[SOLVED] Create My Own Access Point With Unchanging Subnet

[Appellus]

I currently am attending University and living in residence, where they have a WPA2-Enterprise network that uses our uni email/password to validate, as well as a WPA2 PSK for non-enterprise devices. To connect to the non-enterprise network, you need to register the device's MAC address, then it assigns you a random password to login to the SSID. When I first tried to hook up my Google Home and Chromecast to the non-Enterprise network, I found myself usually unable to even get past set-up and when I did (rarely), my phones/tablets were unable to see them while on said non-enterprise network.

After some troubleshooting and asking around, I finally got a straight answer from the IT admin that it has to do with the fact the non-enterprise network utilizes a changing subnet. I'm not super literate on network lingo so I wasn't totally sure what that meant. I've looked around and it seems a possible solution would be to register my own router as an access point to the non-enterprise SSID and assign it a non-changing subnet, passing all the traffic through there and making it appear to the uni router that it is just traffic from one device. There's no housing rules against me setting this up and I would have it locked down so that only I would be able to attach devices to the ad-hoc router. Asking them to change their entire network strategy is a little out of the question given how large the campus is. Would this be possible/how would one even go about doing it? Apologies for the intro level post.

 

[kanewolf]

I currently am attending University and living in residence, where they have a WPA2-Enterprise network that uses our uni email/password to validate, as well as a WPA2 PSK for non-enterprise devices. To connect to the non-enterprise network, you need to register the device's MAC address, then it assigns you a random password to login to the SSID. When I first tried to hook up my Google Home and Chromecast to the non-Enterprise network, I found myself usually unable to even get past set-up and when I did (rarely), my phones/tablets were unable to see them while on said non-enterprise network.

After some troubleshooting and asking around, I finally got a straight answer from the IT admin that it has to do with the fact the non-enterprise network utilizes a changing subnet. I'm not super literate on network lingo so I wasn't totally sure what that meant. I've looked around and it seems a possible solution would be to register my own router as an access point to the non-enterprise SSID and assign it a non-changing subnet, passing all the traffic through there and making it appear to the uni router that it is just traffic from one device. There's no rules against me setting this up and I would have it locked down so that only I would be able to attach devices to the ad-hoc router. Asking them to change their entire network strategy is a little out of the question given how large the campus is. Would this be possible/how would one even go about doing it? Apologies for the intro level post.

You need to check your housing rules first. Most places frown on independent WIFI sources because they are weaknesses in the network.

 

[bill001g]

I would be surprised when they have something as secure as they do setup that they would let you hook up other stuff.

Enterprise mode is actually designed to prevent you from doing exactly what you are proposing so you are somewhat lucky that they have the other system. I am going to bet the problem is not different subnets, you can easily see the ip addresses and tell. I bet they have the feature called wireless isolation turned on that prevent wifi clients from talking to each other. This is to protect machines from being hacked by other machines. So even though it prevents your devices from seeing each other it also prevent other people from seeing your devices also.

You need to do some more research it is not a AP that you need to run and they may have other setting that will make this challenge.

Still lets say the idiot down the hall does the same thing but he is really stupid. He hooks it up and then leaves wifi completely open and unprotected. Now anyone sitting in the parking lot can get into the network and attempt to hack on both the college network as well as hack on any of your machines that they can see.

So their security now becomes only as good as some idiot who blindly followed a youtube.

This tends to be why even where it is technically possible they have rules that do not allow it. They can go to 100% enterprise mode and then it becomes almost impossible but as they have found out they have to trade off security for usability.

If I was them I would allow it only if you sign a paper that says that if what you put in compromises security they can kick you out of school and sue you for all damages. Most people are not that confident on their skills on wifi setup to take that risk. They know the mac address that all the bad stuff is coming from so it is not like you will not get found out.

 

[Appellus]

I would be surprised when they have something as secure as they do setup that they would let you hook up other stuff.

Enterprise mode is actually designed to prevent you from doing exactly what you are proposing so you are somewhat lucky that they have the other system. I am going to bet the problem is not different subnets, you can easily see the ip addresses and tell. I bet they have the feature called wireless isolation turned on that prevent wifi clients from talking to each other. This is to protect machines from being hacked by other machines. So even though it prevents your devices from seeing each other it also prevent other people from seeing your devices also.

You need to do some more research it is not a AP that you need to run and they may have other setting that will make this challenge.

Still lets say the idiot down the hall does the same thing but he is really stupid. He hooks it up and then leaves wifi completely open and unprotected. Now anyone sitting in the parking lot can get into the network and attempt to hack on both the college network as well as hack on any of your machines that they can see.

So their security now becomes only as good as some idiot who blindly followed a youtube.

This tends to be why even where it is technically possible they have rules that do not allow it. They can go to 100% enterprise mode and then it becomes almost impossible but as they have found out they have to trade off security for usability.

If I was them I would allow it only if you sign a paper that says that if what you put in compromises security they can kick you out of school and sue you for all damages. Most people are not that confident on their skills on wifi setup to take that risk. They know the mac address that all the bad stuff is coming from so it is not like you will not get found out.

How would I go about checking if it is this "wireless isolation"? I have had success in the past where I have seen my ChromeCast/Google Home on a network and been able to cast to it, but it was spotty at best. Most of the time, the device gets set up and then I can no longer "see" it on my phones Google app.

 

[bill001g]

It is pretty easy to check wireless isolation. Can you ping between the ping addresses.

Chromecast likely has other issues running on a network like that. It uses multicast and UPnP. Not sure if that is your issue and what it uses these for. You are likely never going to get them to enable multicast and UPnP many times is not enabled on a university because you can use it for denial of service attacks against other users.

Things like chromecast are designed to run in someone house. Even if you were to get it to work you likely take the risk that someone can hack your equipment. It is not designed to protect you from other people you live with, and in your case it is lots of people you do not actually know.