Members using LDS Id's to authenticate in meeting houses

[sammythesm]

Also the link to technology manager in the email is a broken link.

[Mikerowaved]

Yes - we need much clearer direction here. I've been touting this upcoming feature to our leadership for months now...

Agreed. It would be great to know what the new direction will be.

We have been asked to improve controls over what can be accessed instead of controlling who can access it.

In that case, I suggest they seriously consider giving us the ability to put the admin computers on a different subnet than the general access WiFi devices will have. This is easily done if the admin PC's are hardwired, but still not impossible if they are wireless.

[aebrown]

Also the link to technology manager in the email is a broken link.

Yes, I noticed that too. My guess is that the link was supposed to go to a new article about Technology Manager on the Record Keeping and Technology Support (RKATS) site. I searched that site and could find no article on this topic. So I guess the newsletter got sent out before that article was published.

But if you want to see some hints about what is coming, about 6 weeks ago an article was added to the LDSTech Wiki called Technology Manager. It looks like editing of the wiki article was abandoned before it was completed, since all the documentation efforts of the Meetinghouse Technology team are now focused on the new RKATS site. So I wouldn't assume that content is authoritative, but it does give some clues as to what is planned for the first release and what might be in a future release.

[harddrive]

In that case, I suggest they seriously consider giving us the ability to put the admin computers on a different subnet than the general access WiFi devices will have. This is easily done if the admin PC's are hardwired, but still not impossible if they are wireless.

Then what you need to do is to put the admin computers into the static range. This way they don't have to rely on the DHCP server.

Terry

[Aczlan]

Then what you need to do is to put the admin computers into the static range. This way they don't have to rely on the DHCP server.

Methinks that the issue is more protecting the admin computers from people trying to remotely access them than a lack of IP addresses.

Aaron Z

[Gary_Miller]

Yes - we need much clearer direction here.

How much clearer do you want it?

The Meetinghouse Technology Newsletter that was just sent out says that this whole effort to use LDS Account to authenticate for Internet usage in meetinghouses has been canceled (or at least postponed indefinitely): "We have been asked to improve controls over what can be accessed instead of controlling who can access it. As a result, signing in with an LDS Account will not be required for Internet use."

I've been touting this upcoming feature to our leadership for months now, and now I have a lot of egg on my face if it's not coming.

No egg on your face its just a change in direction. A good change when it comes to the end user.

The shared secret password is silly. It needs to go away.

Correct ether the password needs to be posted so all can use it or there needs to be no password at all.

Shared secrets are as good as open networks in this case.

What would be the problem with an open network, when the intent is for the membership to use the resource?

For a home user, shared secret can work, but not for a huge enterprise like the Church

.

Last I looked the church was not an enterprise.

What's to stop it from getting posted and having every home or apartment building near a church AP to leech the free WiFi?

I don't think the Church leadership is as concerned about this as you are.

A captive portal was the right answer - and having it to drive LDS Account usage and remembrance (can't tell you how many ppl have created LDS Accounts and forgotten their credentials) was an added benefit of this feature.

Its not important to know who has an LDS Account and who does not have an account, let alone who uses it. And its not hard to figure out what your log on credentials are if they are forgotten. In fact the church site is easier than most sites.

It also gives us a possible audit trail of who is on the WiFi and what they accessed, something my stake president was keen on when I told him we would be expanding WiFi access.

Again its not important to know WHO accessed what as it is to know WHAT is being accessed. If you know what is being accessed then you can focus resources on to the most important areas.

If the WiFi is not to be restricted (as the message indicated), then even things like the default IP addressing of the routers needs to be addressed. I have had to bother the GSC 3 times for 5 different buildings to expand the number of available IP addresses to accommodate all the users of our stake. We just keep running out, and I have confirmed it's because we have over 200 devices in the building at a time that are getting IP addresses.

Availability is the most important feature that needs to be addressed. This includes local leaders not restricting access by not giving the password out to all the members in there units.

[johnshaw]

I would disagree Gary, it is true the church is an enterprise - when speaking in IT terms, this is referring to a LARGE organization that has centralized administration and does things at a much higher scale that a small-large size business... or at least that is how I read it. In Availability - I agree - it is the most important feature (according to the Brethren apparently).

Where I believe we need MUCH CLEARER DIRECTION - is the result or ramification of the decision to control WHAT rather than WHO. There are only a couple of broad categories for why Stakes are choosing to control access. The largest of these is the lack of Bandwidth.

What were the assumptions the Brethren came to the table with when they made this decision? Were they under the assumption that the MAJORITY of meetinghouses have implemented the 2011-2013 project (or will complete by end of 2013), have the 881W, with Wireless in the buildings and ethernet run to designated large rooms and static equipment. Do they believe that the MAJORITY of meetinghouses have a 10U/1D plan (based on several pre-negotiated rates that someone believes would cover a 'MAJORITY' of meetinghouses). If they made a decision with these assumptions, then many of us are left out in the cold, rain-soaked, having left our house key at work, and the family on vacation... basically we're freezing, cold, wet and miserable.

