Monday, September 7, 2020

Enabling/Disabling AP radios on cue

Hi all,

So I've gotten this strange ask from my users which I don't know how to handle. I manage the network of several schools among other locations, and basically they want to shut down the wireless at the schools after XX:XX hrs, it varies between schools. The motivation is that basically students hang around the school after hours and basically break sh*t. And for some reason everyone thinks it's because there's free WiFi.

We're a Cisco shop with the following at my disposal:

  • 5520 N+1, Code 8.3.150.0.
  • Cisco Prime 3.7
  • Cisco ISE 2.7
  • All APs run local mode, models 18xx, 28xx mostly

We have the same SSIDs at all schools which are:

  • One "main" SSID for EAP-TLS, PEAP authentication which both students and teachers use. (Machine authentication and AD username/password)
  • One WPA2 SSID where everyone knows the PSK, can't fix this yet, intend to use iPSK when we get to 8.5.
  • Open SSID, splash page to accept EULA only.

Since these SSIDs are published not only at schools, I can't simply disable the SSIDs using Prime configuration tasks. What I've done so far for some schools already is to create a scheduled configuration task in Prime, which basically disables the radios for all APs at these specific sites at specific times and then enables them again in the morning.

But now I've been asked if there's a way that teachers/principals could activate the wireless on cue if they wanted to after the specified shutdown hours in the case of special circumstances. This is where my head started to hurt. Is there such a solution? How?

My thinking to fix this long term is to make some changes to our ISE policies, by starting to utilize the Cisco AV pair attribute and tag student devices as 'STUDENT'. And then in the WLC create ACLs per AP group to deny traffic for students after say 19:00 or whatever is requested. This would allow teachers access to WiFi on our main SSID and deny students. I think this is possible, am I right?

The second WPA2 SSID I can't really do much about right now. But can probably fix this in a few months. And the open SSID I have to get rid of. Create a different open SSID that's only published at schools and simply disable and enable this using Prime at specific times every day.

If anyone has any ideas I'm all ears. Have you ever had to deal with something similar?
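
The decision logic behind both ideas in the post (scheduled radio shutdown with a staff override, and a time-based deny for devices tagged 'STUDENT'), as an added example that is not part of the original post. All class and function names and the 3-hour override cap are hypothetical; the code only models the decision and does not talk to Prime, the WLC or ISE.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

MAX_OVERRIDE = timedelta(hours=3)  # assumed cap so an override cannot run all night

@dataclass
class SitePolicy:
    off_at: time  # radios go down (per school)
    on_at: time   # radios come back up

@dataclass
class Override:
    requested_by: str      # teacher/principal identity, kept for the audit trail
    granted_at: datetime
    duration: timedelta

    def active(self, now: datetime) -> bool:
        # Expires by itself, so a forgotten override fails closed.
        end = self.granted_at + min(self.duration, MAX_OVERRIDE)
        return self.granted_at <= now < end

def in_shutdown(policy: SitePolicy, now: datetime) -> bool:
    t = now.time()
    if policy.off_at > policy.on_at:  # window crosses midnight, e.g. 19:00 to 06:30
        return t >= policy.off_at or t < policy.on_at
    return policy.off_at <= t < policy.on_at

def radios_should_be_up(policy: SitePolicy, now: datetime,
                        override: Optional[Override] = None) -> bool:
    # Scheduled-radio approach: down during the window unless an override is live.
    if not in_shutdown(policy, now):
        return True
    return override is not None and override.active(now)

def student_access_allowed(policy: SitePolicy, now: datetime, role: str) -> bool:
    # Role-tag approach: radios stay up, only the STUDENT tag is denied in the window.
    return role != "STUDENT" or not in_shutdown(policy, now)

if __name__ == "__main__":
    school = SitePolicy(off_at=time(19, 0), on_at=time(6, 30))  # constructed sample
    ov = Override("principal", datetime(2020, 9, 7, 20, 0), timedelta(hours=2))
    for hh in (18, 21, 23):
        now = datetime(2020, 9, 7, hh, 0)
        print(now, radios_should_be_up(school, now, ov),
              student_access_allowed(school, now, "STUDENT"))
```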


