Hi Danielle,

Just chiming in because we use the same solution as Aaron describes.

We don't worry about those that want to sign in a guest. Our guest role has
limited functionality (web only and access to external IPSec services). We
also limit their connection to 9 hours so that it is fairly inconvenient for
those that should be logging in but provides a long enough window for those
that are truly guests. I've attached an image of our guest volume since we
implemented CCA in August. It tends to hover at about 120 users (out of an
average of 5500 daily users). The spikes are attribed to events where
authentication became unstable or the implementation of a ruleset that put a
lot of people in remediation (new windows updates, etc).

When we kick someone off for violations, we actually filter their mac
address to a particular role that usually has no access expect to a web page
telling them why. This MAC address filter kicks in before the user ever sees
the web page to log in as guest and it overrides the guest access via the
desktop agent.

Hope this helps,

Bob

 

> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Danielle Morse
> Sent: Friday, March 10, 2006 11:00 AM
> To: [log in to unmask]
> Subject: Re: Guest WiFi
> 
> Aaron,
> 
> How do you prevent your students from logging in as guest?  I know it 
> won't be attractive to them since it's limited but students 
> we kick off 
> for violations might start using this to get around fixing their 
> computers for us to give them access again.
> 
> Thanks,
> Dnaielle
> 
> Aaron Havens wrote:
> > We use the guest access provided by the Clean Access login 
> page. Users 
> > logging in with the Guest Access button are limited on what 
> ports they 
> > are allowed to use and blocked from internal ip ranges. 
> Just make sure 
> > to not require the Clean Access agent for this role.
> >