At Liberty University, we use an in-house designed portal system.

Our portal server provides DNS (using destination NAT on wireless). The DNS 
server has a very short TTL on the results to minimize DNS cache poisoning. If 
the client tries to look up a permitted entry, the request is forwarded to real 
DNS servers for resolution. If the client tries to go to any other entry, they 
are given the portal server IP address as the result. We also control using IP 
address firewall rules, but we tend to use subnets to permit the provider to 
move servers without us needing to update our IP address restrictions.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971
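
The DNS behavior described in the message above (permitted names forwarded to real resolvers, everything else answered with the portal address on a short TTL), sketched as an added example; it is not part of the original message and is not Liberty University's code. The portal address, TTL value, permitted zones and all function names are assumptions for illustration.

```python
import socket
import struct

# Assumed values for illustration; none of these come from the message above.
PORTAL_IP = "192.0.2.10"   # documentation-range address standing in for the portal
SHORT_TTL = 5              # seconds, so a redirected answer does not linger in caches
PERMITTED = ("activation.example", "updates.example")  # hypothetical permitted zones

def build_query(name, qtype=1, txid=0x1234):
    """Construct a sample DNS query (RD set) so the example runs offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, offset just past the question section)."""
    labels, pos = [], 12   # the fixed DNS header is 12 bytes
    while packet[pos] != 0:
        length = packet[pos]
        if length > 63:    # compression pointers do not belong in a question name
            raise ValueError("unexpected label length")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def is_permitted(qname):
    """Match whole labels, so 'evilactivation.example' is not permitted."""
    return any(qname == zone or qname.endswith("." + zone) for zone in PERMITTED)

def handle_query(packet):
    """Return None to forward to the real resolvers, else a portal response."""
    qname, qtype, end = parse_question(packet)
    if is_permitted(qname):
        return None
    answer = b""
    if qtype == 1:         # A record: point the client at the portal
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SHORT_TTL, 4)
        answer += socket.inet_aton(PORTAL_IP)
    flags = 0x8080 | ((packet[2] & 0x01) << 8)   # QR and RA set, RD copied from the query
    header = packet[:2] + struct.pack("!HHHHH", flags, 1, 1 if answer else 0, 0, 0)
    return header + packet[12:end] + answer
```

Non-A queries for names outside the permitted zones get an empty NOERROR answer here, so the client falls back to the A record that points at the portal.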

From: Britton Anderson [mailto:[email protected]]
Sent: Thursday, January 8, 2015 8:42 PM
Subject: Re: New Device Activation WLAN

These devices prompt for a wireless network during the activation process, but 
won't let a webauth succeed.

I like Hunter's idea of adding the Apple/Google/Antivirus sites to the 
pre-webauth ACL. Cisco WLCs won't let you use DNS names for ACL entries, d'oh! 
Is there a known list of these hosts somewhere before I go sniffing wireless 
traffic?

Thanks,
Britton


Britton Anderson | Senior Network Communications Specialist | 
University of Alaska <http://www.alaska.edu/oit> | 907.450.8250

On Thu, Jan 8, 2015 at 4:24 PM, Mike King <[email protected]> wrote:
Maybe I'm oversimplifying this, but for the "average" user, don't those 
devices have to be activated BEFORE you can see the settings screen?

Mike

On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller <[email protected]> wrote:

This is what we do. While not authenticated to wireless you can still get to a 
few places - Microsoft, Apple, Google search, antivirus vendors.

--
Hunter Fuller
OIT

Sent from my phone.
On Jan 8, 2015 5:11 PM, "Frank Sweetser" <[email protected]> wrote:
We already have an unencrypted ssid for students to get to our onboarding 
system (Cloudpath). Our plan for this summer is to poke enough firewall holes 
for students to also run through the device activation process. If we were to 
try to impose any kind of device security policies, we would do it in the 
onboarding process.
On January 8, 2015 5:54:01 PM EST, Britton Anderson <[email protected]> wrote:
I just wanted to ask the question to see what all of you are doing at your 
institutions to handle users activating new devices. New iOS devices for 
example have to reach out to iCloud to validate themselves and make sure 
they're not stolen. Android now with version 5 is very similar, having to reach 
out to the mothership and join to a Google account.

Are any of you doing an "SSID-Activate" WLAN, or requiring clients to bring it 
by your respective Help Desks for activation?

Right now, we are requiring anyone that wants a device activated to have our 
Desktop techs touch it and give them pointers to secure it. However, we've lost 
some budget, and some employees, and they can't keep a guy in the office to 
handle that influx of people anymore. And I don't want the headache of a wide 
open WLAN everywhere, and none of the devices will allow the webauth 
transaction to happen before the device is activated.

Thanks,
--Britton

Britton Anderson | Senior Network Communications Specialist | 
University of Alaska <http://www.alaska.edu/oit> | 907.450.8250

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.