At TCU, we have a no router/no hub/no student network device policy. We flush 
out a lot of APs by looking for funny TTL values with our IDS. When we see the 
odd TTLs, we shut the offender down (every device that they registered) and 
require them to remove it.
This helps a lot! Beware that if a student is running multiple operating 
systems on the same system (i.e., VMware - Oracle VirtualBox) and is NAT'ing the 
guest, funny TTLs will show up and cause them to be disabled.
Additionally, this does not address wireless devices not interconnected to your 
network where you don't have visibility to TTLs.

For those interested in the TTL concept - we got the idea from this article:
http://isc.sans.edu/diary.html?storyid=10615
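
The TTL check described in the message above, sketched as an added example (not code from the original post or from TCU's IDS). It assumes a sensor that sees client packets a known number of routed hops from the access port, assumes the common OS default initial TTLs of 64, 128 and 255, and runs on constructed sample observations.

```python
from collections import Counter, defaultdict

# Assumption: widely used default initial TTLs (Linux/macOS 64, Windows 128, some gear 255).
COMMON_INITIAL_TTLS = (64, 128, 255)

def extra_hops(ttl, sensor_hops=0):
    """Routed hops between the sender and its access port, or None if ttl is out of range.

    sensor_hops is how many routers legitimately sit between the port and the sensor.
    """
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl - sensor_hops
    return None

def find_suspects(observations, sensor_hops=0, min_packets=3, max_extra=3):
    """Return {src_ip: [odd TTLs]} for hosts that repeatedly show decremented TTLs.

    A packet counts as odd when it arrived 1..max_extra hops "too far" away, which
    is what a personal router/AP doing NAT in front of the client produces.
    NAT'd VM guests give the same signature, so a hit needs human follow-up.
    """
    per_host = defaultdict(Counter)
    for src, ttl in observations:
        per_host[src][ttl] += 1

    suspects = {}
    for src, ttls in per_host.items():
        odd = {}
        for ttl, count in ttls.items():
            hops = extra_hops(ttl, sensor_hops)
            if hops is not None and 1 <= hops <= max_extra:
                odd[ttl] = count
        if sum(odd.values()) >= min_packets:
            suspects[src] = sorted(odd)
    return suspects

# Constructed sample: (registered source IP, TTL seen at the sensor).
SAMPLE = (
    [("10.20.1.15", 128)] * 4                              # Windows host, direct
    + [("10.20.1.22", 63)] * 3 + [("10.20.1.22", 127)] * 2  # mixed clients behind NAT
    + [("10.20.1.30", 64)] * 3 + [("10.20.1.30", 1)]        # link-local TTL 1, ignored
    + [("10.20.1.41", 127)]                                 # single packet, below threshold
)

if __name__ == "__main__":
    for ip, ttls in find_suspects(SAMPLE).items():
        print(f"{ip}: odd TTLs {ttls}")
```

The `min_packets` threshold and the `max_extra` bound keep one-off packets and deliberately low TTLs (link-local traffic) from triggering a shutdown.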

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Lee H Badman
Sent: Friday, November 11, 2011 7:37 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] College deals with wireless issues

At Syracuse, we had a stringent "no rogues" policy since early on, endorsed by 
our CIO and enforced as we see 'em. The interference issue is one concern, but 
security is another as our NAC and hostreg systems are bypassed when the rogues 
come to town.

Many students don't know about the "don't install your own" policy (it's a 
rule, not a request for us) despite the many ways we try to get the word to 
them before they get here as freshmen, and during move-in. At the same time, we 
do a good enough job that the number we have to take down during a semester is 
manageable, and most of them are found and eliminated from my office as we've 
developed good methodology for identification and removal that rarely needs 
feet on the ground to find them. I firmly believe that growing the culture for 
all campus demographics (not just students- faculty and staff as well) that 
rogues aren't allowed with good education on why- has been a big part of our 
success.

We restrict our games to the wired network at this point and that is a very 
clean delineation. Not sure how long we can get away with it going forward... 
we do have unique situations where we go outside of the "it either does 802.1x 
or it goes on the wire" party line. We quietly MAC-register certain devices on 
our guest WLAN (powered by Bluesocket)- like game consoles used by students in 
leased hotel space off campus. We have brought in the campus WLAN for them, but 
the wired network is the hotel's, with both performance and support by hotel 
being disappointing. We also have Korean students with myLGNet VOIP/WLAN phones 
that show up with a very loud wireless router as a base station. We make them 
put the base station away but in return register them on the guest network so 
they can now wander campus to talk to home, rather than just be restricted to 
their base station. And we have a few toy robots, Kindles, horrible smartphones 
that take 617 steps to maybe get going on .1x if the moon is in the right 
phase, that we also quietly put into the guest space. We don't advertise it, 
but it serves as a good solution for when things don't fit the .1x network and 
the wired network isn't the answer.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Justin Sipher
Sent: Thursday, November 10, 2011 7:53 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] College deals with wireless issues

Hi all,

I see Frank came across the article from our student newspaper.  Bravo as it 
was "published" late late night.  Must be a Google-Alert or something 
equivalent.  :-)

(btw that is how I saw it about 5am today also)

The student (freshman) reporter did a decent job with the article but with any 
situation like this they missed what I consider to be important details that 
this group would appreciate.  I worked hard to help explain things in layman's 
terms.  Something we all strive to do.  We had a very brief but noticeable DNS 
hiccup on Monday on our acad/admin LAN.  As you know, DNS is like air, all 
our network services need it to live.  I won't bother you with the DNS problem 
that is now resolved.  That triggered them to ask about other (but totally 
unrelated) network issues.

The meat of the issue is our ResNet wifi service.  We added Wifi in the dorms 
last academic year.  As the article states we outsourced ResNet to our 
regional broadband provider (TW Cable) 6+ years ago.  I'm a big fan of this as 
the Internet bandwidth, 24x7 tech support, and infrastructure support is as 
good if not better than we could do locally.  I also think this relates to IT 
"letting go" of things where we don't provide strategic value.  Residential 
networking on campus is similar to that off-campus (if you have off-campus 
student populations).  The issue of outsourcing may be somewhat of an aside for 
this list.

Anyway, after testing their residential wifi solution (~ 2 years ago) we 
decided to go with a hardware solution they have used in hotels, etc..  It's an 
external antenna solution from Bel-Air.  I know TWC (and frankly us also) were 
not prepared for the extent of the demand.  TWC was thinking that if we have ~ 
2k students in the dorms they would need to support up to 1500 users/devices 
simultaneously.  Before we went live we educated them to the reality of today's 
18-22 year old regarding # of wifi devices and the "always on" nature of the 
users and/or their devices.  We got them to use 802.1x rather than browser 
redirect authentication to allow for usable mobile access.

TWC & Bel-Air are making progress technically.  I think our biggest current 
challenge is a cat and mouse situation with personal AP's.  I'd say we have 
400+ personal AP's in the dorms.  This is causing interference and making things 
worse.  Is banning personal AP's the norm for most of you?  We are probably 
going down that path, but only after TWC adds a handful more AP's to increase 
the chance of things working as desired when we do that.

BTW any of you see this?  Does it sound familiar?

http://www.nytimes.com/2011/10/25/business/ipads-change-economics-and-speed-of-hotel-wi-fi-on-the-road.html?_r=1

Best,
....Justin
________________________
 Justin Sipher
 Chief Technology Officer
 Skidmore College
 Saratoga Springs, NY
 [email protected]
 518-580-5909


Begin forwarded message:
From: "Parker, Ron" <[email protected]>
Date: November 10, 2011 1:07:39 PM EST
To: [email protected]
Subject: Re: [WIRELESS-LAN] College deals with wireless issues
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]>

It looks like the reply-to on the list isn't working right or something. I 
posted a witty rejoinder to this message and it went only to the original 
poster rather than the list. Frank has probably implemented an e-mail sender 
filter as a result. Perhaps our gracious list admin could check and see if I'm 
mistaken?

I couldn't tell how much of what happened at Skidmore was a Time Warner problem 
versus other issues. There seem to be a lot of things all going on at the same 
time. I've heard my colleagues at other colleges talk about challenges with 
outsourcing residence hall networking. One of them had what sounds like a 
similar experience with a virus outbreak at the beginning of this semester. 
Unfortunately, it was the college IT staff running around fixing things and 
taking the blame rather than the vendor.

Since this is the wireless list, I'll focus on the wireless issues. If you ask 
me, this is the important quote: "'The original design of the wireless system 
in the residence halls was to provide supplemental coverage to the wired 
network in your rooms,' said Sipher." So a student is sitting there with an 
unused 100 meg or gig wired port that would probably work fine but the Skidmore 
folks are being sent running around with their hair on fire because the 
outsourced wireless is overloaded. I just think user expectations of wireless 
are unrealistic and we in IT are probably not doing a good job of correcting 
that. I routinely tell people here to use a wired connection if what they are 
doing is important. This is in spite of the fact that we have a honking new 
wireless system with the latest and greatest magic available.

I am definitely in the club of "been there done that" along with the folks at 
Skidmore. Sounds like they are trying to do a good job of communicating about 
the situation and I've always found that goes a long way towards making 
everyone happier. There is a lot of good information in that article.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu

This e-mail sent from my non-mobile, 64-bit, quad core, Windows 7 workstation.



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Frank Bulk
Sent: Thursday, November 10, 2011 9:02 AM
To: [email protected]
Subject: [WIRELESS-LAN] College deals with wireless issues

http://www.skidmorenews.com/news/information-technology-department-addresses-wireless-issues-1.2691856#.TrvkfkMUqdA

This article has some details but doesn't make it very clear if all the
problems have been DNS or otherwise, but I thought there might be some
people on this list who find this news article interesting.

I don't think Skidmore is on this list, as I don't mean to embarrass
anyone.  We've all "been there" in one circumstance or another.

Frank

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
