01-12-2020 08:58 PM
I would ideally like to have 3 SSIDs set up. The first will be for all division owned wireless devices, which I would like to have connect automatically, likely by MAC Authentication. The second SSID will be for all AD Users to connect via AD Authentication. The third SSID would be for all school division guests/visitors.
Here are the questions I have.
1 - If I configure MAC Authentication on one SSID, will our division owned wireless devices connect automatically if the SSID is hidden, or will some form of user intervention still be required to connect? We have several mobile labs (laptop carts) that we would like to make sure are connected to the network whenever powered on, to make sure we can remote into them if necessary, but also to make sure that any and all updates we push out are being installed, even when not in use.
2 - What would be the most efficient method to allow guests to connect to our network while being able to identify users, monitor and track user network/internet activity? I would like to ensure staff and students are not connecting to this guest SSID so access will be limited to guests only. One method I considered is creating local AD users, where these usernames and passwords are left with the secretary in each school for convenience purposes, but I am wondering if there is a better way. My understanding is I can set it up so that a staff member has to "sponsor" a user to connect, but I am not sure how secure this is as I believe there are some staff members who would allow students to use their email addresses for this. Some staff members have already given out the current password to students. This is one of the reasons why we are looking to switch to a more secure network configuration.
Thank you for any assistance with this.
01-13-2020 04:20 PM
For your division owned devices, I think MAC auth is still the way to go; you would just need to connect them for the first time. After that, unless they are manually changed to a different network, they should automatically connect to the SSID when it's available. I think you'd need to use Windows groups to manage the updates; that isn't something we'd configure on the Aerohive side of things. This would only get tricky if the division owned devices left the network at night and then returned; in that case the users would have to manually choose to connect to the original SSID again.
For self registration, the user will register themselves and receive a password right away. That password won't be good until the user is approved though, so the employee that you've set up as an approver will still need to approve the user but they won't have to manage passwords.
01-13-2020 04:05 PM
Thank you for this info. Now I guess I am wondering if there might be a better way to approach this.
Ideally, I would like to have all division owned wireless devices connect automatically, so as to be able to download and install Windows and other updates automatically through our Windows Server Update Service (WSUS) overnight without user intervention. However, we would want to prevent users from gaining access to the wireless password and therefore prevent BYOD devices from connecting to the SSID. What would be the best method to approach this?
As for the Employee Approval with Self Registration, my understanding is that when a user enters a staff member's email address, the staff sponsor will be emailed the password, which can then be forwarded to the end user. Is this correct? This might be a good option for guests, as we can add school secretaries to the sub-domain and therefore make them our "Guest Approvers", as all guests must enter and register at the school office upon arrival to any of our schools.
As for any student and staff BYOD devices, I am confident the AD Authentication process will work best for this.
01-13-2020 03:36 PM
For the MAC authentication SSID, users would still need to tell their devices to connect to the SSID. Then their devices would submit their MAC addresses as credentials, but not before the device attempts to connect to the SSID so some manual intervention is required, at least for the initial connection.
For making sure only guests are on the guest SSID, you can set up employee approval self registration for the guest SSID. The problem would be that anyone in your domain can approve requests, so you would run into issues where teachers had the ability to approve students so long as they are in the same domain. However, they won't get the requests directly unless you enter their email address in as an approver in the ExtremeCloud IQ setup, so they'd have to know that they could do this, and the student would have to enter that teacher's email directly rather than just a general registration, so that may not come up very much. Alternatively, if you can create a sub-domain for your guest approvers to use, then only they would have access to approve guest SSID requests.
This guide reviews how to set up Employee Approval in ExtremeCloud IQ: https://thehivecommunity.aerohive.com/s/article/Employee-Approval-with-Self-Registration-SSID-in-NG