How to block a wifi signal

Can't you set the laptop to "Require administrator password to:" ... "Change Networks"? Assuming of course you aren't giving the kids admin accounts.

Also, is there not a way in OS X to restrict connections to unsecured wireless networks?

 

This isn't the answer you want to hear, but why not scrap your current solution and go for wifi base stations that are managed from a centralized console?

You're using consumer grade products for an enterprise wide purpose that require enterprise capabilities and management.

 

I'm not sure I understand the problem. They are allowed to use their own wifi and public wifi such as AT&T at Starbucks, but they can't use the public wifi near your school? Why?

Because you need to monitor their computer usage? Then why are they allowed to take the computers home and use them on their own network or other public wifi?

I supposed you could build a lead box around your school, that would block the wifi signals.

 

He has 3 SSIDs on his campus.

1 -- for student use only
2 -- for anyone except students

Block all students from the public SSIDs but not configure the laptop to block prevent them from changing SSIDs for other access points they have access to (such as home or the coffee shop).

Using airport extremes is just not practical in this case. He needs to use a bunch of wifi antennas hooked up to a wifi controller that allow multiple SSIDs and has centralized management capabilities. This way, he can lock out certain MAC addresses from certain SSIDs (and certain access points -- effectively creating a wifi "wall" within a small part of the campus).

 

There are 40 kids, they aren't going to have the budget for that. Although if you are savvy enough you can get enterprise grade equipment and software for next to nothing or very cheap.

Does OP have control of these other two access points? Nevermind it looks like he does. If you had a centralized firewall/dhcp server you could probably update that MAC access list fairly easily. I'm sure something like pfsense is more than capable of doing this if you have the time and expertise. Here's a virtually identical problem scenario in the pfsense forums, http://forum.pfsense.org/index.php/topic,14892.0.html. btw, pfsense is $0 and will run on dirt cheap hardware incredibly well.

 

I found myself in a similar situation to yours two years ago -- just volunteered at a non-profit org that provided technology education to women victims of domestic violence. Some knew a lot of the web and infected every other Windows computer in the building, others had no clue at all.

The first thing I needed to do was to restrict their access to the net but with a near zero budget found paid solutions out of reach until I found OpenDNS. We use it to restrict people from certain categories on the web. Check it out! The price is right for us (we use the free solution).

As for managing users connecting to access points, ChilliSpot running on a small Linux server which authenticates through Active Directory. All access points are WAP54G from Linksys.

Hopes this helps push you in the right direction.

Feel free to PM me if you have any questions.

 

FYI, If you use ChilliSpot, you'll need to enable Kerberos authentication on the Xserve (if it isn't already) so that students can authenticate to it.

 

Airport Utility can manage more that one Airport Extreme so you already have centralized management.

How close are the different networks? Have you tried turning down the transmit power of the airport extremes so that the range of the public networks do not reach the classroom?

Sometimes this type of network management is a lot of work. Maybe enough work to have a dedicated employee for the task?

Edit: WPA2 the non-student networks and release a new password for them each day 5 min after class starts. Post passwords on sign in the area of the wifi access points for non-students. This will also reduce leechers from easily chronically using the service from off site if in range.

 

OpenDNS is great for filtering Internet access . . . That's one problem.

How about a simple solution for the wifi access? Apply WPA security on the other two networks that you don't want the students on?

 

I would look into a router with DD-WRT it is highly customizable and may serve your purposes - cost is not expensive and has many capabilities that more expensive routers have

 

You wouldn't be able to do anything with a DD-WRT that you couldn't with an airport extreme. The most effective solution would be manual Mac address filtering but the OP already stated that they would prefer a less labor intensive approach.