How to authenticate and protect students on their own devices with 802.1x and transparent filtering.
Allowing students to connect their own smartphones, tablets and laptops to the school wireless network is becoming commonplace across secondary and tertiary education.
This is particularly relevant to boarding schools who have a need to provide recreational Internet access out of school hours.
Students’ own devices still need to be authenticated and filtered – so that we know who is using which device and to apply appropriate filtering. The combination of two key technologies within Smoothwall Filter makes this possible – transparent filtering and 802.1x BYOD authentication.
Transparent filtering means that there is minimal configuration required on each device to speak to the filter – all network traffic that passes across the Smoothwall Filter is automatically filtered, and after installation of the HTTPS filtering certificate, the secure traffic can be inspected.
802.1x BYOD authentication is an advanced form of network-level authentication. It is possible with Smoothwall Filter to implement authentication like a hotel or conference WiFi – where the user’s details are input to a web page when they connect to the wireless.
However, this can be frustrating for users that connect daily to the network – frequently having to re-enter their credentials.
802.1x on Smoothwall Filter works in combination with an enterprise wireless network to authenticate the user when they connect (often using WPA2-Enterprise security) and store these credentials on the device. The device will then automatically reconnect to the wireless when in range and provide the credentials without any action needed by the user.
Step 1 – Student connects to the wireless network
Step 2 – Wireless network sends back authentication request and the client provides username/password
Step 3 – Wireless network validates credentials with a directory service (e.g. Active Directory) using the RADIUS protocol and receives an acceptance message from the directory server indicating the credentials are correct
Step 4 – The wireless access point allows the device to connect to the network, an IP address is assigned to the device, and Smoothwall is informed of this new connection
Step 5 – As the user browses the internet, traffic traverses the Smoothwall Filter and the filter knows which filtering policies to apply and who to associate the traffic with, based on the IP address equalling a specific username
Step 6 – Periodically, the wireless network automatically sends an update to the filter, to let it know that the user is still connected
Step 7 – When the user disconnects, the wireless network sends a stop message to the filter, so that it knows to no longer associate that IP address with the student
802.1x BYOD filtering is supported by most enterprise wireless systems which are integrated with directory services. They also need to support RADIUS Accounting with Framed-IP-Addresses. Popular systems include those by Cisco/Meraki, HP/Aruba, Ruckus, Aerohive, and Ubiquiti.
