Hope the below makes sense,
A bit of background first:
I work in a large school with a differing range of needs for our wireless. Firstly, we have to ensure our students are not able to access certain websites, so by default all Internet access is filtered at a 'student' level. Our school also hosts regular conferences and has a number of guest speakers. We use RADIUS authentication for our domain-joined devices, which filters the web access level based on the user account,
i.e. student level access = no social media etc.
Staff and Visitor level access allows access to social media, personal email etc.
One problem we've been having is providing the right level of filtering to our guests and staff with BYOD. As silly as it sounds, a lot of our visitors expect access to sites that are blocked for students. We've set it up so that if a visitor joins a specific SSID, they will connect to a VLAN that has its IP address range set to allow staff/visitor level web access. We've done this using Bridge Mode and VLAN tagging within Meraki. It really seems to work.
The problem we're having:
We're running out of IP addresses as our students try to join the various SSIDs that are being displayed via their mobile phones. By doing this, although they can't access the Internet on their phones as they don't have the relevant credentials, they are still taking an IP address from the DHCP pool of the VLAN the SSID is configured to connect to. So we have guests turn up for a conference and we have to quickly try and make space. It can be a losing battle as it seems some have set their phone to auto-connect to it.
Joining the Meraki DHCP works, but it means we can't filter the Meraki DHCP range and hence our visitors would have student level access, which is the default filtering setting. Obtaining additional IP addresses isn't going to be an option for us for another year or so.
Has anyone experienced this type of scenario? For lack of a technical term, is it possible to configure some kind of 'staging' area the clients can join and then be passed to the relevant Vlan after authentication?
Thank you for responding.
The number of addresses available for the guest VLAN is 411 with a lease time of 5 hours.
The DHCP role is on a local domain controller (virtual server).
@NolanHerring's advice is correct, that should improve things a lot.
There is a second option. You could use NAT mode; this way each AP will have its own private L3 domain and it will not even use any addresses from your DHCP ranges for the clients. For your filtering you can then no longer rely on VLANs, but you could use two separate SSIDs, one for visitors and one for students, and filter per SSID in the Firewall & Traffic Shaping in the Wireless section.
There are some disadvantages to this:
If possible set up a L3 network, and have separate subnets for servers, printers, staff devices, student devices, network switches. If you only have a small amount of staff then most of the networks can be class C. As suggested for your students pick a different network type; remember most students these days with BYOD have a laptop of some kind and a phone, so you might need to times the number of students you have by 3 just to be safe.
For the scopes to be running out of IP addresses that means the students have managed to associate with the SSID, which tells me you are probably using open authentication and splash pages.
What about having a PSK on the splash page SSID? You can freely share it with guests, and sure some students will attach to it, but it will prevent the bulk of students attaching to it randomly.
Another option is to use a third party solution like Splash Access. It can rotate the PSK on an SSID every 24 hours. It then displays a QR code on a screen that guests can scan to attach to the WiFi.
In my network I simply have a unique SSID for guests who come in for whatever reason (conference, parents, etc.). We are a large school corporation as well and have tons of true guests all the time. By separating this from staff or student access it means that SSID is only for guests. Technically anyone could join it but there would be no point as it is limited to discourage its use by school owned devices.
Thank you everyone for replying - all suggestions have given me something to work with.
Yes @PhilipDAth, I really should have mentioned that we're using splash pages here for our guests. Ideally I'd like to use prepaid cards as a method of connection (again uses a splash page), which would be ideal for our not so tech friendly guests and last minute guests, and convenient for our reception team to hand out a code to guests attending a one off conference.
I've set up the prepaid cards and it works; it's just the students like to try and see if they can join the guest SSID to try and get web access, and in the process take an IP address (student BYOD is not allowed at present).
In the short term I will look at reducing the DHCP lease time further (thanks @NolanHerring) to see if that makes a difference, and will also see if I can think of a better way to manage the admin side of using a PSK as this could again free up IP addresses (problem being that the key often seems to get out!).
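As an added illustration (not written by any participant in the thread), the model below shows why the 5-hour lease on a 411-address guest scope runs dry when phones keep associating without ever passing the splash page, and how much headroom a shorter lease buys. The join rate, the school day and the device names are constructed sample data; it assumes every association holds one lease for the full lease time with no release or renewal.

```python
from datetime import datetime, timedelta

POOL_SIZE = 411                            # guest VLAN scope size quoted in the thread
DAY_START = datetime(2024, 1, 15, 8, 0)    # constructed school day (assumption)


def constructed_joins(per_minute=2, hours=8):
    """Constructed sample: student phones auto-joining the guest SSID at a
    steady rate all day. Each join takes a lease even though the splash page
    is never completed. Not real data."""
    joins = []
    for minute in range(hours * 60):
        for n in range(per_minute):
            joins.append((f"phone-{minute}-{n}", DAY_START + timedelta(minutes=minute)))
    return joins


def lease_occupancy(joins, lease):
    """Walk the joins as +1 (lease taken) / -1 (lease expired) events.
    Returns (peak concurrent leases, first time the pool is exhausted or None).
    Assumes no DHCP release and no renewal: a lease lives exactly `lease` long."""
    events = []
    for _, joined_at in joins:
        events.append((joined_at, +1))
        events.append((joined_at + lease, -1))
    events.sort()  # at equal timestamps -1 sorts before +1, so an expiry frees first
    held = peak = 0
    exhausted_at = None
    for when, delta in events:
        held += delta
        if held > peak:
            peak = held
        if held > POOL_SIZE and exhausted_at is None:
            exhausted_at = when   # first request that would get no address
    return peak, exhausted_at


def compare_lease_times(joins, hours=(5, 2, 1)):
    """Peak occupancy and exhaustion time for several candidate lease lengths."""
    return {h: lease_occupancy(joins, timedelta(hours=h)) for h in hours}


if __name__ == "__main__":
    for h, (peak, out) in compare_lease_times(constructed_joins()).items():
        state = f"exhausted at {out:%H:%M}" if out else "fits"
        print(f"{h}h lease: peak {peak} of {POOL_SIZE} addresses, {state}")
```

With two failed joins a minute the 5-hour lease peaks at 600 held addresses and the scope is empty by late morning, while a 1-hour lease never exceeds 120; the same walk can be run over the real lease table exported from the Windows DHCP role to size the scope.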