I haven't changed anything specifically in my AUP, but I probably should, this 
was kind of the trial run to see if people used it and how it worked.  I only 
really have students on and they have all signed an AUP.  I don't have a user 
authentication trail, but I have their MAC address in the wireless and can see 
them move around from AP to AP.  The filter records everything so I have a 
trail that way too and the filter is really locked down.  I had to open it a 
little because yahoo was fully blocked.  They can't do anything that I would 
block on the regular side, so webmail, myspace and facebook are blocked.  They 
can search and look up general stuff.  I have DHCP so I can see the name of the 
device so in our school I could look through Skyward and have staff pick out 
the student who had the device.  If I found something funny I can block the MAC 
right on the wireless and then they are done.  I have not heard complaints 
about I can't get to this site.  I think most students think that they are 
being sneaky because they are on the wireless.  They aren't supposed to have the 
devices out during the school day so there isn't much traffic.  
 
I have had our wireless up for 2 years and had students ask when is it going to 
get opened up and I always told them I wasn't until I could control it.  What I 
want to do is connect everything via LDAP, but Ruckus hasn't pushed out the 
eDir LDAP part.  So if I switch to Windows I can have direct user 
authentication and would bring students in under that, but still keep them 
tunneled to the outside world.  With staff I create a user on the wireless and 
it manages the user by installing a program on the device to set everything up 
from what SSID it uses to the group they are in.  
 
The stuff I am more worried about is the MI-Fi's that I see come up on the 
wireless system and other things like that can allow others to access.  Even 
our iMacs can turn into a hot spot so I am happy with the guest part.
 
Dan
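
The trail described in the message above (device name from DHCP, the MAC seen moving from AP to AP, and the filter's records) can be joined into one per-device timeline. This is an added example, not part of the original thread; the CSV layouts, field names and sample rows are constructed assumptions, not the export format of any product named here. Filter entries are attributed by the lease active at that moment, since a guest IP can be handed to a different device later in the day.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; layouts and values are assumptions for illustration.
DHCP_LEASES = """start,end,mac,ip,hostname
2010-10-21 08:00,2010-10-21 10:00,00:11:22:aa:bb:01,10.50.0.21,Sams-iPod
2010-10-21 10:05,2010-10-21 12:00,00:11:22:aa:bb:02,10.50.0.21,LAPTOP-7
"""
AP_EVENTS = """time,mac,ap
2010-10-21 08:01,00:11:22:aa:bb:01,AP-Gym
2010-10-21 09:10,00:11:22:aa:bb:01,AP-Library
2010-10-21 10:06,00:11:22:aa:bb:02,AP-Library
"""
FILTER_LOG = """time,client_ip,host,action
2010-10-21 09:15,10.50.0.21,example.org,ALLOW
2010-10-21 09:20,10.50.0.21,webmail.example.com,BLOCK
2010-10-21 10:30,10.50.0.21,example.net,ALLOW
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")

def lease_owner(ip, when, leases):
    """Return the MAC that held `ip` at time `when`, or None if no lease matches."""
    for lease in leases:
        if lease["ip"] == ip and _ts(lease["start"]) <= when <= _ts(lease["end"]):
            return lease["mac"]
    return None

def build_trail(mac):
    """Merge AP roaming and filter hits for one MAC into a time-ordered trail."""
    leases = _rows(DHCP_LEASES)
    events = [(_ts(e["time"]), "ap", e["ap"])
              for e in _rows(AP_EVENTS) if e["mac"] == mac]
    for hit in _rows(FILTER_LOG):
        when = _ts(hit["time"])
        # Attribute by the lease active at that moment, not by IP alone.
        if lease_owner(hit["client_ip"], when, leases) == mac:
            events.append((when, hit["action"].lower(), hit["host"]))
    names = sorted({l["hostname"] for l in leases if l["mac"] == mac})
    return {"mac": mac, "hostnames": names, "events": sorted(events)}

if __name__ == "__main__":
    for when, kind, detail in build_trail("00:11:22:aa:bb:01")["events"]:
        print(when.isoformat(" "), kind, detail)
```
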

>>> "Michael T. Bendorf" <bendo...@a-ccentral.us> 10/21/2010 9:57 AM >>>
Dan, that is awesome and exactly what I am planning to do over the next couple 
weeks, but did you add any verbiage to your AUP to address it? Also, how do you 
handle abuse without an associated AAA trail?

--Michael T. Bendorf--
Technology Administrator
A-C Central C.U.S.D. #262
Google Voice: 217.408.0043

"I'm trying to teach myself to ask the same questions that you do during your 
lectures so that I do not need you any more."

A good teacher is like a candle - it consumes itself to light the way for 
others.

"The computer revolution hasn't started yet. Don't be misled by the enormous 
flow of money into bad de facto standards for unsophisticated buyers using poor 
adaptations of incomplete ideas."
- Alan Kay



On Thu, Oct 21, 2010 at 9:53 AM, Daniel Zobel <zob...@husd4.k12.il.us> wrote:


This is one of the things I love about my Ruckus system. It has a built-in 
guest SSID that I put on its own VLAN and it auto tunnels to the outside. It 
has an AUP that says you are under the school's agreement of the AUP. I have to 
give rights to the tunnel to hit our webserver. With my filter, Cymphonix, then 
it is set to even stricter settings than student filtering, but they can still 
do what they want for the basic stuff. I also put the filter on a time limit so 
the guest only works from 7:45 - 4:00 during the weekday. I also put a 
bandwidth limit that allows only a trickle up and down. The majority of people 
use it for their iPods. Some students bring in a laptop. It works really well. 

Dan

Sent from my iPhone

On Oct 21, 2010, at 9:35 AM, Ben Story <ben.st...@gmail.com> wrote:



In the Cisco controllers there is the concept of a lobby ambassador role. This 
person is given access to the controllers and is allowed to create a temporary 
username and password for the guest network. The guest is then prompted by a 
captive portal for those credentials along with the AUP. In this scenario, the 
school secretary or someone like that would have to give the person access. Not 
great for sporting events, but during the day it would work well and keep the 
kids off the guest network.

On Thu, Oct 21, 2010 at 9:16 AM, Michael T. Bendorf <bendo...@a-ccentral.us> 
wrote:


right - sure - just MAY - but I agree that it is expected and frankly: we want 
to offer it.
I just want to document it and have policy to point to: right now our AUP is 
written in language that assumes the user is logging into AD with assigned 
credentials.
Public access does away with most of Authentication, Authorization, and 
Accounting (AAA.) It also seems to open a door for students to jump over to the 
public side with whatever device they have brought in to get online without 
leaving an obvious trail. The content would still be filtered, but the AAA is 
gone...


--Michael T. Bendorf--
Technology Administrator
A-C Central C.U.S.D. #262
Google Voice: 217.408.0043




On Thu, Oct 21, 2010 at 9:11 AM, Bob Morse <bmo...@d168.org> wrote:


The new e-rate rules do not mandate that if our Internet access is paid for
by e-rate that we MUST give access to the public.

-----Original Message-----
From: tech-geeks-boun...@tech-geeks.org
[mailto:tech-geeks-boun...@tech-geeks.org] On Behalf Of JimHays
Sent: Thursday, October 21, 2010 8:52 AM
To: Tech-Geeks Mailing List
Subject: Re: [tech-geeks] Public Wireless access policy

At some point we need to understand and realize that we are not in a
corporation but we are a public service institution paid for by public
money. With the proliferation of wireless devices - and wait until
Christmas this year when almost EVERYONE will have either a smartphone
or some kind of wireless Internet device - the public will expect to
have access when they attend school events. We can't just hide behind
our conservative, staff-only, policies. We need to adjust with the
times and give the public what is expected. Even USAC realizes this now
with their new rule changes which allow public access to school networks
paid for by E-Rate funds. (Be sure you understand those rules before
giving public access to E-Rate funded Internet. At this time we don't
use E-Rate to pay for our Internet so we are not governed by those rules
even though our public access does fall under the new rules' scope.)

Heath Henderson wrote:
> We have a similar stance but have to allow people such as tri county
> special ed doing IEP work and visiting student teachers etc on at some
> point. I don't like it but really what is stopping them from jacking into
> a port on the network and getting physical access that way. Lesser of the
> unhook of a cable is easier for me to deal with.
>
> -Heath Henderson
>
> On Oct 21, 2010, at 7:17 AM, Dan Ragen <dera...@gmail.com> wrote:
>
>
>> While I don't have a District wide or School wide wireless system the
>> access points I do have are for
>> District personnel only. I think that you may run into trouble
>> letting others in. Think of it this way, Would you let
>> someone in on one of your desktops? I usually take a very
>> conservative approach to this type of situation.
>>
>>
>> On Wed, Oct 20, 2010 at 5:33 PM, Michael T. Bendorf
>> <bendo...@a-ccentral.us> wrote:
>>
>>> Now that my wireless is installed (last AP fired up this afternoon) I have
>>> had requests for the password to get on.
>>> I have not provided that to anyone, but rather explained that things were
>>> not ready for public access yet...
>>> All of my district owned equipment has the PSK and can connect as though
>>> they are hard wired...but I wonder what other districts do for public
>>> access. For instance I had a student from the neighboring district want to
>>> get online here to do some homework before practice (we co-op with this
>>> other school.) I really felt bad saying not yet - but that is the truth of
>>> it.
>>> We have an active directory and we push out browser proxy settings via GPO.
>>> Everyone must first sign our current AUP and then they must authenticate with
>>> our CIPAFilter before egressing to the Internet. I want to provide "the
>>> public" access to a filtered Internet experience. I do not want visiting
>>> mobile devices to access anything other than the public Internet. This seems
>>> pretty straightforward, but something I have not set up before.
>>> Even more than just the config of my HP ProCurve MSM APs/Controller my real
>>> question is how do you address this from a policy point of view? Do you have
>>> a separate document? Do you ask guests to sign something? Click on
>>> something? Is it part of your general AUP? etc?.?.?.
>>>
>>> --Michael T. Bendorf--
>>> Technology Administrator
>>> A-C Central C.U.S.D. #262
>>> Google Voice: 217.408.0043
>>>
>>> | Subscription info at http://www.tech-geeks.org |
>>>
>>>
>>
>> --
>> Daniel E. Ragen
>> District Technology Coordinator
>> Dupo CUSD 196
>> 600 Louisa Ave
>> Dupo, IL 62239
>> Phone - 618-286-3214 x2141
>> dra...@dupo.stclair.k12.il.us
>>
>> ''Life's tough ... it's even tougher if you're stupid."
>> - John Wayne
>>
-- 
--
Ben Story 
CCSP, CCNA, CCNA Wireless, CCDA
ben.st...@gmail.com

"You cannot escape the responsibility of tomorrow by evading it today." -- 
Abraham Lincoln

