Higher Education

Regular Contributor I

Network Access in Dorms

What do you guys do for network access in your dorms?

 

What restrictions do you have?

Do you use the same SSID as Campus?

Do you provide ethernet ports?

How do you handle consoles (xbox, wii, play station)?

What bandwidth do you provide your users with?

How do you handle NATing for dorms?

 

Sorry for all the questions, just wondering what the normal practices are. 

31 REPLIES
Guru Elite

Re: Network Access in Dorms

(These are answers from my former position)

 

- No restrictions

- same SSIDs (eduroam and an open guest/dumb device network)

- No ethernet ports provided

- "Dumb" devices including game consoles and media players connect to the open/guest network

- No bandwidth shaping

- Public addressing, no NAT.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Network Access in Dorms

What restrictions do you have?

     - Only restricting access to fac/staff and server subnets.

 

Do you use the same SSID as Campus?

     - Yes, we use ClearPass with role derivation to drop them into their proper subnets

 

Do you provide ethernet ports?

     - Yes, when we implemented the S3500s, we right-sized the network and only allow for one port per room now.

 

How do you handle consoles (xbox, wii, play station)?

     - They are user registered via a ClearPass portal. They must also be auto-profiled correctly for this to work.

 

What bandwidth do you provide your users with?

     - We don't restrict bandwidth at this time.

 

How do you handle NATing for dorms?

     - All traffic on campus is NATed; the student subnets have a small number of IPs that ALL their traffic is NATed out from.

 

Scott Wolke

Network Engineer

The University of Findlay

Regular Contributor I

Re: Network Access in Dorms

How big are your schools? How many dorm users do you generally see?

 

 

We have about 50 users to our on campus dorms. We are quite small.

 

However, we are a primarily Computer Science school, so the majority of our users have 3 or more devices. 

Occasional Contributor II

Re: Network Access in Dorms

We have a very similar configuration to what Cappalli described.

We have ~26,000 students, of which ~7k live on campus. On an average day we have about 9k devices concurrently connected in housing, and we peak at about 12k at night.

 

Regular Contributor I

Re: Network Access in Dorms

Tim, I know you're the one who normally answers my ClearPass questions, and this is in reference to this post even.

 

With ClearPass, is it possible to use it to fingerprint game consoles, so that we can drop them specifically into a VLAN without captive portal, while having computers in another VLAN with captive portal?

 

So say device X connects to our wireless. I know ClearPass should be able to tell that device X is a game console (it already classifies some endpoints as Game Consoles, Sony and Nintendo). Can we then use that information to put them in a different role assigned to a different VLAN?

 

Any idea on how to get Xboxes to show under Game Consoles as well?

 

I know the typical setup is MAC auth, but if ClearPass is able to determine what is a game console, it feels like that would be even easier on the end user.

MVP

Re: Network Access in Dorms

Perhaps I'm oversimplifying, but the endpoint record in ClearPass should have an accurate device category (e.g., computer, smart device, game console, etc.) as well as detailed information (e.g., Xbox). You can write your enforcement policy to use the Endpoint Database as an authorization source. Doing so, you can have your enforcement policy say "IF game console > role = 'game console'". Then, on your controller, your "game console" role can be configured NOT to have a captive portal profile, as well as to map to whatever VLAN(s) you'd like.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Regular Contributor I

Re: Network Access in Dorms

Thanks for the quick response. This is in line with what I was thinking. There will be some testing, but I think this may be the approach I take. 

 

 

Thanks again!

Guru Elite

Re: Network Access in Dorms

What Ryan said :)

 

You'll just need to ensure profiling is enabled on your service so that new devices that aren't profiled will be bumped and re-auth when they're detected as game consoles.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Network Access in Dorms

My understanding is the Xbox can be tricky because it looks just like a Windows 8 machine (in terms of DHCP fingerprint).

 

If it helps at all, my current setup to skip captive portal for the Xboxes on campus:

 

1. (Authorization:[Endpoints Repository]:Category EQUALS Game Console) 'Role Name' = Gaming Console

2. (Authorization:[Endpoints Repository]:Category EQUALS Computer)
   AND (Authorization:[Endpoints Repository]:Hostname CONTAINS xbox) 'Role Name' = Gaming Console

3. (Endpoint:Enabled Reason CONTAINS Xbox) 'Role Name' = Gaming Console

 

The first mapping seems to catch about a third of the Xboxes (would have to check my numbers). It catches most of the Wiis, PSs, etc.

The second mapping definitely leaves a spot where you could name your computer xbox* and skip captive portal; however, they would have to know that, and I would always be dumping them on the more restricted network anyway, which has a 'gaming' firewall profile. (I believe I can also add that the OS Family has to be Microsoft.) The third mapping is for any that still somehow need a manual setting to be picked up correctly (a very small number seem to slip through, not sure how).

 

Of course 'Gaming Console' needs an enforcement profile:

(for example) Enforcement Profile:
Radius:Aruba Aruba-User-Role = Guest-Gaming

And the Service needs to have an Enforcement Policy that uses them:

(Tips:Role EQUALS Gaming Console) = Guest MAC Caching, Guest Gaming Device
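The two posts above (Ryan's "IF game console > role" outline and the three role-mapping rules plus enforcement profile in the last reply) describe one decision chain: endpoint attributes from the profiler feed a role-mapping policy, the derived Tips:Role drives the enforcement profile that returns Aruba-User-Role, and, as Tim notes, a device that was not yet profiled at first auth has to be bumped and re-authenticated once the profiler reclassifies it. The following is an added toy model of that chain, not ClearPass code or its API. The Endpoint records are constructed inline, the rules are evaluated first-match in the order the post lists them, the role name "Student" and the Aruba-User-Role value "Guest-Captive-Portal" for the non-gaming path are assumed, and CONTAINS is treated as case-insensitive (an assumption). It also carries the thread's own caveat through: a laptop whose hostname contains "xbox" hits rule 2, and the poster's suggested tightening (OS Family must be Microsoft) closes that gap.

```python
"""Toy model of the ClearPass role-mapping and enforcement logic described
in the thread.  Added illustration; not ClearPass code or its API.
Assumptions: first-match rule order, case-insensitive CONTAINS, and the
names 'Student' / 'Guest-Captive-Portal' for the captive-portal path."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Subset of an Endpoints Repository record (constructed, not a real export)."""
    mac: str
    category: str = "Unknown"      # [Endpoints Repository]:Category (profiler output)
    os_family: str = ""            # [Endpoints Repository]:OS Family
    hostname: str = ""             # [Endpoints Repository]:Hostname (DHCP option 12)
    enabled_reason: str = ""       # Endpoint:Enabled Reason (free text set by an admin)


GAMING = "Gaming Console"
DEFAULT_ROLE = "Student"                 # assumed name for the captive-portal role

# Enforcement profiles: derived Tips:Role -> Aruba-User-Role returned in RADIUS.
# 'Guest-Gaming' is the value from the post; 'Guest-Captive-Portal' is assumed.
ENFORCEMENT = {GAMING: "Guest-Gaming", DEFAULT_ROLE: "Guest-Captive-Portal"}


def rule_category(ep: Endpoint) -> bool:
    """Rule 1: profiler already classified the device as a game console."""
    return ep.category == "Game Console"


def rule_hostname(ep: Endpoint, require_microsoft: bool = False) -> bool:
    """Rule 2: profiled as a Computer (Xbox DHCP fingerprint looks like Windows)
    but the hostname contains 'xbox'.  require_microsoft adds the OS Family
    check the poster mentions, which stops a renamed non-Windows laptop."""
    if ep.category != "Computer" or "xbox" not in ep.hostname.lower():
        return False
    return ep.os_family == "Microsoft" if require_microsoft else True


def rule_enabled_reason(ep: Endpoint) -> bool:
    """Rule 3: manual override recorded by an admin in Enabled Reason."""
    return "xbox" in ep.enabled_reason.lower()


def map_role(ep: Endpoint, strict: bool = False) -> str:
    """Role-mapping policy, first applicable rule wins (assumed order)."""
    if rule_category(ep) or rule_hostname(ep, strict) or rule_enabled_reason(ep):
        return GAMING
    return DEFAULT_ROLE


def enforce(ep: Endpoint, strict: bool = False) -> dict:
    """Enforcement policy: Tips:Role selects the profile, which sets Aruba-User-Role."""
    role = map_role(ep, strict)
    return {"Tips:Role": role, "Aruba-User-Role": ENFORCEMENT[role]}


def profile_update(ep: Endpoint, new_category: str, strict: bool = False):
    """Simulate the profiler reclassifying an endpoint after its first auth.
    Returns (attributes after reclassification, needs_reauth).  needs_reauth
    is True when the derived Aruba-User-Role changed, i.e. the case where
    ClearPass must bump the session so the new role takes effect."""
    before = enforce(ep, strict)
    ep.category = new_category
    after = enforce(ep, strict)
    return after, after["Aruba-User-Role"] != before["Aruba-User-Role"]


if __name__ == "__main__":
    # Constructed sample endpoints.
    ps4 = Endpoint("00:d9:d1:aa:bb:cc", category="Game Console")
    xbox = Endpoint("7c:ed:8d:11:22:33", category="Computer",
                    os_family="Microsoft", hostname="XBOX-ONE")
    macbook = Endpoint("a4:83:e7:44:55:66", category="Computer",
                       os_family="Apple", hostname="xbox-fanboy-mbp")
    print("ps4     ", enforce(ps4))
    print("xbox    ", enforce(xbox))
    print("macbook ", enforce(macbook), "<- rule 2 spoofed")
    print("macbook ", enforce(macbook, strict=True), "<- with OS Family check")
    fresh = Endpoint("aa:bb:cc:dd:ee:ff")          # unprofiled at first auth
    print("reprofile", profile_update(fresh, "Game Console"))
```

The strict flag is the interesting knob: without it, rule 2 is only a hostname string match and any client that sets a DHCP hostname containing "xbox" lands in Guest-Gaming without seeing the captive portal, which is why the poster parks that role on a restricted network with its own firewall profile. The profile_update result shows why profiling must be enabled on the service: the fresh endpoint first derives the captive-portal role, and only a re-auth after reclassification moves it to Guest-Gaming.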
