K-12 Education: Secure WiFi Access in Schools and Educational Institutions

The accelerated use of technology in the educational system has driven a widespread deployment of WiFi networks. The increased availability of network access in schools poses a unique set of access security challenges; WiFi networks must:

  • Secure institutionally owned tablets and devices
  • Host and secure student, faculty and guest “bring your own device” (BYOD) notebooks and phones
  • Limit access to authorized users
  • Protect user credentials
  • Control access to network resources
  • Manage bandwidth

In particular, a comprehensive WiFi infrastructure must satisfy the following requirements:

  • Credentials must be validated for each user or device that attempts to connect to the network, against the institution’s centralized store of usernames and passwords (e.g., Active Directory)
  • The appropriate level of authorization must be allocated for each user; for example, while teachers need immediate access to all network resources, it may be desirable to limit students’ ability to access the internet
  • A combination of network access methods may be required; for example, some users should be required to connect via secure 802.1X/WPA2, while guests and other visitors may be able to connect via an internet portal
  • Students, faculty, staff, and visitors each have different requirements and limitations, and each group should be prioritized based on the needs of the institution

A robust, easy-to-implement WiFi infrastructure for educational institutions comprises the following elements:

  • Access points enabled with screen redirect / captive portal support such as those from Meraki, Cisco, Ruckus, Aruba, and Motorola
  • Captive Portal web server, either built-in or external, which provides the portal interface, user sign-on, and content delivery mechanisms
  • Back-end data store against which the portal will authenticate users, such as Active Directory, Google Apps, or SQL
  • Cloud-hosted RADIUS server, such as Cloudessa RADIUS, which handles customer authentication, service level configuration, and usage tracking

Cloudessa RADIUS

The RADIUS server is a key component of the WiFi infrastructure, providing a multi-layer authentication service that lets educational institutions control who gets on their network and what they are able to do; it also provides comprehensive user and usage insight and data.

Cloudessa RADIUS is a low-cost, scalable cloud-based RADIUS solution, ideal for school districts and universities with varied existing infrastructures. It provides the following major benefits:

  • Cloudessa is simple to configure and administer. The interface is accessible and intuitive. There is no hardware or software cost, and no installation requirements. A simple interface, configuration wizards, complete documentation and expert support enable you to implement access security with a minimal investment of time and resources.
  • Cloudessa can leverage your existing authentication infrastructure. For example, if you have existing user data in Active Directory, LDAP, SQL, or Google Apps, you can re-use these resources for network access security without duplicating user information. Sensitive user information remains under IT control.
  • Cloudessa supports both industry-standard WPA2 802.1X-based security and Captive Portal browser-based authentication.
  • Cloudessa is built on the FreeRADIUS code base. FreeRADIUS provides a proven market solution that is deployed in thousands of educational networks, including some of the largest universities in the world.
  • Cloudessa RADIUS is a subscription-based service that eliminates the cost and complexity of deploying a local RADIUS server. Cloudessa enables IT administrators to secure the WiFi network without capital expense, reducing cost, effort and time.
  • Cloudessa RADIUS is not just for WiFi. In addition to WiFi APs, it can authenticate users accessing the network from VPNs, firewalls and other access gateways. The RADIUS server can return user-specific and session-specific authorization attributes, including VLAN assignment and bandwidth allocation. For example, network traffic for faculty and staff can be prioritized over student activity to Facebook or Twitter.