We are a school and today I was informed that our kids are connecting to our staff SSID which requires authentication to Active Directory by using a VPN on their phone. My ? is why is it allowing the traffic to flow without a password. Any ideas
My question would be is why your APs are broadcasting the SSID anyway. check to make sure you're hitting your Radius server properly. also, you should have a Guest WiFi set up for the kids gives you total control to what they look up.
If students log in to laptops on a pupil SSID then what is it that stops them using other SSIDs with those accounts?
On school devices you have made them users and locked down with group policy, but on their phones they'll be admins.
Or they have compromised a staff account (either observing or guessing or cracking a password).
Ideally find a kid and let them show off how easy it is to do and let them show you their technique. In my experience they love showing off to a techie.
If the SSID needs a logon, then you see the username in the device list.
Find devices that are not supposed to be on the staff net and see what accounts they are using.
