Howdy folks,
Need to pick your collective brains on a project one of my clients has tasked me with, trying to sort out an option that can hopefully hit that golden zone of being easy to run, cheap to implement, and reliable.
So to put a face on this project, it's for a small rural summer bible camp. So we aren't talking about a camp with big church bank accounts behind it.
They have a pretty simple network:
- ISP (Just got them going with Starlink)
- Starlink router
- an old Belkin router (getting swapped out for an 8 port switch)
- 2 outdoor APs (broadcasting 4 SSIDs)
Now the camp staff have outlined that they want one Wi-Fi network for adult staff, one for youth staff, and a hidden one for a camper who has a Wi-Fi-enabled medical device. I know I mentioned 4 SSIDs, but more on that later.
So far, the adult staff have followed the rules and haven't shared their Wi-Fi credentials. However, the youth/student staff have figured out that they can share the Wi-Fi connection with the campers, either by showing the credentials or a QR code. So the camp is having a heck of a time keeping these kids off their mobile devices and keeping to the camp routine. They are trying to avoid letting youth staff go for not following the rules, so I don't believe they want to go the hard-stance route.
So I'm looking for device suggestions that will be easy for the camp admin office staff to use so that they can keep the devices on the network on a short leash. I'm thinking it's going to be some sort of username/password setup, or maybe it needs to be based on the MAC address of the device connecting.
I will post the model numbers of the APs later, but they are from EnGenius.
11 Spice ups
There are two ways I can think of to do something like this: through MAC filtering, or by using a certificate to authenticate.
5 Spice ups
Rod-IT (post 3):
I would say you need to look at a captive portal. This won't stop anyone using the Wi-Fi, but you can limit each 'token' ('key', 'code') to 1 session, so each user must get their own.
From here, you can also block devices.
Captive Portal | Cloud User Manual
16 Spice ups
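The one-session-per-token rule Rod-IT describes, written out as an added illustration (this is not the vendor's portal code, and the token length, 12-hour session lifetime and the idea of binding a token to whatever client identifier the portal sees, typically the MAC address, are assumptions). The first device to redeem a token gets bound to it; any other device presenting the same token is refused, and an admin can block a device, which also ends its session:

```python
"""Toy captive-portal token store: one client per token, admin can block a device.

Added example, not code from the thread or from any captive-portal product.
Assumptions: tokens are short URL-safe strings handed out by the office,
a redeemed token stays valid for TOKEN_TTL seconds, and the portal identifies
clients by a string such as the MAC address it sees at the gateway.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 12 * 3600  # seconds a redeemed token stays valid (assumed policy)


class TokenStore:
    def __init__(self, now=time.time):
        self.now = now             # injectable clock, so expiry can be tested
        self._tokens = {}          # sha256(token) -> {"bound_to": str|None, "expires": float|None}
        self._blocked = set()      # client ids an admin has blocked

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked database does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self):
        """Create a fresh, unbound token and return it for printing on a card."""
        token = secrets.token_urlsafe(6)   # 8 chars, plenty for a one-week roster
        self._tokens[self._digest(token)] = {"bound_to": None, "expires": None}
        return token

    def redeem(self, token, client_id):
        """Return (allowed, reason). First redeemer is bound; others are refused."""
        if client_id in self._blocked:
            return False, "client blocked"
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return False, "unknown token"
        now = self.now()
        if rec["bound_to"] is None:
            rec["bound_to"] = client_id            # bind on first use
            rec["expires"] = now + TOKEN_TTL
            return True, "session started"
        if rec["bound_to"] != client_id:
            return False, "token already in use by another device"
        if now > rec["expires"]:
            return False, "session expired"
        return True, "session resumed"

    def block(self, client_id):
        """Block a device and immediately end any session bound to it."""
        self._blocked.add(client_id)
        for rec in self._tokens.values():
            if rec["bound_to"] == client_id:
                rec["expires"] = 0.0


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue()
    print("card token:", t)
    print(store.redeem(t, "9c:b6:d0:11:22:33"))   # first device: session started
    print(store.redeem(t, "3a:1f:9c:22:b0:11"))   # shared to a camper: refused
```

Caveat a practitioner will hit at once: if the client identifier is the MAC address, a phone using per-network MAC randomisation usually keeps the same address for a given SSID, so the binding holds, but a device that rotates its address will look like a new client and be refused, which is why real portals normally fall back to a browser cookie or a second confirmation rather than the MAC alone.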
MAC filtering is not something I would consider. It is impossible to maintain, and its effectiveness is about the same as closing your car door but leaving the window all the way open: it only keeps the honest people out.
Perhaps a RADIUS type solution? The initial setup would be a bit of work, but once configured the maintenance on it would be limited to managing user accounts in some way.
4 Spice ups
mike00 (post 6):
I don't think RADIUS or MAC filtering is really feasible to keep up long term, especially on modern phones, which now randomize the MAC address on each connection.
@Rod-IT’s suggestion seems to be the best. A captive portal that then limits the connection to a single device per token.
Another simpler option would be to have a unique PPSK per person. This does not prevent sharing, but it does allow you to figure out which person is sharing their key, or sharing the wifi connection.
4 Spice ups
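Two points from this post and mike00's earlier one can be checked against AP logs with a few lines of code: which per-person PPSK is being used by more than one device, and how many of those devices show a randomized (locally administered) MAC. The log lines below are constructed for this added example, not taken from EnGenius or any real controller, and the `psk=` field naming is an assumption; the locally-administered test itself is standard (bit 1 of the first octet set), which is how randomized addresses are marked:

```python
"""Find PPSKs used by more than one device and count randomized MACs among them.

Added example; the association log format below is made up for illustration.
Most phones keep a stable randomized MAC per SSID, so counting distinct MACs
per PPSK is still a usable sharing signal, but randomization is exactly why a
MAC allow-list drifts out of date.
"""
import re
from collections import defaultdict

# Constructed sample: three different devices on jordan's key, priya reconnects once.
SAMPLE_LOG = """\
2020-07-14T13:02:11 assoc ssid=YouthStaff psk=jordan client=9c:b6:d0:11:22:33
2020-07-14T13:05:42 assoc ssid=YouthStaff psk=jordan client=3a:1f:9c:22:b0:11
2020-07-14T13:06:03 assoc ssid=YouthStaff psk=jordan client=7e:42:aa:0c:de:9f
2020-07-14T13:07:30 assoc ssid=YouthStaff psk=priya client=f0:18:98:44:55:66
2020-07-14T13:09:12 assoc ssid=AdultStaff psk=mark client=f4:5c:89:77:88:99
2020-07-14T13:11:50 assoc ssid=YouthStaff psk=priya client=f0:18:98:44:55:66
this line is garbage and must be skipped
"""

LINE = re.compile(
    r"^(?P<ts>\S+) assoc ssid=(?P<ssid>\S+) psk=(?P<psk>\S+) client=(?P<mac>[0-9a-f:]{17})$"
)


def is_locally_administered(mac):
    """True if the MAC is locally administered (bit 1 of octet 0), i.e. randomized."""
    first_octet = int(mac.split(":")[0], 16)
    return (first_octet & 0x02) != 0


def clients_per_psk(log):
    """Map (ssid, psk) -> set of distinct client MACs seen on that key."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue          # tolerate unrelated log lines
        seen[(m["ssid"], m["psk"])].add(m["mac"])
    return seen


def suspected_sharers(log, max_devices=1):
    """Return {psk: {...}} for keys seen on more devices than max_devices."""
    flagged = {}
    for (ssid, psk), macs in clients_per_psk(log).items():
        if len(macs) > max_devices:
            flagged[psk] = {
                "ssid": ssid,
                "devices": len(macs),
                "randomized": sum(is_locally_administered(m) for m in macs),
            }
    return flagged


if __name__ == "__main__":
    for psk, info in suspected_sharers(SAMPLE_LOG).items():
        print(f"{psk}: {info['devices']} devices on {info['ssid']}, "
              f"{info['randomized']} with randomized MACs")
```

Run against real controller output you would only need to adjust the regex; the decision logic (distinct clients per key, locally administered bit) does not depend on the vendor.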
chivo243 (post 7):
Limit the DHCP scope addressing for the youth staff to the amount of youth staff? One device per staff member? When the pool is empty, no internet for you!
8 Spice ups
This is the best solution, assuming the AP controller has the ability to do that, but it would have had to be done before camp started. Camps are usually a week, two at most, so being this far into it with only a short while to go, the best bet is something like I mentioned: quick and dirty, drop speeds on a schedule to the bare minimum, then kick known campers off the APs when able and blame it on instability. Next year, however, start with a more advanced portal option that prevents it from the get-go.
1 Spice up
Rod-IT (post 9):
Especially with private addressing or randomized MACs.
Which, in themselves, also create nightmares for APs.
2 Spice ups
mike00 (post 10):
A big problem we aren't considering, though, is that many premium Android devices can act as a Wi-Fi repeater. So you stay connected to the Wi-Fi and then broadcast your own SSID that pumps the data through that same Wi-Fi. In this case you will never see the other devices in DHCP, they don't get forced to the captive portal, etc. Everything is NATed behind your Android. Not sure if you want to plan for this circumstance, but it's something to consider.
6 Spice ups
Again, drop the SSID speed to useless levels. Someone using a phone as a repeater will themselves be frustrated at the speeds they're getting and be unable to connect anyone else to it anyway.
4 Spice ups
Rod-IT (post 12):
True as this is, this is outside the scope of what we've been asked. It's also hard, if not impossible, to dictate what others do with their devices.
Given why one might need to use campus Wi-Fi, as noted by @Jay-Updegrove, combine the portal with a rate limit. If the users are generally surfing, Facebook, email etc., then 1 Mbit/s per user should be plenty, better yet 512 kbit/s. Speed shouldn't be too important, but perhaps the users can pay a small premium to get a faster speed; this may also stop them sharing if they have to pay.
3 Spice ups
Given the available hardware your options are severely limited. If I were managing the camp and had no more control of the situation than this, I’d seriously consider adopting a “no WiFi for you” rule.
Have a sit-down with all student/youth staffers. Communicate that this is a problem, the why behind it (goals of the camp, limited tech), and advise that the password is being changed. The very next time it's shared, all Wi-Fi for student/youth staffers will be turned off for everyone.
Granted, one person screws it up for everyone, but that's how it goes sometimes. If communication is required between staffers and management, get some inexpensive FRS radios with encryption.
5 Spice ups
But this is already 2020 and there is literally 99% data coverage as long as you have mobile coverage, so is Wi-Fi still required for mobile devices?
Then is the Wi-Fi for "entertainment purposes" if it's released to users?
The issue is that users may not understand that the "600 Mbps Wi-Fi" is going to be shared between tens or hundreds of people, and is not mainly for admins and/or emergency cases.
I also do not understand why MAC addresses are a bad idea.
It can be a one-time pain, as admins and adults need to link their phones once, then the admin allows those devices, and then it's good to go?
Then for the youth staff, give them each a different ID (with password) on another SSID. Then see which IDs have multiple logins, warn those staff and tell them why not to share with campers, and worse, block them as well if they do not heed the warnings.
2 Spice ups
Rod-IT (post 15):
Just because mobile data is everywhere doesn't mean Wi-Fi should be discarded. It's cheaper for 50 people to share a Wi-Fi connection with one subscription than for 50 people to pay for their own data plan, no matter how small.
If Wi-Fi was as bad as you are painting it, no businesses would use it, including hotels, trains and other public transport.
I already posted a reason why: private addressing and random MAC addressing (iOS and Windows/Android), not to mention it's easily spoofed, including by the examples just mentioned.
2 Spice ups
But it is a camp, which differs from trains or planes etc., where in this case the aim was to discourage campers from using Wi-Fi for "entertainment"?
For a bible or church camp? If it's an IT or tech camp, maybe it's "easy" to spoof.
Then "cost" is always an issue for setting up stringent or strict Wi-Fi usage.
All they probably want is the Wi-Fi for the admin staff and "camp leaders", but the "camp leaders" are giving out the Wi-Fi access credentials?
2 Spice ups
Andrew_F (post 17):
You haven’t said how many legitimate client devices there are.
If IT was administering it, then MAC addresses would be a cheap way of restricting initially; I hadn't thought of MAC address randomising. The problem is when non-IT people are administering it: you're going to end up giving admin access to devices so they can maintain it, but will it be understood and clear what is needed? And, as others have said, it's pretty easy to bypass once you know how it's restricted.
The problem is really, using IT solutions to enforce “the rules”. I do a bit of cycle coaching and I have 1 rule - Smile and have fun - that’s it. OK, advantage is that the kids are on their bikes, but if they’re not enjoying it then something needs to change otherwise they disengage and it’s pointless any of us being there.
Ideally, you should be able to have open WiFi (assuming no usable mobile signal) and trust that nobody is abusing it. If they are using their devices rather than engaging in other activities then perhaps the focus of the other activities needs to be addressed to make them more attractive.
This is a camp where people attend voluntarily, isn't it? It's not something where they're forced to attend to detox. Putting rules in place and telling people what they can't do is not necessarily the way to get their attention. It's OK having routine and etiquette; you're more likely to get cooperation and adherence to the routine if the participants feel trusted.
Perhaps the simplest way to achieve their goal is to ask the participants to hand in their devices to start with.
4 Spice ups
That could be one of the easiest methods: keep phones from 7am to 8pm (like before brekkie and return after dinner).
Or, like I mentioned, just enforce rules on the "camp leaders" not to share the Wi-Fi credentials?
But as with many organizations (business or otherwise), people do not want to be the "bad cop", so they assign the task to IT?
2 Spice ups
Rod-IT (post 19):
So, what you are saying is, religious people either don’t do bad things or don’t know enough technically to be able to do or want to do this?
It's often those in plain sight that are missed; remember, most hacks come from inside one way or another. But go with your gut; if you have a different view, that's fine.
I've given my view on how to handle this; it's the OP's decision whether this is viable or not.
I'm not getting into a debate about telling the patrons to use their own devices' data plan or not to use their devices at all, nor am I here to argue about the ability of people based on assumption.
Good luck to the op.
3 Spice ups
These "church" camps are often in areas of spotty to no cell service. Very often, describing them as "rural" would be generous, as they're miles from the nearest town.
5 Spice ups