Members using LDS Id's to authenticate in meeting houses

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
User avatar
Mikerowaved
Community Moderators
Posts: 4404
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#11

Post by Mikerowaved »

Let me preface this by saying I'm not a church employee, nor a volunteer on the WiFi development team. The views below are just my own opinion on how I perceive the typical LDS building WiFi system MIGHT eventually be configured.

If the church configures this as other establishments do (hotels, hotspots, etc.), church meetinghouses will eventually have 2 "virtual" WiFi networks running. User devices will first be assigned an IP address from a large "guest" pool. Let's just assume these will be in the range of 192.168.x.x. Devices with this IP address will not be able to access the Internet. They will ONLY be able to access a login page where they can enter their LDS Account credentials.

If someone DOES wish access to the Internet, they must first enter their LDS Access information. Once authenticated, they will be reassigned to the 10.x.x.x IP range, where they will then be presented with the same (filtered) Internet access we enjoy now.

I believe right now, we are caught in the middle of the development phase, where the initial "guest" step is missing, so every device with the proper WiFi key gets an "authenticated" IP address, of which there are only about 50 or so per building.

It's my opinion that the situation we are currently in is NOT permanent, but rather a development step. That doesn't belittle the fact that many buildings are experiencing problems, such as running out of IP addresses. In fact, I just spent some time this week installing a router in our stake family history library to put them on a different subnet so they will not have to fight for IP addresses each time they power up a PC there. I'm also looking at putting each of the clerk PC's on a fixed IP address, but you have to be careful doing that. You must ONLY assign fixed IP addresses that you KNOW are not in the DHCP pool. You may have to work with the Global Service people to configure your church firewall accordingly. Fixing an IP address blindly could lead to an IP conflict with one the DHCP server issues.
So we can better help you, please edit your Profile to include your general location.
User avatar
rbeede
Member
Posts: 205
Joined: Sat Apr 02, 2011 1:33 pm
Contact:

#12

Post by rbeede »

A DHCP server is suppose to do a ARP check before it hands out an IP address just in-case someone did set it as static or is already using it. Although it may not always catch a machine it works most of the time.
Aczlan
Member
Posts: 358
Joined: Sun Jun 06, 2010 5:29 pm
Location: Upstate, NY, USA

#13

Post by Aczlan »

rbeede wrote:A DHCP server is suppose to do a ARP check before it hands out an IP address just in-case someone did set it as static or is already using it. Although it may not always catch a machine it works most of the time.
A computer with a static address in the dynamic range could have its address given it out if it is off when the address is handed out.

Aaron Z
User avatar
rbeede
Member
Posts: 205
Joined: Sat Apr 02, 2011 1:33 pm
Contact:

#14

Post by rbeede »

Aczlan wrote:A computer with a static address in the dynamic range could have its address given it out if it is off when the address is handed out. Aaron Z

On the plus side Microsoft Windows will detect if duplicate IPs are in use and warn the user.
russellhltn
Community Administrator
Posts: 31344
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#15

Post by russellhltn »

rbeede wrote:On the plus side Microsoft Windows will detect if duplicate IPs are in use and warn the user.

But what is the user to do? The person with the static IP is unlikely to be able to do much. The person with the IP is likely just a church member who wouldn't know what they are supposed to do about it.

The bottom line, anyone who deliberately assigns static IPs in the DHCP range should have their geek credentials revoked. Depending on something else to bail you out as a bad idea.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
User avatar
rbeede
Member
Posts: 205
Joined: Sat Apr 02, 2011 1:33 pm
Contact:

#16

Post by rbeede »

If a user sets a static IP in your DHCP range there isn't much you can do about it other than ask them not to.

Actually you could program your switch/wireless ap to drop the duplicate connection. An invalid client with a static IP would be banned for X minutes (valid static IP could be set in the DHCP server with MAC) and the person with DHCP would just reconnect and get a different address. It just requires extra configuration on the network hardware. Wouldn't be a bad solution for CHQ to research.

Another option hopefully available in 10 years would be IPv6 which doesn't require DHCP.
russellhltn
Community Administrator
Posts: 31344
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#17

Post by russellhltn »

rbeede wrote:If a user sets a static IP in your DHCP range there isn't much you can do about it other than ask them not to.

Yeah, if a user does it. But I believe the direction of the thread was as a "admin" making the change to assure the MLS computers a dedicated IP. A good idea, but just not a static in the DHCP range.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
dfdavis
New Member
Posts: 31
Joined: Tue Nov 03, 2009 1:41 pm
Location: USA

#18

Post by dfdavis »

tomsquatch wrote:I'm a member of our Bishopric and an IT professional by trade. We recently have gone through the process to get internet and wireless in our ward meeting house. We have all the church approved equipment. Upon completion of the project our Stake Tech spec. advised our Stake President only wants members of the Bishopric to have access to the wireless in the building. Our Stake Tech spec. sited examples of abuse stories from our stake and some from church headquarters. So our Stake president decided to make this policy.

My question is to not question my Stake President, as I respect his decision and authority to govern our stake. One item brought up was that in 2012 the church was going to implement the ability for a member to be required to enter their LDS ID to gain access to the internet (wireless) in a meeting house. Does anyone know how far along is this project is and is there an implementation schedule? Also, is there any way we can be put on a list to be a test site this new feature?

Thank you!

Question.... what will the actual benefit be of members logging in with their LDS username and password as opposed to the way things are now?
Donald F. Davis Jr.
Stake IT
Bloomington Indiana :)
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

#19

Post by harddrive »

rbeede wrote: Another option hopefully available in 10 years would be IPv6 which doesn't require DHCP.

About IPv6, it won't be 10 years to be available. It is available now and there are places that are starting to implement it. The carrier world (AT&T, Verzion, etc) is looking to role it out to the general public around 2020.

However, I would still use DHCP with IPv6, because I don't want to have to manually type the 128bit address into each computer and then the DNS entry and so forth. That is WAY too much work.
User avatar
rbeede
Member
Posts: 205
Joined: Sat Apr 02, 2011 1:33 pm
Contact:

#20

Post by rbeede »

Question.... what will the actual benefit be of members logging in with their LDS username and password as opposed to the way things are now?

Currently the wireless password is the same in all buildings. When members have an individual login it will limit access to actual members of the Church instead of anybody who happened to learn the shared login.
Post Reply

Return to “Meetinghouse Internet”