How to authenticate and protect students on their own devices with 802.1x and transparent filtering – Recreational web filtering in a boarding school environment
Allowing students to connect their own smartphones, tabletsand laptops to the school wireless network isbecoming commonplace acrosssecondary and tertiary education.
This is particularly relevant to boarding schools who have a need toprovide recreational Internet access out of school hours.
Students’ own devices still need to be authenticated and filtered – so that we know who is using which device and to apply appropriate filtering.The combination of two key technologies within Smoothwall Filter makes this possible – transparent filtering and 802.1x BYOD authentication.
Transparent filtering means that there isminimalconfiguration required on each device to speak to the filter – all network traffic that passes across the Smoothwall Filter is automaticallyfiltered, and after installation of the HTTPS filtering certificate, the secure traffic can be inspected.
802.1x BYOD authentication is an advanced form of network-level authentication. It is possible with Smoothwall Filter to implement authentication likea hotel or conferenceWiFi– where the user’s details are input to a web page when they connect to the wireless.
However,this can be frustrating for users that connect daily to the network – frequently having to re-enter their credentials.
802.1x on Smoothwall Filter works in combination with an enterprisewirelessnetwork to authenticate the user when they connect (often using WPA2-Enterprise security) and store these credentials on the device. The device will then automatically reconnect to the wireless when in range and provide the credentialswithout any action needed bythe user.
Step 1– Student connects to the wireless network
Step 2– Wireless network sends back authentication request and the client provides username/password
Step 3 – Wireless network validates credentials withadirectoryservice(e.g. Active Directory)using the RADIUS protocol andreceives an acceptance message from the directory server indicating the credentials are correct
Step 4 – The wireless access point allows the device to connect to the network, an IP address is assigned to the device, and Smoothwall is informed of this new connection
Step 5 – As the user browses the internet, traffic traverses the Smoothwall Filter andthe filter knows which filtering policies to apply and who to associate the traffic with, based on the IP address equalling a specific username
Step 6 – Periodically, the wireless network automatically sends anupdate to the filter, to let it know that the user is still connected
Step 7 – When the user disconnects, the wireless network sends a stop message to the filter, so that it knows to no longer associate that IP address with the student
802.1x BYOD filtering is supportedby mostenterprise wireless systemswhich areintegrated with directory services. They also need tosupport RADIUS Accounting with Framed-IP-Addresses. Popular systems include those by Cisco/Meraki,HP/Aruba, Ruckus, Aerohive,and Ubiquiti.
If you have a question or would like to learn more about the UK’s No.1 Web Filter, please get in touch. We’d be delighted to help.
The 7 Imperatives to Web Filtering in Independent Schools
A free whitepaper to guide IT Leaders through the 7 key imperatives they need to know when choosing a web filter suitable for an Independent school environment.