Members using LDS Id's to authenticate in meeting houses

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
Aczlan
Member
Posts: 358
Joined: Sun Jun 06, 2010 5:29 pm
Location: Upstate, NY, USA

#21

Post by Aczlan »

dfdavis wrote:Question.... what will the actual benefit be of members logging in with their LDS username and password as opposed to the way things are now?
In a word, accountability.
Now there is no way to trace who is viewing what at the building. Once you have to log in, your traffic can be traced back to you. Theoretically, traffic could also be prioritized based on your login and what is happening, but I don't know if that is in the works.

Aaron Z
rbeede
Member
Posts: 205
Joined: Sat Apr 02, 2011 1:33 pm

#22

Post by rbeede »

Actually IPv6 autoconfigures the address by communicating with the router. DHCP is optional if you want to force specific subnets, random IPs, specific DNS servers, or auxiliary servers (like WINS).
dfdavis
New Member
Posts: 31
Joined: Tue Nov 03, 2009 1:41 pm
Location: USA

#23

Post by dfdavis »

rbeede wrote:Currently the wireless password is the same in all buildings. When members have an individual login it will limit access to actual members of the Church instead of anybody who happened to learn the shared login.

Somebody help me out here.... I still don't see how there is any benefit here at all.... none of my problems have ever been related to non-members using my system. My problems have always been way too many actual church member users logged on at one time. Look around next Sunday am during sacrament meeting...see what you see.
If we go to this LDS password program... then everyone (members) can log in with info they do know. I think there may still be a few people who don't actually know the info for ldsaccess. Do you have or allow non members to use your church internet? What am I missing here???? The only thing I see here is a way around the wishes of the Stake President.
The only way I can see things ever getting a handle on this situation is... hardwire all our buildings and shut down LDSaccess. At least then we Stake IT people know up front what the number of allowed maximum connections are and are finally able to fulfill our callings in regards to the security of our building systems. Maybe that issue is not a big concern as I think it should be....
Donald F. Davis Jr.
Stake IT
Bloomington Indiana :)
Aczlan
Member
Posts: 358
Joined: Sun Jun 06, 2010 5:29 pm
Location: Upstate, NY, USA

#24

Post by Aczlan »

dfdavis wrote:Somebody help me out here.... I still don't see how there is any benefit here at all.... none of my problems have ever been related to non-members using my system. My problems have always been way too many actual church member users logged on at one time. Look around next Sunday am during sacrament meeting...see what you see.
But, how many of them are on the wireless vs their provider's cell network? Can't shut down the cell network, so people have to be taught the correct principles and allowed to govern themselves.
dfdavis wrote:If we go to this LDS password program... then everyone (members) can log in with info they do know. I think there may still be a few people who don't actually know the info for ldsaccess. Do you have or allow non members to use your church internet? What am I missing here???? The only thing I see here is a way around the wishes of the Stake President.
The upside to that is that members can now prepare a lesson using the resources available on LDS.org and show a video (like the YW did last week for the new theme for the year) as part of a lesson.
dfdavis wrote:The only way I can see things ever getting a handle on this situation is... hardwire all our buildings and shut down LDSaccess. At least then we Stake IT people know up front what the number of allowed maximum connections are and are finally able to fulfill our callings in regards to the security of our building systems. Maybe that issue is not a big concern as I think it should be....
How is the building system security going to be any better with a wired drop in each classroom vs a WLAN that dumps onto the same network?
I would like to see a public/private network split like we have at work (encrypted private WLAN that gives you the same access as plugging in and an open public WLAN that is throttled and blocked from accessing anything on the subnet of the private WLAN) BUT you would still have people who would use the private WLAN for their personal devices.

Aaron Z
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#25

Post by aebrown »

dfdavis wrote:Somebody help me out here.... I still don't see how there is any benefit here at all....

One of the features of the new authentication using LDS Account is that stake presidents can designate that three different sets of people (leaders, adults, and youth) will have any of three different levels of access (full filtered access, access to an approved list of LDS and genealogical sites, and none).

One possible configuration would be to disable all access for anyone but leaders. That should greatly reduce the number of users and thus help with bandwidth usage. The problem with this that I can see is that an IP address will have to be issued to any device that attempts to connect, and even if Internet access is denied, the IP address will not be freed up.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
dfdavis
New Member
Posts: 31
Joined: Tue Nov 03, 2009 1:41 pm
Location: USA

#26

Post by dfdavis »

Time will tell I guess...Please.... I have no problems with the church system getting used for anything that is good and positive and will help with that in any way I can! ALL my buildings are all as connected as I can make them and the Wifi is usable in every square inch. I am just amazed that the answer to too many users is to just get things tweaked so as to allow even more users...

As for the features of the new system to come you mention
"One of the features of the new authentication using LDS Account is that stake presidents can designate that three different sets of people (leaders, adults, and youth) will have any of three different levels of access (full filtered access, access to an approved list of LDS and genealogical sites, and none)."

Are we now going to be the building internet police? Trust me....
This won't be well taken by our members.
Donald F. Davis Jr.
Stake IT
Bloomington Indiana :)
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#27

Post by russellhltn »

dfdavis wrote:Are we now going to be the building internet police? Trust me....
This won't be well taken by our members.
Probably not. But it's the Stake President's prerogative. Just as it's currently the Stake President's prerogative as to who is given the password.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#28

Post by Mikerowaved »

aebrown wrote:The problem with this that I can see is that an IP address will have to be issued to any device that attempts to connect, and even if Internet access is denied, the IP address will not be freed up.
Unless unauthenticated devices are assigned an IP address from a large "guest" pool (with a rather short lease time) that has no Internet access and are only assigned a "real" IP address once they enter their LDS Account credentials. This is a common process for many hotspots that need authentication to use.
So we can better help you, please edit your Profile to include your general location.
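
Added example, not part of any post in this thread: a small Python model of the guest-pool arrangement described in post #28, set against the single-pool concern raised in post #25. Pool sizes, lease times, arrival rate and the share of devices that log in are constructed values, not figures from the Meetinghouse Firewall.

```python
"""Two-pool DHCP model: short-lease guest pool before login, main pool after."""
from dataclasses import dataclass, field

@dataclass
class Pool:
    size: int
    lease_secs: int
    leases: dict = field(default_factory=dict)   # mac -> lease expiry time

    def grant(self, mac, now):
        # Reclaim expired leases first, then hand out an address if one is free.
        self.leases = {m: exp for m, exp in self.leases.items() if exp > now}
        if mac not in self.leases and len(self.leases) >= self.size:
            return False                         # pool exhausted
        self.leases[mac] = now + self.lease_secs
        return True

def simulate(devices, authenticated, main, guest=None, step=30):
    """One device associates every `step` seconds; returns refusal counts."""
    stats = {"guest_refused": 0, "main_refused": 0, "auth_served": 0}
    for i in range(devices):
        now, mac = i * step, f"dev-{i:03d}"
        if guest is not None:
            if not guest.grant(mac, now):
                stats["guest_refused"] += 1
                continue
            if i not in authenticated:
                continue                         # no login: guest lease just expires
            guest.leases.pop(mac)                # login: release the guest address
        if not main.grant(mac, now):
            stats["main_refused"] += 1
        elif i in authenticated:
            stats["auth_served"] += 1
    return stats

LOGGED_IN = set(range(0, 300, 5))   # constructed: 60 of 300 devices authenticate

def single_pool():
    # Every associating device holds a long lease, logged in or not.
    return simulate(300, LOGGED_IN, Pool(100, 8 * 3600))

def split_pools():
    # Unauthenticated devices cycle through a 5-minute guest lease instead.
    return simulate(300, LOGGED_IN, Pool(100, 8 * 3600), guest=Pool(64, 300))

if __name__ == "__main__":
    print("single pool :", single_pool())
    print("guest + main:", split_pools())
```

In the single-pool run the first 100 devices to associate take every address, so most devices that would have logged in are refused; with the guest pool, only authenticated devices ever consume a long lease.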
sammythesm
Member
Posts: 225
Joined: Tue Jan 05, 2010 2:50 pm
Location: Texas, United States

#29

Post by sammythesm »

Are the concerns for having "too many users" on the network based on IP address pool limitations or for bandwidth usage limitations?

For the IP address concern, I'd recommend pushing for 881 upgrades. GSC can then add a whole additional class C subnet to the router, if necessary, to expand the address pool to over 300 IP addresses. As always noted, your mileage with your FM budget may vary, but get your StkPrez on board and you might get it quicker.

For the bandwidth concerns, I'd recommend taking a deep breath and letting the ecosystem figure it out. Most critical Clerk functions (MLS transfers, web browsing, email, etc) are very low-bandwidth use. So, the threat to clerk computers' exclusive use of the connection is low. Even if there is a lot of traffic from other users, those packets will surely slip through relatively easily, people will learn/be taught to be sensible and judicious in their usage, and to be a good neighbor to the wireless users around them.

To me, there is a valid security concern with having wireless devices on the same VLAN as clerk/administrative computers - not because of inherent Windows insecurity - but more because there are lots of folks who create insecurity in their Windows setup - sharing folders, enabling remote desktop, etc. Adding a layer of network isolation would add a bit more security (and might also have other side-benefits discussed elsewhere in this forum (disabling of wireless traffic during broadcasts, artificially throttling bandwidth available to the wifi, giving priority/QoS to the right traffic, etc)).

That said, I'm really looking forward to the new authentication scheme. To address dfdavis' concerns: I've basically given up on being selective about Internet usage at church. Our stake took a 'limited' approach to the WiFi password for years, as we've had a building with WiFi for several years now. Over time, with the turnover in callings and the password never changing, pretty much everyone has access who wants it. And mostly for good reason - indexing activities, church callings, etc, have necessitated passing it around and letting the connection be used. I can see great utility in having broad, church-member (and non-members who are willing to create LDS Accounts) access. This new authentication scheme delivers that in a great user experience to the user (just associate to the network and authenticate using a known credential). It will also drive people to creating and remembering their LDS Account credentials, which can only be a good thing given all the other uses it has. I see only upside to this change.
Aczlan
Member
Posts: 358
Joined: Sun Jun 06, 2010 5:29 pm
Location: Upstate, NY, USA

#30

Post by Aczlan »

sammythesm wrote:Are the concerns for having "too many users" on the network based on IP address pool limitations or for bandwidth usage limitations?
For the IP address concern, I'd recommend pushing for 881 upgrades. GSC can then add a whole additional class C subnet to the router, if necessary, to expand the address pool to over 300 IP addresses. As always noted, your mileage with your FM budget may vary, but get your StkPrez on board and you might get it quicker.
Good to know
sammythesm wrote:For the bandwidth concerns, I'd recommend taking a deep breath and letting the ecosystem figure it out. Most critical Clerk functions (MLS transfers, web browsing, email, etc) are very low-bandwidth use. So, the threat to clerk computers' exclusive use of the connection is low. Even if there is a lot of traffic from other users, those packets will surely slip through relatively easily, people will learn/be taught to be sensible and judicious in their usage, and to be a good neighbor to the wireless users around them.
The only time that I worry about bandwidth is when running a webcast. Otherwise, it is catch as catch can.
sammythesm wrote:To me, there is a valid security concern with having wireless devices on the same VLAN as clerk/administrative computers - not because of inherent Windows insecurity - but more because there are lots of folks who create insecurity in their Windows setup - sharing folders, enabling remote desktop, etc. Adding a layer of network isolation would add a bit more security (and might also have other side-benefits discussed elsewhere in this forum (disabling of wireless traffic during broadcasts, artificially throttling bandwidth available to the wifi, giving priority/QoS to the right traffic, etc)).
The benefit I see to not splitting the network is that I can log on to the network and print to the networked printer in the Stake Clerk's office. The downside is that anyone could do the same.
I really like the idea of a public open network and a private encrypted network. Kill 2 birds with one stone that way.
sammythesm wrote:That said, I'm really looking forward to the new authentication scheme. To address dfdavis' concerns: I've basically given up on being selective about Internet usage at church. Our stake took a 'limited' approach to the WiFi password for years, as we've had a building with WiFi for several years now. Over time, with the turnover in callings and the password never changing, pretty much everyone has access who wants it. And mostly for good reason - indexing activities, church callings, etc, have necessitated passing it around and letting the connection be used. I can see great utility in having broad, church-member (and non-members who are willing to create LDS Accounts) access. This new authentication scheme delivers that in a great user experience to the user (just associate to the network and authenticate using a known credential). It will also drive people to creating and remembering their LDS Account credentials, which can only be a good thing given all the other uses it has. I see only upside to this change.
We have had similar experiences. As of now, most every adult who wants to can get on. Most of the youth are still locked out though. Being able to go to any building (that has internet) and get online would be a big plus for me...

Aaron Z