Students now authenticating with their own iPad - need advice on authenticating.

  • 2
  • Question
  • Updated 2 years ago
We have tried different ways to authenticate to our network, PPSK worked, but it's too time consuming to set up. I'm sure the students were forgetting their credentials intentionally. The issue we have now is students are showing up with their own iPads and passing them off as school iPads. I'm looking for an easy solution on how to authenticate to the Wifi, for our devices only. I am using JAMF as my mdm, which is fairly powerful. Thanks.
Photo of James Watson

James Watson

  • 16 Posts
  • 3 Reply Likes

Posted 3 years ago

  • 2
Photo of Sjoerd de Jong

Sjoerd de Jong, Employee

  • 97 Posts
  • 20 Reply Likes
If the students are registered in Active Directory (AD), you can authenticatie them using their school username/password. You can use AD directly, or a Radius server in between (i prefer that method).

You can also connect your MDM solution to your AD and Certificate Authority (CA) so it can request device certificates from your CA and push them to the devices so they can log on using EAP TLS (authentication based on user/device certificates).
Photo of Kenta Ito

Kenta Ito

  • 3 Posts
  • 0 Reply Likes
Can you use aerohive as a CA? how would I go about doing this?
Photo of James Watson

James Watson

  • 16 Posts
  • 3 Reply Likes
No Active Directory I am afraid, plus we would like other devices to join the network so can't use mdm this way.
Photo of Donald Bauch

Donald Bauch

  • 1 Post
  • 0 Reply Likes

We use PPSK at our school and have their key as their "Username-Password" so it is a unique key that is easy to remember. We limit them to two devices per key, one for their phone the other for their BYOD device. Yes, if they share their info that other person now also has their wifi key, but most won't because it will take away their access to the wifi. If they do it goes to Discipline.

Is using their own device against school policy?
Is using the PSK wifi key against school policy? 

If it against school policy it is a Discipline issue, not a Tech issue. 

Really Quick, requires Discipline Dept:
Look at the DHCP and tell who is not a school iPad by their IP address. Use Aerohive to track them down and hand the issue over to your Discipline department. We use Aerohive all the time when students lose phones, someone is stupid enough to steal a device, or we have a rogue device we want to match to a name. We do a Report on the client and export the info into excel. We have WAPs in each classroom, use the room numbers and look at the roster. Use the rosters for each period and see which name is on each of them.

Quick, Dirty, Cheap doesn't require Discipline Dept: 
I would recover all of my iPads after school/Saturday. We use Windows server for DHCP. I would delete all the leases and join each iPads so they get new sequential leases. Either set the lease to about 3 months AND/OR right click each entry and have it "Add to Reservation" (much faster and easier than manually entering in reservations). With an IP range you can set your Firewall to only allow your devices. If you get new devices, clear the non-school devices, add the new ones, set the reservations, and expand the firewall IP range.

They will stop using the key, problem is they will start using their own Hotspots which is a different problem, BUT it is a Discipline problem. Even if you don't have much backing from the administration, admins really don't like when they have wifi problems, just explain that Hotspots make their wifi less reliable.
Photo of Aaron Storey

Aaron Storey

  • 32 Posts
  • 8 Reply Likes
You can push the network and password out from the MDM and don't have to give it to them. It does require a bit of SDID shuffle in order to change a network password and push it out but it's possible. Since they are all ready authenticating to one SSID then create a new SSID with an unknown password. Push that out through MDM. Once you think enough time has passed and all devices got the profile update with the new password you can delete the old SSID or change the password to that one and then push it out. Then get rid of the secondary one .
Photo of Kevin Whelan

Kevin Whelan

  • 53 Posts
  • 2 Reply Likes
you can authenticate by mac address list,so only your machines can join