Keeping student personal devices from getting an IP address on our wireless network

  • 1
  • Question
  • Updated 1 year ago
I have an SSID on my network that presently allows anyone with a network username and password to log on to our wireless network. The problem is that our students are using up all our DHCP-issued IP addresses with their cell phones, not to mention using our bandwidth. Is there an easy way to allow our school devices to log on to the wireless and receive DHCP addresses as long as the individual has a valid username and password from AD, but keep them from using the same procedure to log on with their personal devices? Any help is appreciated.
Dave Imbrogno

  • 3 Posts
  • 0 Reply Likes

Posted 1 year ago

  • 1
Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
Assuming the school devices are Microsoft, you could do something like 802.1X machine authentication, which the cell phones would not support. Or MAC authentication (listing each MAC in AD).
Dave Imbrogno

  • 3 Posts
  • 0 Reply Likes
Thanks for the answer. Could you tell me how to enable those types of authentication on my SSIDs, or point me to a link that would explain the process? Thanks!
Rob Pritchard

  • 86 Posts
  • 8 Reply Likes
Dave,

My district had the exact same issue about 4 years ago, where one of our schools ran out of IP addresses because students were authenticating their personal devices on our wireless network. As Dianne suggested, you can modify your setup (I'm not an AD expert so I don't know how to do this; we have an AD administrator who did this for us) so that only domain devices can authenticate by device name, and you could also allow staff to authenticate with their username and password, but not students (I do know that our staff and student user accounts are in separate OUs for each school). For our non-Windows devices (Mac computers, iPads, Chromebooks, etc.), we have a generic user account that is like a staff user account to authenticate those devices to our wireless network, since they are not on the domain. We configure those devices before they get to the schools, so we just use the generic account to authenticate that device to the wireless network.
Aaron Valente

  • 42 Posts
  • 3 Reply Likes
Or blacklisting MAC addresses for personal devices on the Aerohive management side. But that is more reactive...
Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
MAC authentication is the easiest to set up, and there's a thread on it here:
https://community.aerohive.com/aerohive/topics/troubleshooting-nps-for-basic-mac-authentication
You should plan on doing a test SSID and making sure the format the APs are sending agrees with the NPS username format (AA:BB:CC:DD:11:22 vs. aabb.ccdd.1122, etc.). You can also use FreeRADIUS or a non-NPS server, but you will have to list/enter the legitimate MAC addresses on whatever server you use.

Machine authentication and/or EAP-TLS have the same Aerohive configuration as your common PEAP, but with those, each machine has a unique cert (machine authentication) and/or user cert (EAP-TLS). Those are more complicated to set up than common PEAP. This shows machine authentication setup:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43486-acs-pe...

MAC authentication (easy) is not the same as machine authentication (complex).
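The username-format mismatch mentioned above (AP sends `AA:BB:CC:DD:11:22`, server has `aabb.ccdd.1122`) is the usual reason a MAC-auth test SSID fails; the added example below, which is not from this thread or from Aerohive, normalizes any common MAC notation, compares it against an allow list, and emits FreeRADIUS `users`-file lines in whichever notation the APs send. It assumes the AP sends the MAC as both username and password (a constructed allow list is embedded), and note that MAC allow lists only stop casual joining, since a MAC is trivially changed on most phones.

```python
import re

_NON_HEX = re.compile(r"[^0-9a-fA-F]")

def normalize_mac(mac: str) -> str:
    """Reduce any notation (colon, hyphen, Cisco dot, bare) to 12 lowercase hex digits."""
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

# Notations an AP or RADIUS server might use for the MAC-as-username.
FORMATS = {
    "colon-upper": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)).upper(),
    "hyphen-upper": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)).upper(),
    "cisco-dot": lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),
    "bare-lower": lambda h: h,
}

def format_mac(mac: str, style: str) -> str:
    """Re-render a MAC in the requested notation."""
    return FORMATS[style](normalize_mac(mac))

# Constructed allow list of school-owned devices, deliberately in mixed notations
# (as it would look after several admins pasted entries from different tools).
ALLOWED_MACS = ["aabb.ccdd.1122", "AA-BB-CC-DD-33-44", "aabbccdd5566"]

def is_authorized(radius_username: str, allowed=ALLOWED_MACS) -> bool:
    """Match the MAC the AP sent against the allow list regardless of notation."""
    try:
        wanted = normalize_mac(radius_username)
    except ValueError:
        return False
    return wanted in {normalize_mac(m) for m in allowed}

def freeradius_users_entries(allowed, style: str) -> list:
    """Produce FreeRADIUS 'users' lines, username == password == MAC in the AP's notation."""
    lines = []
    for mac in allowed:
        rendered = format_mac(mac, style)
        lines.append(f'{rendered}\tCleartext-Password := "{rendered}"')
    return lines

if __name__ == "__main__":
    print("\n".join(freeradius_users_entries(ALLOWED_MACS, "colon-upper")))
```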
Dave Imbrogno

  • 3 Posts
  • 0 Reply Likes
Thanks to all for your help. I will try the MAC authentication when I get some time here. Again, I appreciate all your help!
Kevin Kolb

  • 1 Post
  • 0 Reply Likes
Another way to help in the future is to not broadcast your SSID. It would help prevent any new devices from joining.
mr bee

  • 77 Posts
  • 0 Reply Likes
You can also lower the lease time of the DHCP scope.