- Dec 4, 2013
- 13
- 0
- 10,510
I'm the I.T. Director and I work for a school (7th-12th grade) in Mexico (read as "little to no budget") When I was hired in they had;
150 students and about 50 staff member in the school, all use the Wi-Fi network. The students and/or staff bring their own laptop, Kindle, Macintosh, IPAD, Cell phones (or whatever they have) to use on the network. On these devices for O.S.'s we have Win XP, Vista, Win 7, Win 8, Win 8.1, Macintosh (four flavors) They had 4 servers for administrative needs set up with DHCP (not served out statically) no one could find the servers so they stopped using them. (no possibility of running a true domain on the network)
They had two Telmex (DLS modems) running DHCP with the same gateway (172.168.1.254 YUP!) plugged into the network both running DHCP and serving out the same IP pool range. from 172.168.1.100 to 172.168.1.250. (150 IP's served out with a 4 day lease time)
Each student and teacher/staff had at least one laptop one cell phone and a few had an IPAD also. So when I come they had approximately 450 to 480 devices on this network fighting for the 150 IP's with a 4 day lease. Needless to say this did not work well and they had been dealing with it over 3 years.
It was a flat network with 9 A.P.'s for all connections with the exception of 24 wired connections for administrative needs.
24 wired connections to one 24 port unmanaged switch. 10/100/Gig
6 A.P.'s on a 16 port unmanaged switch. 10/100/Gig
3 A.P.'s on another 16 port unmanaged switch. 10/100
All of this was set up by a "network architect" from Guadalajara Mexico and I inherited the network this way.) I was given no password for any device or server as the school did not keep the records very well.
I reset and reconfigured all A.P.'s and reloaded the servers and gained access to all. I set the IP's on the A.P.'s and server in the range of 172.168.1.2 to 172.168.1.30 I hard coded the IP's in the servers and mapped network drives on admin computers.
I installed a "TP Link TL-R470Tt+" Load balancing DSL firewall, router, Gateway to get rid of the two Gateways and double the internet download speeds (I did shut of the DHCP on this device).
I installed "OpenDHCP" on one server to serve out IP's by MAC to IP to User. This way I can see what student is causing problems in the logs.
The servers and administration personnel are on the 172.168.1.X network
The students are on the 172.168.2.X network
The teacher/administration Cell Phone are on the 172.168.3.X network
Here is what the config looks like:
Domain=172.168.1.0
Mask=255.255.0.0
#Admin/Staff
DHCP Range =172.168.1.30 - 172.168.1.250
#Students
DHCP Range =172.168.2.1 - 172.168.2.250
#Cell Phones
DHCP Range =172.168.3.1 - 172.168.3.250
[01-23-45-67-89-ab]
IP=172.168.1.24
HostName=John Walker
#Entries without IP and HostName will not receive an IP to stop unauthorized computers.
[04-23-44-67-19-ac]
I added all known unauthorized MAC's. Now it's over 200 unauthorized MAC's on this list.
With OPENDHCP the logs shows the Mac to IP to User Name. (this is very helpful)
Authentication is done on the A.P.'s (EAP300 Engenius) with the same key for staff and students. (at one time it was separate keys but within one week the teachers would give the password to the students so I gave up. No support from Admin)
This worked fine until the students found out all the have to do is hard code the IP into their unauthorized computer or phone and now they get on the network. So I started blocking unwanted MAC addresses on each A.P. Then the students started spoofing the Mac addresses. I have a limit of 32 Mac's that I can block or allow on the A.P. (I've reach well over the limit of 32) I can't use the "allow Mac's" on the A.P. because I have over 32 that need to access each A.P. at any given time.
So now I'm seeking advice! Will something like FreeRADIUS work for Authenticating the Wi-Fi users or will I need to install something on the client side also? (in that I can't do.) Does anyone have anything they can suggest for me to do?
150 students and about 50 staff member in the school, all use the Wi-Fi network. The students and/or staff bring their own laptop, Kindle, Macintosh, IPAD, Cell phones (or whatever they have) to use on the network. On these devices for O.S.'s we have Win XP, Vista, Win 7, Win 8, Win 8.1, Macintosh (four flavors) They had 4 servers for administrative needs set up with DHCP (not served out statically) no one could find the servers so they stopped using them. (no possibility of running a true domain on the network)
They had two Telmex (DLS modems) running DHCP with the same gateway (172.168.1.254 YUP!) plugged into the network both running DHCP and serving out the same IP pool range. from 172.168.1.100 to 172.168.1.250. (150 IP's served out with a 4 day lease time)
Each student and teacher/staff had at least one laptop one cell phone and a few had an IPAD also. So when I come they had approximately 450 to 480 devices on this network fighting for the 150 IP's with a 4 day lease. Needless to say this did not work well and they had been dealing with it over 3 years.
It was a flat network with 9 A.P.'s for all connections with the exception of 24 wired connections for administrative needs.
24 wired connections to one 24 port unmanaged switch. 10/100/Gig
6 A.P.'s on a 16 port unmanaged switch. 10/100/Gig
3 A.P.'s on another 16 port unmanaged switch. 10/100
All of this was set up by a "network architect" from Guadalajara Mexico and I inherited the network this way.) I was given no password for any device or server as the school did not keep the records very well.
I reset and reconfigured all A.P.'s and reloaded the servers and gained access to all. I set the IP's on the A.P.'s and server in the range of 172.168.1.2 to 172.168.1.30 I hard coded the IP's in the servers and mapped network drives on admin computers.
I installed a "TP Link TL-R470Tt+" Load balancing DSL firewall, router, Gateway to get rid of the two Gateways and double the internet download speeds (I did shut of the DHCP on this device).
I installed "OpenDHCP" on one server to serve out IP's by MAC to IP to User. This way I can see what student is causing problems in the logs.
The servers and administration personnel are on the 172.168.1.X network
The students are on the 172.168.2.X network
The teacher/administration Cell Phone are on the 172.168.3.X network
Here is what the config looks like:
Domain=172.168.1.0
Mask=255.255.0.0
#Admin/Staff
DHCP Range =172.168.1.30 - 172.168.1.250
#Students
DHCP Range =172.168.2.1 - 172.168.2.250
#Cell Phones
DHCP Range =172.168.3.1 - 172.168.3.250
[01-23-45-67-89-ab]
IP=172.168.1.24
HostName=John Walker
#Entries without IP and HostName will not receive an IP to stop unauthorized computers.
[04-23-44-67-19-ac]
I added all known unauthorized MAC's. Now it's over 200 unauthorized MAC's on this list.
With OPENDHCP the logs shows the Mac to IP to User Name. (this is very helpful)
Authentication is done on the A.P.'s (EAP300 Engenius) with the same key for staff and students. (at one time it was separate keys but within one week the teachers would give the password to the students so I gave up. No support from Admin)
This worked fine until the students found out all the have to do is hard code the IP into their unauthorized computer or phone and now they get on the network. So I started blocking unwanted MAC addresses on each A.P. Then the students started spoofing the Mac addresses. I have a limit of 32 Mac's that I can block or allow on the A.P. (I've reach well over the limit of 32) I can't use the "allow Mac's" on the A.P. because I have over 32 that need to access each A.P. at any given time.
So now I'm seeking advice! Will something like FreeRADIUS work for Authenticating the Wi-Fi users or will I need to install something on the client side also? (in that I can't do.) Does anyone have anything they can suggest for me to do?
Facebook
Twitter
Instagram