Our campus has a limited access network. All the clients connecting to the campus network are known. We have limited public access in the library, but patrons must provide an identity and register. We have limited public access in the student center, but again, participants have to register for an event hosted in the center. We do not provide open, unauthenticated, public access. This is due to several requirements for identification, such as limiting access to a limited resource to those actually paying for the resource or having some connection with the university (like students). We also have determined how we want to respond to DMCA complaints and other legal documents requiring that we identify who is on the network.
When I go to our golf center, there are three constituent groups requesting wireless network access:
- University employees conducting university business activities.
- Event guests who are visiting for a defined event hosted under the terms of a contract.
- Pass-through guests, those dropping in for a round of golf and staying for a visit to the clubhouse.
University employees want to use the wireless network to access university services. Access is protected by authentication and authorized use of services. We try to make that network more secure by making sure that devices are properly updated with anti-virus services and operating system patches. This is a closed and controlled environment.
Event guests are represented by an event organizer. The event organizer consolidates requirements into a statement of work associated with an agreement. The agreement will provide for a certain level of guaranteed access with a service level agreement; specifics are provided in the contract. We are hosting a state PGA event, for example, and they have specific requirements for network provisioning. When we hosted the national Republican presidential debate event last fall, the Republican organization planning the debate had very specific requirements. These technical requirements are covered in the event hosting agreement. When we sign agreements, we have to fulfill the services described in those agreements. We may need to segregate a service for an event, with a separate SSID and password (like the Educause conference). There can be a login storm at the start of the event or during schedule breaks.
Pass-through guests expect network access without authentication. We may just present a basic terms of service splash screen, and limit the network operation to general port 80 traffic. These folks are generally checking communications channels (email and social media). Their access typically does not roam. There's no formal service level agreement. They may congregate in specific areas, so there needs to be higher density of access points in some places (like food service areas). We have determined we do not need to know who is on the network.
On the main campus, our students, faculty and staff access the network through a centralized authentication service. We need to know who is on the network. Students and faculty tend to log in once and roam the campus. The area they roam tends to be larger than those attending an event. There isn't a single event organizer with whom we work to meet requirements. We decide the services in central IT and deliver those services broadly. We do see the same density issues in food service areas, but there's no service level defined in a contract. We try to meet service expectations, not contractual terms.
That's probably a start of what I've learned, but I would appreciate questions and comments about what I've missed.