
mdntblu

macrumors member
Original poster
Aug 14, 2004
I have 40 MacBooks in a small private High School. The High School is on a church campus. The school has 4 Airport Extremes with an SSID of CCHS. On the same campus there are 2 other public WiFi networks. What I want to figure out, without having to worry about blocking the MAC addresses on 2 different routers every time a new High School MacBook is being used, is how to set up the MacBook so it won't connect to those WiFi signals. We use Apple Remote Desktop to monitor the MacBooks, and sometimes the students are connected to another network and we can't see their laptops.

We have an Xserve server that all the MacBooks are bound to and can make changes to the MCX records, but need to know what I can do in order to make it so they can't connect to these 2 other networks.

Any help would be appreciated.

Thanks,
Brad
 
Can't you set the laptop to "Require administrator password to:" ... "Change Networks"? Assuming of course you aren't giving the kids admin accounts.

Also, is there not a way in OS X to restrict connections to unsecured wireless networks?
 
I can't block it so they can't change networks. What happens if they go to Starbucks and want to get online?
 
This isn't the answer you want to hear, but why not scrap your current solution and go for wifi base stations that are managed from a centralized console?

You're using consumer-grade products for an enterprise-wide purpose that requires enterprise capabilities and management.
 
I'm not sure I understand the problem. They are allowed to use their own wifi and public wifi such as AT&T at Starbucks, but they can't use the public wifi near your school? Why?

Because you need to monitor their computer usage? Then why are they allowed to take the computers home and use them on their own network or other public wifi?

I suppose you could build a lead box around your school; that would block the wifi signals.
 
He has 3 SSIDs on his campus.

1 -- for student use only
2 -- for anyone except students

Block all students from the public SSIDs but do not configure the laptop to prevent them from changing SSIDs for other access points they have access to (such as home or the coffee shop).

Using Airport Extremes is just not practical in this case. He needs to use a bunch of wifi antennas hooked up to a wifi controller that allows multiple SSIDs and has centralized management capabilities. This way, he can lock out certain MAC addresses from certain SSIDs (and certain access points -- effectively creating a wifi "wall" within a small part of the campus).
 
There are 40 kids, they aren't going to have the budget for that. Although if you are savvy enough you can get enterprise grade equipment and software for next to nothing or very cheap.

Does OP have control of these other two access points? Never mind, it looks like he does. If you had a centralized firewall/DHCP server you could probably update that MAC access list fairly easily. I'm sure something like pfsense is more than capable of doing this if you have the time and expertise. Here's a virtually identical problem scenario in the pfsense forums: http://forum.pfsense.org/index.php/topic,14892.0.html. BTW, pfsense is $0 and will run on dirt cheap hardware incredibly well.
 
Yes, I have control of these other access points. The school is just starting this year with 9th grade and will expand each year until 12th. New students each year will get laptops, so potentially there could be 100-200 laptops in 3 more years. I don't want to have to block the MacBooks on the other 2 free wifi access points.
I see some of your points from the above posters.
@peetah you are correct. The CCHS SSIDs are for the students and the other 2 are for guests on the church/college campus.
Yes, they are allowed to take their laptops home and use other public wifi access points, but when they are at school we monitor them to make sure they are doing their work and not playing on YouTube or other places. And sometimes we use YouTube to show videos in class for specific purposes, so we can't block YouTube. Besides, it's not just websites they are going to; it's playing games, or using other applications when they are supposed to be writing a paper, etc.
I just wish there was a way to make it so my main image (that I put on all the laptops) could be set up so that they can't join these wifi SSIDs (londen & Thirdplace). Is there a setting I can do on the server to push the info to the computers when they log into the Xserve?

Thanks,
Brad
 
I found myself in a similar situation to yours two years ago -- just volunteered at a non-profit org that provided technology education to women victims of domestic violence. Some knew a lot of the web and infected every other Windows computer in the building, others had no clue at all.

The first thing I needed to do was to restrict their access to the net but with a near zero budget found paid solutions out of reach until I found OpenDNS. We use it to restrict people from certain categories on the web. Check it out! The price is right for us (we use the free solution).

As for managing users connecting to access points, ChilliSpot running on a small Linux server which authenticates through Active Directory. All access points are WAP54G from Linksys.

Hope this helps push you in the right direction.

Feel free to PM me if you have any questions.
 
FYI, If you use ChilliSpot, you'll need to enable Kerberos authentication on the Xserve (if it isn't already) so that students can authenticate to it.
 
We have OpenDNS set up on all the WiFi networks on the campus. That isn't the problem. We're not trying to restrict their access to the web, just keep them on a specific SSID when on campus and not float to other ones.
 
Also, ChilliSpot won't work either. They can still connect to the other SSIDs on the campus.
 
Still having problems. I still to this day have not found a solution to this problem other than taking all 40 MacBook MAC addresses and rejecting them on the other 2 open wifi networks, but next year we're going to add more laptops and it will just be an administration nightmare.
Is there any 3rd party software I can load on the MacBooks to give me more control over it?
Thanks
 
Airport Utility can manage more than one Airport Extreme, so you already have centralized management.

How close are the different networks? Have you tried turning down the transmit power of the Airport Extremes so that the range of the public networks does not reach the classroom?

Sometimes this type of network management is a lot of work. Maybe enough work to have a dedicated employee for the task?

Edit: WPA2 the non-student networks and release a new password for them each day 5 min after class starts. Post passwords on a sign in the area of the wifi access points for non-students. This will also reduce leechers from easily chronically using the service from off site if in range.
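
One way to produce the daily guest password suggested in the post above without inventing one by hand each morning (an added example, not part of the original post): derive it from a long-term secret, the SSID and the date with HMAC-SHA256. The function name, alphabet and secret are assumptions made for illustration; the SSID names are the two guest networks named in the thread.

```python
import hashlib
import hmac
from datetime import date

# Characters that are easy to read off a posted sign (no 0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
# Bytes at or above this value are skipped so every character is equally likely.
LIMIT = 256 - 256 % len(ALPHABET)


def daily_passphrase(secret: bytes, ssid: str, day: date, length: int = 12) -> str:
    """Derive one day's WPA2 passphrase for one SSID from a long-term secret."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if len(secret) < 16:
        raise ValueError("use at least 16 random bytes as the secret")
    msg = f"{ssid}|{day.isoformat()}".encode()
    out = []
    counter = 0
    while len(out) < length:
        # A fresh HMAC block per counter value; yesterday's passphrase
        # reveals nothing about today's without the secret.
        block = hmac.new(secret, msg + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            if b < LIMIT and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed secret for the demo; generate a real one with os.urandom(32)
    # and keep it off the student laptops.
    demo_secret = bytes(range(32))
    for ssid in ("londen", "Thirdplace"):
        print(ssid, daily_passphrase(demo_secret, ssid, date.today()))
```

The same secret on the admin workstation and in whatever sets the access point password gives both sides the same value for a given day.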
 
OpenDNS is great for filtering Internet access . . . That's one problem.

How about a simple solution for the wifi access? Apply WPA security on the other two networks that you don't want the students on?
 
I would look into a router with DD-WRT. It is highly customizable and may serve your purposes. The cost is low, and it has many capabilities that more expensive routers have.
 
You wouldn't be able to do anything with a DD-WRT that you couldn't with an Airport Extreme. The most effective solution would be manual MAC address filtering, but the OP already stated that they would prefer a less labor-intensive approach.
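
Much of the labor in manual MAC filtering is keeping the deny list in step with the laptop inventory as new classes arrive. The sketch below is an added example, not something posted in the thread: it normalizes MAC addresses from an inventory export and reports what to add to or remove from the guest networks' deny list. The inventory format, asset tags and addresses are constructed for illustration.

```python
import re


def normalize_mac(raw: str) -> str:
    """Return aa:bb:cc:dd:ee:ff for colon, hyphen, dotted or bare input."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:
        raise ValueError(f"multicast/broadcast address, not a device: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def plan_deny_list(inventory_csv: str, current_deny: list[str]) -> dict:
    """Compare the laptop inventory with the deny list now on the guest APs."""
    wanted, errors = {}, []
    for n, line in enumerate(inventory_csv.strip().splitlines(), 1):
        tag, _, raw = (part.strip() for part in line.partition(","))
        try:
            wanted[normalize_mac(raw)] = tag  # duplicates collapse here
        except ValueError as exc:
            errors.append(f"line {n} ({tag}): {exc}")
    current = {normalize_mac(m) for m in current_deny}
    return {
        "add": sorted(set(wanted) - current),      # new laptops to block
        "remove": sorted(current - set(wanted)),   # retired laptops to unblock
        "errors": errors,                          # typos to fix in the inventory
    }


# Constructed sample data: "asset tag,MAC" in the mixed formats people paste in.
INVENTORY = """\
CCHS-001,02:00:00:AA:00:01
CCHS-002,0200.00aa.0002
CCHS-003,02-00-00-AA-00-03
CCHS-004,02:00:00:AA:00:0G
CCHS-002,02:00:00:aa:00:02
"""
CURRENT_DENY = ["02:00:00:aa:00:01", "02:00:00:AA:00:99"]

if __name__ == "__main__":
    for key, values in plan_deny_list(INVENTORY, CURRENT_DENY).items():
        print(key, values)
```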
 