If we interpret the decision as logically as we can, then it means the Brethren desire connectivity for our members. Period. They want enough available to take away the need to limit access through a tool or methodology (we're talking reasonable here... we don't expect to host LAN-gaming parties or anything like that).

Does the FMG understand this? I can tell you that mine will not. There is too much nuance in the decision. If everyone involved at the higher level believes the meetinghouse internet plan is being rolled out differently than it is (at least in my neck of the woods) then the decision is really bad for many of us.

If the decision was made, knowing that many will continue to have poor experiences with Internet Services provided by the church (meaning no video conferencing, no real ability to use the online media in teaching and training, do family history, all that other stuff online we do, process church operations, etc...) -- I would eat my hat, I'd clear land from stark wilderness, start raising sheep, grow them to maturity, shear the wool from their backs, process it into wool and make a nice wool hat that I would eat with a smile on my face.

I'm confident in this scenario, I'm confident that it is a 1st world problem as well and that dealing with less-developed parts of the world WILL be different. In my observation of both the online apps development over the last few years and the meetinghouse internet rollout, we're not on the same page yet. I am disappointed with the lethargy with which some of our members approach these issues (Ask FMG for stuff, NO, Ask FMG for stuff NO, becomes - Why bother asking FMG they'll just say NO --> Which turns into FMG delivering a lower performance that is needed, but actually thinking they are delivering high performance because nobody is asking for anything different that what they are delivering.

I'm pretty sure that if the Brethren knew that FMG were rolling out the Firewalls as they implement new Sprinkling systems in meetinghouses (Rather than working with SP on prioritized lists [granted it could include the FMG needs as well]), and that it was the sole determining factor there would be an accounting called.

[msd360]

Do they believe that the MAJORITY of meetinghouses have a 10U/1D plan (based on several pre-negotiated rates that someone believes would cover a 'MAJORITY' of meetinghouses). If they made a decision with these assumptions, then many of us are left out in the cold, rain-soaked, having left our house key at work, and the family on vacation... basically we're freezing, cold, wet and miserable.

This is key. If I understand this correctly, 10U/1D refers to bandwidth on the upstream and downstream, respectively (should be reversed). We are currently fighting this battle with our FMG. Two of our buildings have cable, and two are DSL, both with 7Mbs down, but the up differs from 3Mbs to 896kbps due to distance from DSLAM, and the smaller one is the Stake Center, which includes a FHC. FMG doesn't understand how this could be a problem, and is refusing to convert the stake center to cable.

[msd360]

sammy... it's not simple. My FM will not upgrade my Pix to an 881. I had a failure last night at a General Priesthood meeting because I couldn't get an IP address on a computer due to the IP's being so limited, this has been going on in at least 3 buildings I have and FM says no budget to do it.

That sounds like an issue with your particular FM group.

If FM is not being responsive, I'd inform the Stake President of the situation.

Actually, John may have unknowingly raised another key issue. The issue is less of bandwidth than of addressing. Each 881 is allocated a small set of IP addresses, each of which may be assigned to an individual device such as a clerk computer. If the standard 1041N wireless is deployed, this address space is extended wirelessly to smart phones and tablets in the hands of many members, likely exceeding the small address space, and potentially restricting access to other wired devices. If, as has been previously stated, Internet service is to be extended to whomever desires it, then either this small address space must be substantially increased, or the wireless address space should be different (NAT), which can be accomplished through commodity wireless devices (and the 1041N I assume with proper provisioning).

[johnshaw]

Actually, John may have unknowingly raised another key issue. The issue is less of bandwidth than of addressing. Each 881 is allocated a small set of IP addresses, each of which may be assigned to an individual device such as a clerk computer. If the standard 1041N wireless is deployed, this address space is extended wirelessly to smart phones and tablets in the hands of many members, likely exceeding the small address space, and potentially restricting access to other wired devices. If, as has been previously stated, Internet service is to be extended to whomever desires it, then either this small address space must be substantially increased, or the wireless address space should be different (NAT), which can be accomplished through commodity wireless devices (and the 1041N I assume with proper provisioning).

The issue of having less IP's is as you stated, but it is also a problem with legacy firewalls. In three of my meetinghouses I have PIX 501's still, these are very limited in the amount of IP's the give out, due to licensing restrictions (as told to us by GSC) the only way to add IP's is to upgrade to the 881W.

I have a new stake center, and because we have the stake, and 3 units in the building, all fairly young, and tech-savvy we were running out of IP's for people. Called the GSC and added another range to the scope and all is fine. Doesn't change the fact that my ISP is 1.5M Down and .364 Up.....