Running out of IP addresses - BYOD

SN1
Conversationalist


Hi,

Hope the below makes sense.

A bit of background first:

I work in a large school with a differing range of needs for our wireless. Firstly, we have to ensure our students are not able to access certain websites, so by default all Internet access is filtered at a 'student' level. Our school also hosts regular conferences and has a number of guest speakers. We use RADIUS authentication for our domain-joined devices, which filters the web access level based on the user account,

i.e. student level access = no social media etc.

Staff and Visitor level access allows access to social media, personal email etc.

One problem we've been having is providing the right level of filtering to our guests and staff with BYOD. As silly as it sounds, a lot of our visitors expect access to sites that are blocked for students. We've set it up so that if a visitor joins a specific SSID, they will connect to a VLAN that has its IP address range set to allow staff/visitor level web access. We've done this using Bridge Mode and VLAN tagging within Meraki. It really seems to work.

The problem we're having:

We're running out of IP addresses as our students try to join the various SSIDs that are being displayed via their mobile phones. By doing this, although they can't access the Internet on their phones as they don't have the relevant credentials, they are still taking an IP address from the DHCP pool of the VLAN the SSID is configured to connect to. So we have guests turn up for a conference and we have to quickly try and make space. It can be a losing battle as it seems some have set their phones to auto-connect.

Joining the Meraki DHCP works, but it means we can't filter the Meraki DHCP range and hence our visitors would have student level access, which is the default filtering setting. Obtaining additional IP addresses isn't going to be an option for us for another year or so.

Has anyone experienced this type of scenario? For lack of a technical term, is it possible to configure some kind of 'staging' area the clients can join and then be passed to the relevant VLAN after authentication?

NolanHerring
Kind of a big deal

What size scope are you using for the staff/visitor SSID?
Where is the DHCP server living? (assuming on an actual windows server)
What lease timers do you have configured?
Nolan Herring | nolanwifi.com
SN1
Conversationalist

Hi,

Thank you for responding.

The number of addresses available for the guest VLAN is 411, with a lease time of 5 hours.

The DHCP role is on a local domain controller (virtual server).

NolanHerring
Kind of a big deal

OK, so the easy fix here is to just make the scope larger. Use a /21 or /18, for example. You mentioned you can't but didn't specify why, so I'm curious 😃

You can also try decreasing the lease timer to, say, 1 hour.

Keep in mind the 'half-life' issue.

So you have your timer above set for 5 hours. At the 2.5 hour mark (or really any time during the 5 hour window), if the client reaches back out ('hey, can I have, or do I still have, this IP?') and the server says yes, it basically resets the cool-down.

So in theory, if a client is there for 4 hours, his lease might still be taken for another 5 after he has left (9 hours in this example).
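The lease 'half-life' effect described in the reply above can be put in numbers. The following is an added example, not code from the thread, from Meraki, or from any of the posters: it models the RFC 2131 default renewal point T1 = 0.5 × lease (a client that is still associated renews at T1, and each renewal resets the expiry to now + lease), plus a worst case in which the client renews or re-requests just before walking away. The scenario it runs (150 conference guests for six hours, and three 15-minute waves of 150 student phones that associate at each break, fail the splash page, but still take a lease) is constructed; only the 411-address pool size comes from the thread.

```python
"""DHCP pool-occupancy model for the lease 'half-life' discussion.

Added example, not from the thread.  Assumptions:
  * clients renew at T1 = 0.5 x lease (RFC 2131 default) while associated;
  * each renewal resets the lease expiry to now + lease;
  * a lease stays allocated until it expires, even after the client leaves
    (phones do not send DHCPRELEASE when they walk out of range);
  * the scenario below (guest/student wave sizes and times) is constructed.
All times are hours after the scope opens for the day.
"""
from dataclasses import dataclass

POOL_SIZE = 411  # the guest VLAN scope size quoted in the thread


@dataclass(frozen=True)
class Session:
    arrive: float   # hour the clients associate and obtain a lease
    leave: float    # hour the clients walk away (no DHCPRELEASE sent)
    clients: int    # how many devices behave identically


def lease_held_until(session: Session, lease_hours: float,
                     worst_case: bool = False) -> float:
    """Hour at which a departed client's address finally returns to the pool.

    With the RFC 2131 T1 schedule the last renewal happens at the latest
    multiple of T1 before the client leaves.  worst_case=True instead assumes
    the client renewed (or re-requested, e.g. after a screen wake or a roam)
    right before leaving, so the address is held for a full lease afterwards.
    """
    if worst_case:
        return session.leave + lease_hours
    t1 = lease_hours / 2
    renewals = int((session.leave - session.arrive) // t1)
    last_renewal = session.arrive + renewals * t1
    return last_renewal + lease_hours


def peak_occupancy(sessions, lease_hours: float,
                   worst_case: bool = False) -> int:
    """Maximum number of addresses simultaneously leased over the day."""
    events = []
    for s in sessions:
        events.append((s.arrive, +s.clients))
        events.append((lease_held_until(s, lease_hours, worst_case), -s.clients))
    # At equal timestamps, process releases before new leases.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def pool_exhausted(sessions, lease_hours: float,
                   pool_size: int = POOL_SIZE) -> bool:
    """True if the scope would run dry at some point during the day."""
    return peak_occupancy(sessions, lease_hours) > pool_size


# Constructed scenario: one conference plus student phones auto-joining the
# guest SSID at each break.  They never pass the splash page, but each one
# still holds a DHCP lease until it expires.
SCENARIO = [
    Session(arrive=1.0, leave=7.0, clients=150),   # guests, 6 hours
    Session(arrive=2.0, leave=2.25, clients=150),  # break 1, 15 minutes
    Session(arrive=4.0, leave=4.25, clients=150),  # break 2
    Session(arrive=6.0, leave=6.25, clients=150),  # break 3
]


if __name__ == "__main__":
    for lease in (5.0, 1.0):
        peak = peak_occupancy(SCENARIO, lease)
        state = "EXHAUSTED" if peak > POOL_SIZE else "ok"
        print(f"lease {lease:>3}h: peak {peak} of {POOL_SIZE} addresses -> {state}")
```

With the 5-hour lease every break-time wave lingers until the end of the day, so the third wave stacks on the first two and the guests (600 addresses wanted against 411). With a 1-hour lease each wave has expired before the next break and the peak stays at 300. The model also reproduces the 4-hour client from the reply: the T1 schedule keeps its address until hour 7.5, the worst case until hour 9.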

@NolanHerring's advice is correct; that should improve things a lot.

There is a second option. You could use NAT mode; this way each AP will have its own private L3 domain and it will not even use any addresses from your DHCP ranges for the clients. For your filtering you can then no longer rely on VLANs, but you could use two separate SSIDs, one for visitors and one for students, and filter per SSID in Firewall & Traffic Shaping in the Wireless section.

There are some disadvantages to this:

  • Clients can't communicate among each other.
  • No incoming connections to the clients are possible.
  • Moving between APs in NAT mode will cause the connection to break. Applications requiring continuous traffic streams such as VoIP, VPN or media streams will be disrupted during roaming between APs.
  • You need an extra SSID, which causes extra overhead due to the additional SSID advertisements.
BlakeRichardson
Kind of a big deal

If possible set up an L3 network, with separate subnets for servers, printers, staff devices, student devices and network switches. If you only have a small number of staff then most of the networks can be class C. As suggested, for your students pick a different network size; remember most students these days with BYOD have a laptop of some kind and a phone, so you might need to multiply the number of students you have by 3 just to be safe.

PhilipDAth
Kind of a big deal

For the scopes to be running out of IP addresses the students must have managed to associate with the SSID, which tells me you are probably using open authentication and splash pages.

What about having a PSK on the splash page SSID? You can freely share it with guests, and sure, some students will attach to it, but it will prevent the bulk of students attaching to it randomly.

Another option is to use a third-party solution like Splash Access. It can rotate the PSK on an SSID every 24 hours. It then displays a QR code on a screen that guests can scan to attach to the WiFi.

https://www.splashaccess.com/secure-wpa-2-guest-wifi-dashboard-cisco-meraki/

Bossnine
Building a reputation

In my network I simply have a unique SSID for guests who come in for whatever reason (conference, parents, etc). We are a large school corporation as well and have tons of true guests all the time. By separating this from staff or student access it means that SSID is only for guests. Technically anyone could join it, but there would be no point as it is limited to discourage its use by school-owned devices.

SN1
Conversationalist

Thank you everyone for replying; all suggestions have given me something to work with.

Yes @PhilipDAth, I really should have mentioned that we're using splash pages here for our guests. Ideally I'd like to use prepaid cards as a method of connection (again using a splash page), which would be ideal for our not-so-tech-friendly guests and last-minute guests, and convenient for our reception team to hand out a code to guests attending a one-off conference.

I've set up the prepaid cards and it works; it's just that the students like to try and see if they can join the guest SSID to get web access, and in the process take an IP address (student BYOD is not allowed at present).

In the short term I will look at reducing the DHCP lease time further (thanks @NolanHerring) to see if that makes a difference, and will also see if I can think of a better way to manage the admin side of using a PSK, as this could again free up IP addresses (the problem being that the key often seems to get out!).
