Campus WiFi: a “Tragedy of the Commons”

This Fall at Drury University, we’ve made a substantial number of investments in our Springfield campus networking infrastructure, as well as introducing long-awaited improvements to our day school user experiences:

  • We’ve upgraded our internet connection, from 400Mbits to 1Gbit;
  • We’ve replaced our campus core appliances, tripling our backbone throughput;
  • We’ve upgraded the first of our main campus residence halls to multigigabit ethernet (with plans to augment three additional academic buildings before the end of the current term);
  • Finally – just this week – we’ve rolled out wireless printing to our students.

An auspicious start.

We have much, yet, to do.

For example, an early set of discoveries I made, when I came aboard as CIO, was that:

  1. We used WPA2 Enterprise Authentication for our WiFi (good), but did not have a mechanism for allowing consumer student network devices (Rokus, Smart TVs, game boxes, etc.) to securely connect to our network without a separate, student-purchased wireless router attached to our network (super bad); and,
  2. We allowed students to attach their own wireless routers to our wired infrastructure (super duper bad).

Clearly, we didn’t want to relax our WPA2 Enterprise Authentication, already in place, just to accommodate consumer wireless devices.

Our compromise solution: MAC Authentication. MAC Authentication is used to authenticate devices, based on their physical MAC addresses.

It’s not the way you’d want to generally secure your entire network, but it does provide an easy enough authentication methodology for consumer devices to use, with a modicum of oversight for our Technology Services team to manage who – and what – connects to our network.
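An added example (not Drury's code or configuration) of the MAC authentication decision described above: a device registry that ties each registered MAC address to an accountable owner and answers allow or deny for a connecting device. The `DeviceRegistry` class, the owner name and the sample addresses are constructed for illustration, and refusing randomized (locally administered) addresses at registration is an assumed policy.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw: str) -> str:
    """Canonicalize AA-BB-.., aa:bb:.., aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_stable_hardware_mac(mac: str) -> bool:
    """False for multicast (bit 0) or locally administered (bit 1) addresses.
    Randomized "private" MACs set bit 1 and change, so they stop matching."""
    return (int(mac[:2], 16) & 0b11) == 0

class DeviceRegistry:
    """Hypothetical allowlist mapping each device MAC to an accountable owner."""

    def __init__(self):
        self._owner_by_mac = {}

    def register(self, owner: str, raw_mac: str) -> str:
        mac = normalize_mac(raw_mac)
        if not is_stable_hardware_mac(mac):  # assumed policy, not from the post
            raise ValueError(f"{mac} is multicast or randomized; use the hardware MAC")
        current = self._owner_by_mac.get(mac)
        if current is not None and current != owner:
            raise ValueError(f"{mac} is already registered to another owner")
        self._owner_by_mac[mac] = owner
        return mac

    def authorize(self, raw_mac: str):
        """Return (allowed, owner). A MAC is an identifier the device announces,
        not a secret, so a match says who is accountable and nothing more."""
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            return (False, None)
        owner = self._owner_by_mac.get(mac)
        return (owner is not None, owner)

if __name__ == "__main__":
    reg = DeviceRegistry()
    reg.register("student-a", "00-1A-2B-3C-4D-5E")  # constructed sample values
    print(reg.authorize("001a.2b3c.4d5e"))  # (True, 'student-a')
```

Because the match proves only which address a device announced, this kind of check fits the consumer-device network described here and is not a substitute for WPA2 Enterprise on the main network.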

Allowing these types of devices to connect to our network (somewhat) securely fixes only part of the problem; we still have a large number of “outboard” wireless routers attached to our network, some more open than others.

All insecure as all get out.

In order to secure our network and reduce the interference that these devices are causing in our dorm spaces, we need to shut all of these devices off. Permanently.

But to abruptly disable all external routers, without a sufficient grace period to move student devices to the new (approved) way of connecting to our network, will only make students angry and extremely disgruntled.

The situation is made even more complicated because we had created a de facto campus WiFi equivalent of the Tragedy of the Commons. The Tragedy of the Commons is an economic theory of a situation within a shared-resource system, where individual users acting independently according to their own self-interest behave contrary to the common good of all users, by depleting that resource through their collective action.

How so?

Well, we have a communal resource (our campus wired network) that is freely available to all students. Our WiFi network was heretofore not up to snuff in being able to handle the number and variety of wireless devices our students were bringing to campus. They could attach their own routers to our wired network – solving their problem of poor access to our wireless network, and allowing their wireless devices to connect reliably – but interfering with the common campus WiFi network, or perhaps even their neighbor’s router next door, operating on the same channel.

Install your own external router, and your problem is solved.

Your neighbor trying to use the free campus WiFi, however, is screwed.

As I said, our very own Tragedy of the Commons.

The challenge, then, is to inform our students, and persuade them, that it is ultimately in everyone’s best interest if they don’t act in their own individual best interest; a problem that is as much cultural and political as it is technical.

And another reason why I love working as a CIO in higher ed – where one can apply politics, economic theory, and technical chops, to improve student learning and outcomes.

As I said: an auspicious start.

We have much – very much – yet to do.