I'm a little late to the party, but as Bruce alluded to I'm not certain what wireless solution you're using. But in our case, we have a similar setup with different security rules in our student network. We actually carve off their network in a separate VRF and control their traffic routes. To make that work on wireless, we've done two things. In the larger dorms where they're routing at the building, we put their APs in FlexConnect mode and drop their wireless traffic into the building network. For the smaller dorms where routing isn't present, we have a separate network presented to our production controllers inside the Student VRF and broadcast the same SSID's tied to this network via AP groups only containing APs in those residence hall spaces.
This gets a little weird sometimes with some dorms being physically close to staff spaces. But we work with those on a case by case basis. Most of our buildings are concrete, so that doesn't happen often... Britton Anderson <[email protected]> | Senior Network Communications Specialist | University of Alaska <http://www.alaska.edu/oit> | 907.450.8250 On Thu, Mar 12, 2015 at 4:41 AM, Osborne, Bruce W (Network Services) < [email protected]> wrote: > Hector, > > > > You do not say what wireless solution you are using. Let me assume a Cisco > or Aruba controller based solution. You can have vlans from your controller > tunnel to an anchor controller in a DMZ. Use 802.1X authentication based > on AD groups. > > > > This solution permits controlled internal access and, if you desire, > unfiltered Internet access. Until recently, we did something similar with > our open Guest wireless network on our Aruba system. We now use a different > solution for this. > > > > The anchor controller idea was based on Cisco wireless training several > years ago. At that time, it was their recommended guest solution. > > > > *Bruce Osborne* > > *Wireless Engineer* > > *IT Infrastructure & Media Solutions* > > > > *(434) 592-4229 <%28434%29%20592-4229>* > > > > *LIBERTY UNIVERSITY* > > *Training Champions for Christ since 1971* > > > > *From:* Hector J Rios [mailto:[email protected]] > *Sent:* Wednesday, March 11, 2015 9:48 AM > *Subject:* ResHall Wireless > > > > I’m wondering how many of you treat the wireless in the ResHalls > differently from the wireless on the rest of your campus. In terms of > geography, we have 21 ResHalls that are in the perimeter of our campus. > Some of these buildings are next to academic or administrative buildings. > Eduroam is our main SSID. So, for the longest time it has only made sense > to broadcast eduroam everywhere. Now, on the wired side of the house, our > ResHalls have a dedicated connection that gives them direct, non-firewall > access to the internet (for access to campus resources, a student must > VPN). This came about as a request from the students to have more freedom > in their residence. Makes sense. But wireless is different as it goes > through our campus core, traverses our perimeter firewall, and goes out our > main internet connection. > > > > I’ve struggled to find an alternative solution to this. We recognize that > students in ResHalls are different in the sense that they pay for a place > to live and should get an internet service that is similar to their home > service. However, any alternatives that we have considered (separate SSID, > dynamic VLAN assignment, user groups) just seem to complicate the setup. > > > > Any good ideas out there or creative ways in which you have tackled this > challenge? > > > > Thanks, > > > > Hector Rios, CCNP, CCA > > Assistant Director, Network Engineering > > Dept. of Networking and Infrastructure > > Information Technology Services > > Louisiana State University > > > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
