portal WiFi

We use essentially the eduroam services guidelines (https://www.eduroam.us/node/69) but we have bandwidth restrictions on "guest" WiFi that are not applied to actual eduroam traffic.

Jeff

On 5/20/2014 1:31 PM, Heath Barnhart wrote:

I'm using a simple ACL to restrict traffic. For VPN access we are allowing SSL and some well-known ports used by many VPNs. My supervisor said he got the list from somewhere on Educause, though I never saw the actual documentation.

--
Heath Barnhart
ITS Network Administrator
Washburn University
785-670-2307

On Tue, 2014-05-20 at 12:01 +0000, Osborne, Bruce W (Network Services) wrote:

Heath,

What do you allow for VPN? There are several different technologies used.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Heath Barnhart [mailto:heath.barnh...@washburn.edu]
Sent: Monday, May 19, 2014 11:01 AM
Subject: Re: requests for open, unauthenticated, no portal WiFi

There are certain laws you might fall under if you allow open access, such as CALEA. We recently put in an open/unauthenticated network, but with restrictions. Visitors must still register their devices (though there is no validation), we only allow for 3 days of access followed by a 3 day exclusion period, and we limit what services can be used to basic stuff like HTTP, HTTPS, FTP, SSH, and VPN.

--
Heath Barnhart
ITS Network Administrator
Washburn University
785-670-2307

On Thu, 2014-05-15 at 12:52 -0400, Chuck Anderson wrote:

Has anyone had to deal with administration requests for completely open, unauthenticated WiFi with no captive portal auth for guest access to use during events or generally? What arguments do you use against this kind of deployment? We are in a city and do not wish to become the ISP for surrounding neighborhoods.

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.