Prince Street School TeacherNet

Over the spring of 2012 the Prince Street Home and School has initiated and is carrying out a project, dubbed TeacherNet, to equip the school with a wireless Internet network targeted at the school's educators.

To enable other schools to carry out similar projects, we are endeavouring to document all aspects of the project, from project planning through to network performance.

The Home and School acknowledges the generous support of Bell Aliant, which has donated 6 months of 20 Mbps Fibre Op high speed Internet to support the pilot project.

Installation of wireless access points was completed on May 5, 2012; after a week of testing, access codes were distributed to teachers and staff on May 11, 2012.

Project Genesis

Cuts to Capital Budget for Education Technology

Peter Rukavina, 2011-2012 President of the Prince Street Home and School, is also the PEI Home and School Federation representative on the Minister's Advisory Committee on CIT, a provincial body that advises the Minister of Education and Early Childhood Development on technology matters.

At the January 2012 meeting of that Committee two items of concern related to this project were on the agenda:

  1. The cut, for the fiscal year 2012-2013, of the capital budget for information technology in education from $500,000 to $0.
  2. The challenges of implementing a pilot project for the Ooka Island literacy application at Prince Street School related to the high cost of installing wired Internet into classrooms.

Discussion of the second item, especially in light of the first, made it clear that although wireless Internet would be a mechanism for avoiding the costly network drops, wireless Internet roll-out in the education system, while being evaluated, was not imminent.

Subsequent to this January meeting, the PEI Home and School Federation had discussions with the PEI Teacher's Federation about the cut to capital spending for education technology, and together we arranged to bring our concerns forward to Premier Robert Ghiz.

Meeting with Premier Robert Ghiz

On February 22, 2012 the PEIHSF and the PEITF met jointly with Premier Ghiz and his Chief of Staff. The clear messages from the Premier were:

  1. The capital budget for education technology would not be restored for 2012-2013.
  2. In lieu of financial investment in technology, there would need to be an increased reliance on innovation, creativity and thrift in the short term.

Planning a Pilot Project

Following from the January meeting of the Minister's Advisory Committee on CIT and the later meeting with Premier Ghiz, Peter Rukavina prepared a report on the state of the education technology landscape for the board of the PEI Home and School Federation.

During the consideration of this report, we became aware of pilot projects, under the aegis of the French School Board, to install low-cost wireless routers connected to the community office Internet feed, to support both community users and educators in French schools. 

Inspired by the French School Board project, with the Premier's words in mind, and after discussion with educators and Terry MacIsaac, principal at Prince Street School, the notion of a similar wireless "pilot project" to test the viability of a low-cost parallel Internet network at the school was raised by the Prince Street Home and School. The principal encouraged the Home and School to pursue the project, and educators in the school were enthusiastic about possible uses of such a network in the school, so the decision was made to proceed.

Shape of the Pilot Project

The proposed wireless Internet pilot project that emerged consisted of the following:

  1. Installation of a closed wireless network, for use by educators and staff (but not by students) at Prince Street School.
  2. Using low-cost Open Mesh wireless routers ($79 each), based on positive experiences in the French School Board with the same technology.
  3. Not connected in any way to the existing education computer network: wired workstations would not be connected to the wireless network, and any equipment would be installed in a separate area of the school.
  4. Seek donation, for a trial period, of services from an Internet Service Provider.
  5. Funded and maintained by Home and School.

Because of the educator focus of the network, it was decided to dub it "TeacherNet," with the anticipation that the project, if successful, might be adopted by other schools under the same name.

Consultations and Permissions

With the basic wireless Internet project proposal in mind, informal discussions were conducted with:

Through these discussions several important considerations were raised:

  1. Implementing some sort of content filtering system.
  2. Seeking an exception from IT Shared Services's Government Wireless Network Policy which would otherwise prohibit such a pilot project.

As regards content filtering, using the services of OpenDNS, a DNS and content filtering service based in the USA used by many schools, was proposed.

With regards to the IT Shared Services policy, an exception was requested to the policy through the principal.

On April 5, 2012, the school principal received an IT Shared Service Exception document providing the go-ahead for the project, signed by representatives from IT Shared Services, the Department of Education and Early Childhood Development and the Eastern School District.

IT Shared Services Standard Exception

This is the text of an "IT Shared Service Standard Exception" received in April 2012 for a Wireless Internet Pilot Project at Prince Street School.

High Level Facility Overview

  1. Home & School wants to sponsor a wireless pilot project at Prince Street School, in conjunction with Bell Aliant, which does not meet current government standards.
  2. ITSS does support the concept of the pilot as documented. It is recommended that a set of evaluation criteria be developed and an evaluation be carried out based on the criteria at the end of the pilot.
  3. Capital and ongoing costs will be funded by the Home & School.

Exception Request

  1. Use OpenMesh wireless routers in the school that will give wireless connection throughout the school.
  2. Use several routers in different classrooms and/or offices in order to provide coverage for the entire school.
  3. External wire connection to one central location in the school so all OpenMesh routers will communicate. Supplier of choice for this service is Bell Aliant.
  4. Pilot is for teachers only.
  5. Access to the wireless network would be closed and the only way to gain access is through a voucher or numeric coupon code, which would be issued by school secretary or some other responsible person.
  6. The pilot scope does not include access to any Corporate or Government applications other than those available for access over the internet.
  7. ITSS will be invited to review the evaluation results at the end of the 6 month pilot to determine feasibility for other sites.
  8. Government laptops will be physically disconnected from the government network before accessing the proposed wireless network.

Technical Implications to Exception

  1. ITSS has had no opportunity to research the technology proposed and can provide no information with respect to:
    1. reliability - cost to maintain after the trial.
    2. security
    3. performance
    4. end user support requirements
    5. availability of tools for filtering network access
    6. availability of log files to monitor network use
  2. Potential health risks.
  3. Impact on or feasibility of proposed system in schools where there is an existing government installed wireless base.

Financial Implications to Exception

  1. One of the objectives of the Connect PEI Initiative is to reduce the costs of leased lines through the rural broadband Initiative. This proposal, if feasible, may defeat this objective whereby a leased line would be required.

Security Implications to the Exception

  1. Availability for tools for filtering network access. The school will implement content filtering using OpenDNS Enterprise.
  2. Outside Interference from local residences.

Signed

  • Ricky Hood, Superintendent, Eastern School District
  • Alex Sandy MacDonald, Deputy Minister, Department of Education and Early Childhood Development
  • Elizabeth (Beth) Gaudet, COO, IT Shared Services
  • Ed Malone, Director, BIS, IT Shared Services

Attachment: PrinceStreetWirelessException_1.pdf (46.46 KB)

Bell Aliant Fiber Op

In early March, 2012, a request was made to Bell Aliant to provide bandwidth to the pilot project at no cost for an initial period. Bell Aliant agreed quickly to provide its 20 Mbps Fibre Op service for 6 months.

Paul Murray, Bell Aliant Sales Manager for Prince Edward Island, turned this request around in less than 48 hours, and the company's quick and enthusiastic early participation was a significant contributor to pushing the project forward.

On April 19, 2012 a project manager and a technician from Bell Aliant visited the school to survey it for the Fibre Op installation. A plan was developed to run fibre across Upper Prince Street, into the existing conduit running into the school that terminates in the first level electrical room, and then, switching to "inside fibre", running through the ceiling to the boiler room, through the floor to the upper level mechanical room where the fibre transceiver and modem will be wall-mounted and our wireless infrastructure will take over.

Installation took place on April 26, 2012.

The Fibre Op equipment on-site consists of:

  1. Fibre transceiver: the fibre cable runs into this, and this connects to the router via Ethernet cable.
  2. Power supply for fibre transceiver: this is the largest piece of equipment on-site; it provides battery-backed-up power to the fiber transceiver.
  3. Router: a wireless-capable 4-port router connected to the fibre transceiver via Ethernet.

All of the above were mounted in the upper level mechanical room at the school on a pre-existing piece of plywood on the wall that otherwise holds the HVAC control system.

Initial Site Survey

Peter Rukavina, President at Prince Street School, and Ken Williams, a volunteer from Ellerslie Elementary with wireless hardware expertise, agreed to form the volunteer "technical team" for the pilot project.

On April 10, 2012 Peter and Ken conducted an initial site survey of Prince Street School with the vice-principal, Colleen Mullen-Doyle, and the following was noted:

  1. There was broad interest, from grades K through 6, in use of a wireless network: every teacher we asked during our survey was enthusiastic about the possibility of having wireless access in their classrooms.
  2. On the 2nd level of the school the classrooms are concentrated on the middle and far wings, and include grade 4, 5 and 6 classes. There are two classrooms, one grade 4 and one grade 6, with "Smart Boards" on the 2nd level.
  3. On the 1st level the classrooms are concentrated in the same middle and far wings of the school, with the exception of the 3 kindergarten classrooms which are in the near wing.
  4. It is possible to pass Ethernet cable between classrooms above the drop-ceiling, as the cinder block walls leave a 4-5" gap at the top of the wall.
  5. It may be possible to bridge the 1st level-2nd level through a hole in the mechanical room.
  6. Using a test Open Mesh OM2P some initial testing was done on the ability of the wireless signal to penetrate walls and floors and it appeared, at the very least, that one unit can serve two and possibly three classrooms.

Following from the site survey, a map of planned wifi coverage areas was prepared (note that the school inspections conducted in 2011 and posted online each appear to contain a detailed map of the school in question; we extracted the Prince Street School map for our purposes).

 

 

Attachment: Map of Prince Street School annotated with proposed wireless coverage area (773.95 KB)

Wireless Hardware Installation

On May 5, 2012 (a Saturday), following from the successful Bell Aliant Fibre Op installation one week previous, installation of the wireless access points was carried out by Ken Williams and Peter Rukavina under the guidance of Principal Terry MacIsaac.

Installation commenced at 9:00 a.m. and continued to approximately 2:30 p.m., with a break for lunch. Ken Williams did the bulk of the hardware installation and Peter Rukavina did network testing, cable cleanup and cloud network setup.

Seven Open-Mesh OM2P units were obtained for the project. Two were donated to the Prince Street Home and School and an additional five were loaned for a six month period by Ken Williams.

While the OM2P access points will "mesh" together wirelessly, when they do this each "child" access point provides one half of the full available bandwidth to its clients. To allow the greatest possible bandwidth to each access point, the decision was made to hard-wire as many of the access points to the Bell Aliant Fiber Op as possible. For this purpose, 1000 feet of Cat5e Solid UTP Cable was purchased ($164 from Amazon.ca).

Additional tools and supplies required for the installation:

  1. Ethernet cable cutting/crimping and male cable-ends.
  2. Wire snips (2 pairs).
  3. Homemade "cable pusher" to aid in moving cables above the drop-ceilings; this was approx 10 feet long and was constructed of two interconnected lengths of 1/2 inch PVC pipe.
  4. Ladders (one from the school custodian, one brought by Ken).
  5. Cable ties.

To bridge the two levels of the school, cable was run through an existing hole in the floor of the HVAC mechanical room on the upper level down into the lower level furnace room.

Power to the OM2P devices was provided in one of two ways:

  1. Direct power supply from ceiling outlets pre-existing for SMART boards.
  2. Power Over Ethernet (POE).

An example of the in-ceiling SMART board outlets (one receptacle is used for the SMART board, the other appears generally to be free):

The access points were set above the ceiling tiles in all installed locations, which had the benefit of placing them high up (for better wireless coverage) and keeping the access points and their wiring out of view and not subject to accidental tampering:

Devices were labelled from 01 to 07, with the standard Prince Street School prefix of PRINC-347 used by IT Shared Services.

A small piece of orange tape was placed on the ceiling under the location of the OM2P units to allow for easier identification for maintenance:

Devices were installed as follows:

Device | Room No. | Grade | Connectivity | Power
PRINC-347-06 | 8 | 2 | Cable to router | Ceiling plug
PRINC-347-07 | 10 | K | Wireless mesh | Ceiling plug
PRINC-347-05 | Outside 6 | 2 & 3 | Cable to switch in Rm. 8 | POE
PRINC-347-04 | Outside 9 | 1 & Resource | Cable to switch in Rm. 8 | POE
PRINC-347-01 | 29 | 6 | Cable to router | Ceiling plug
PRINC-347-02 | 25 | 4 | Cable to router | Ceiling plug
PRINC-347-03 | Outside 33 | 4 & A+ | None | None

Technical Issues Encountered

The original plan for the PRINC-347-03 access point was to "daisy chain" it from the PRINC-347-02 unit in Room 25, both for power (via POE) and connectivity. However we learned that this configuration isn't supported by the OM2P firmware at present; from the Open-Mesh support site:

You cannot daisy chain the OM2P node to another OM2P node via an ethernet cable.  This feature will be addressed in a future firmware build.

As a result, this unit was not running after the initial install, although it was left in place in anticipation of an alternative solution.

A similar plan was in place for PRINC-347-07 in the Kindergarten: it was to receive bandwidth daisy-chained from PRINC-347-04. However, in this case, because local power was available, it was not reliant upon POE, and so, for the time being, we disconnected the cable and allowed the unit to run in wireless "mesh" mode.

Attachment: OM2P Device Installation Map (834.75 KB)

Wireless Cloud Setup with Cloudtrax

The OM2P wireless access points are administered from the free Cloudtrax.com web-based tool.

Once an account is established, general settings for the entire network are managed from the web tool; changes to settings that affect the OM2P units are pushed to the units through an automatic update process. Initial settings:

When the Cloudtrax settings were configured and we were ready to install the devices, the MAC address of each of the OM2P units was registered with the account (the MAC is printed on the device itself), using a map-view of all the nodes to place the approximate physical location of the node on a map of the school:

As each node was registered and installed, the "notes" field was used to record the physical location of the node for ease of reference and maintenance.

Once all nodes were installed, the Cloudtrax "Network Status" page could be used to track the status of each of the OM2P units:

Additionally, the Cloudtrax "Network Diagram" page showed each node and the interconnectivity to other nodes:

Network Filtering via OpenDNS

Despite the network being targeted at educators, not students, a requirement of the IT Shared Services Exception was that some level of DNS-based filtering be applied to the network.

We are currently pursuing a donation of OpenDNS Enterprise for this role; in the interim, we are using the free OpenDNS Family Shield service, which provides basic DNS filtering, advertised as being "pre-configured to block adult websites across your Internet connection."

With a password provided by Bell Aliant we logged into the administrative interface of the Bell Aliant router (http://192.168.2.1) and changed the DNS settings to the Family Shield values for both primary and secondary DNS server.

Once the change was implemented, testing confirmed that "adult" websites were, in fact, blocked, with a redirect to an OpenDNS-hosted explanatory page happening when such sites were visited from a browser connected to the wireless network.

Analyzing Network Coverage

Two methods were used to gauge the coverage of the wireless network once it was installed: the Speedtest.net bandwidth-measuring website and the free Mac OS X wireless survey tool NetSpot.

NetSpot Survey

Two tests were done of the wireless coverage using NetSpot, one on the lower level of the school and one on the upper level. The same maps used for the initial site survey were loaded into NetSpot, a known measurement entered (staff room is 28 feet long), and then scans were done from multiple locations on each level to measure wireless signal strength from every classroom.

Once the walking survey was completed, NetSpot generated a "heat map" showing wireless signal strength over the covered area. The app shows all wireless signals from all networks (there were 33 other wireless networks detected in the neighbourhood by the app). Limiting the heat map to the "TeacherNet" access points, the results are:

Note that these heat maps show only the wireless signal strength, not network throughput. Note as well that on the upper level's heat map you can see the lack of coverage in the lower-left wing because of the issues with "daisy chaining" the OM2P access point in that location, which we hope to address.

The NetSpot survey files for the lower level and the upper level can be loaded into the application to see more details about the coverage.

SpeedTest.net Bandwidth Tests

For more "real world" testing of connectivity, each classroom was visited with a MacBook Air connected to the TeacherNet network, and the SpeedTest.net bandwidth test was run while sitting at the educator's desk in each room (the likely location from which they would use the network). The result was a downstream and upstream number, in megabits per second, for each classroom, that looked like this:

The class-by-class results of this test were as follows:

The results are available as an Excel spreadsheet.

The diminished bandwidth measured in Room No. 1, the Kindergarten, was because that node is currently operating in wireless "mesh" mode, and, as a child of a first-generation hard-wired node, its bandwidth is half of the maximum.

 

Attachments:

  • NetSpot Survey File, Prince Street Lower Level (2.34 MB)
  • NetSpot Survey File, Prince Street Upper Level (1.79 MB)
  • SpeedTest.net Results for Classrooms (12 KB)

Controlling Access with Vouchers

The wireless network created by the Open-Mesh OM2P access points was set to have an SSID of TeacherNet. The network was set up as a closed network; the Cloudtrax management site has a facility to issue "vouchers" to allow for access after authenticating from an initial "splash page."

Each educator and staff member in the school was issued a high-bandwidth (4.5 Mbps) long-term (4568 day) voucher, and the school secretary was provided with short-term lower-bandwidth vouchers that can be provided to guests.

Teacher and staff vouchers were created through a custom bulk creation process we created for this purpose; teachers and staff were each provided with an instruction sheet containing their name and access code and access documentation.

There is no provision for student access to the wireless network at all at this stage.

The initial "splash page" has been configured as follows:

Attachment: Instruction Sheet Distributed to Staff with Access Codes and Instructions (104.66 KB)

Bulk Generation of Cloudtrax.com Vouchers

The CloudTrax.com portal has two mechanisms for generating vouchers.

  1. The regular administrative interface, which allows for the bulk-generation of random vouchers.
  2. The lobby assistant mode, which allows for manual generation of vouchers.

Because we had a list of 50 staff that we wanted to bulk-create non-random vouchers for, we developed an alternative method that uses a PHP script to programmatically create vouchers from the command line using the "lobby assistant" mechanism.

Procedure was as follows:

  1. Obtain the Prince Street School Staff List from the school website; verify with the Principal that the list is up to date.
  2. Paste the list into an ASCII text editor and format it as a tab-delimited ASCII file with two columns, name and classroom/role.
  3. Paste the resulting ASCII data into a Mac Numbers.app spreadsheet and add three additional columns: "access" (Yes or No, as to whether the given staff person needs wifi access), "random number" (a random number from 100 to 999; entered as =RANDBETWEEN(100,999)) and "voucher code" (the computed voucher code; entered as =CONCATENATE(LOWER(MID(NAME,SEARCH(" ",NAME),99)),RANDOMNUMBER); this takes the person's last name and adds the random number to it).
  4. Export the resulting spreadsheet to a CSV file, called users.csv, with the columns name, role, access, random number and voucher code.
  5. Use the PHP script -- available on GitHub with documentation -- to create vouchers for the users in the CSV file.
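
Steps 2 to 4 can also be done in one pass outside the spreadsheet. The following is an added example, not the project's PHP script: it builds the users.csv rows from a tab-delimited staff list, uses Python's secrets module in place of the spreadsheet's RANDBETWEEN, and redraws the number if two staff would otherwise receive the same code. The sample names, the third "access" input column and the dropping of spaces inside multi-word surnames are assumptions of this example.

```python
import csv
import io
import secrets

COLUMNS = ["name", "role", "access", "random number", "voucher code"]

# Constructed sample input: name, classroom/role, access (Yes/No), tab-delimited.
# The names are made up for this example.
SAMPLE_STAFF_TSV = (
    "Jane Doe\tGrade 4\tYes\n"
    "John Doe\tGrade 6\tYes\n"
    "Mary Ann Smith\tResource\tYes\n"
    "Sam Example\tCustodian\tNo\n"
)


def surname_part(name):
    """Mirror LOWER(MID(NAME, SEARCH(" ", NAME), 99)): everything after the
    first space, lower-cased. Spaces inside that part are dropped, which is a
    choice made for this example."""
    _, _, rest = name.strip().partition(" ")
    return "".join(rest.lower().split())


def build_rows(tsv_text):
    """Return one dict per staff member with the five users.csv columns."""
    rows, issued = [], set()
    for fields in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if not fields:
            continue  # skip blank lines in the pasted list
        name, role, access = (field.strip() for field in fields)
        row = {"name": name, "role": role, "access": access,
               "random number": "", "voucher code": ""}
        if access.lower() == "yes":
            base = surname_part(name)
            if not base:
                raise ValueError(f"no surname found in {name!r}")
            # Same 100-999 range as RANDBETWEEN(100,999), drawn from the OS
            # CSPRNG; redraw on a collision so shared surnames stay distinct.
            while True:
                number = 100 + secrets.randbelow(900)
                code = f"{base}{number}"
                if code not in issued:
                    break
            issued.add(code)
            row["random number"] = str(number)
            row["voucher code"] = code
        rows.append(row)
    return rows


def to_csv(rows):
    """Serialise the rows in the users.csv column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_STAFF_TSV)), end="")
```

Staff marked "No" keep empty voucher columns, so the file can be reviewed before any voucher is created.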

The Cloudtrax voucher list, post-bulk-generation, looked like this:

Support and Contact

Technical Support Email

For the purposes of technical support to educators, a free Gmail account, TeacherNetPEI@gmail.com, was established. This account was set to display on the CloudTrax "splash page" as the support contact, and will be listed in all support materials provided to educators.

Educator Training Session

To introduce the school's educators to the network, a training session, to be held at the school after regular school hours, has been proposed; more details will be provided here when and if it is organized.

Project Costs

A summary of project costs incurred to date is as follows:

Item | Cost | Source
5 Open-Mesh OM2P Wireless Access Points | $395 | Loan from Ken Williams
2 Open-Mesh OM2P Wireless Access Points | $158 | Donation from Peter Rukavina
1000 ft. of Cat5e Ethernet Cable | $164 | Prince Street Home and School
Ethernet cable ends, cable ties, etc. | $50 | Donation from Ken Williams
5-port Ethernet Switch | $100 | Loan from Ken Williams
6 Months 20 Mbps Fibre Op Internet | ? | Donation from Bell Aliant

Out-of-pocket costs for the Prince Street Home and School were $164.

As the project progresses we hope to develop a budget for the continued operation of the project as a planning aid to determine if the network should be maintained after the 6-month project, and as a guide to other schools.

Bandwidth Costs after Pilot Project

Bell Aliant, through Sales Manager, PEI, Paul Murray, had offered special pricing for other schools that want to engage in their own wireless projects:

  • 20 Mbps down / 15 Mbps up FiberOP
  • $49.95 for first 6 months for each location within current fibre op serving areas
  • $79.95 per month after that.
  • 12 month commitment is asked for each location.
  • Installation fees waived.
  • All access to the buildings is the responsibility of the schools, so a review for each location will be required and signed off between the two parties involved.

Interested schools can contact Paul directly at (902) 566-0294.

Open House

On Monday, November 19, 2012, we held an "open house" in Charlene Rogers' kindergarten classroom at Prince Street School for principals, teachers, parents, students, administrators and others interested in our project.

Approximately 25 people attended the open house, which consisted of an overview of the project, a brief tour of the infrastructure, and a discussion led by Charlene Rogers (kindergarten) and Eileen Higginbotham (resource) about how they are using the network in their teaching.

There was a healthy discussion following the formal proceedings about educational technology in general, and 45 minutes of additional informal conversation between attendees afterwards.

Questions

Questions received by email after the event:

Who manages the system if there is an outage?

The system is maintained by volunteers from the home and school. There has been one outage to date (ironically, in the 2 days before the open house), and we weren't alerted until the outage was over, so we need to do a better job at alerting staff as to how to get support.

Who promised the $$ at the end for another 6 months from his department?

Paul Murray from Bell Aliant.

Video

A (low-quality) video of the proceedings is also available (with apologies for the advertising, which couldn't be avoided as we're using the free version of UStream):



Attachment: Slides from TeacherNet Open House (2.74 MB)

Traffic and Analytics

Below you will find graphs from Cloudtrax.com (downloaded using code available here) showing usage (in Kb/s) and number of active users over the last hour, 8 hours, day, week and month. These graphs are updated hourly.

Last Hour

Last 8 Hours

Last Day

Last Week

Last Month

Unauthorized Access to Network

Summary

A bug in the Cloudtrax voucher system we use to manage teacher access to TeacherNet enabled the voucher code "123" to be used to connect to the network. Students at the school discovered this, and used the code to connect to the network and use its wifi.

Other than students being able to access the Internet from their own devices, there was no other impact: no other systems were affected, no teacher access was affected, no other voucher codes were affected.

We were able to identify the source of the issue quickly, and put systems in place to prevent continued use of the voucher code.

Detailed Description of Events

On Monday, May 13, 2013 we received word from a teacher at the school:

So I am not sure what is going on but, as of today, my TeacherNet password will not work at all BUT the password 123 will work. I watched [name redacted] use it today and get on when I couldn't, from the same laptop! 

We checked the following in Cloudtrax:

  1. Confirmed that the teacher in question had an expired voucher, which explained the "my TeacherNet password will not work at all" issue.
  2. Confirmed that there was no voucher code 123 (there was a voucher code containing 123 which we disabled, just to be sure).
  3. Found the setting of "Vouchers work on all networks" was on (we had deliberately set it to that value thinking that "voucher portability" was a good idea); although there was no other voucher on any other network under the TeacherNet master account with voucher 123, we unchecked this option just to be sure.
  4. Under the Advanced Settings tab we found the setting of "Disable Automatic Upgrades" was on, which meant that the nodes on the network would not receive any automatic firmware upgrades; if the issue is old firmware with a loophole in it allowing the 123 voucher, this setting would prevent an automatic upgrade, so we unchecked the setting. Before unchecking this the firmware versions on the nodes were:

    PRINC-347-07
    fw-ng-r376
    batman-adv

    PRINC-347-08
    fw-ng-r397
    batman-adv

    PRINC-347-04
    fw-ng-r376
    batman-adv

    PRINC-347-01
    fw-ng-r376
    batman-adv

    PRINC-347-02
    fw-ng-r376
    batman-adv

    PRINC-347-05
    fw-ng-r376
    batman-adv

It's difficult to test definitively whether the 123 voucher no longer works because it's difficult to definitively "logout" of TeacherNet (although, in theory, http://logout should work), but it appears that the voucher has been disabled by one of the above actions.

Mitigating the Issue

To doubly ensure that the 123 access code would no longer work, I turned on the "WPA Password" option in the Cloudtrax dashboard to enforce the need for an additional shared WPA password before access to the network was permitted; I provided this password to the principal for circulation to staff.

I visited the school the same day and confirmed that this was working as expected.

I further confirmed that all Open Mesh Access points had automatically upgraded themselves to new firmware, fw-ng-r453.

Getting to the Bottom

To get to the bottom of the issue, I filed a support ticket with Open Mesh, the maker of the wireless access points and the maintainer of the Cloudtrax system:

We run a voucher-based Open Mesh system in an elementary school, network name "prince street school".

I received a report today that students were accessing the network using voucher code '123' and I was able to confirm that this did, indeed, work.

However, there is no such voucher for our network.

If I try to CREATE a voucher 123 in Lobby Assistant I cannot -- a random voucher is created instead.

Please advise as to how I can remove the possibility of a login via '123'.

And then followed up with:

Some follow-up: attempting to use the voucher code '123' from a brand new device results in error message that the voucher is not enabled for this network if I uncheck "Vouchers work on all networks".

If I check "Vouchers work on all networks" then the voucher error is that the maximum number of devices for the voucher has been reached.

I have checked all of the other networks associated with our master login and cannot find a voucher code 123 in any.

And finally, after some additional research by Ken Williams:

Another follow-up: even though voucher code 123 does not appear in our voucher list in Lobby Assistant, I have found that I *can* see such a voucher with:

https://lobby.cloudtrax.com/vouchers/vouchers2.php?v=123

Why would this voucher not appear in the list? How can we delete it?

Open Mesh support was helpfully quick to reply:

I've passed this onto our dev team as a bug. This shouldn't be a valid voucher to use if it doesn't exist in your network.

I would reboot your AP's to erase any saved authentication information so your currently authenticated students are no longer authenticated. I've removed it.

Unchecking the "Disable Automatic Upgrades" box earlier in my investigation had the effect of making each of the nodes in our network reboot, and so any "saved authentication information" was erased as part of that process.

I sent a further follow-up to Open Mesh:

Do we have any way of telling how the voucher got there in the first place?

And do we have any way of knowing why changing the "vouchers work on all networks" setting affected this voucher?

Finally, will a firmware upgrade (which we completed last night) have the effect of removing authentication data cached in the nodes?

To which they replied:

I believe it may be a voucher created a while ago by another user that was not in your master account. This is a glitch in the system.

Yes the firmware upgrade should reboot the nodes and erase that auth information.

At this point I closed the ticket.

Lessons Learned

  1. Using a managed third-party authentication platform has risks associated with it.
  2. My longstanding assumption that Cloudtrax and Open Mesh had "no support" was wrong: their support was quick and helpful, and addressed the issues.
  3. We were able to respond quickly to the issue using only volunteer support.
  4. We learned that authentication information for Cloudtrax vouchers is cached inside individual access points, meaning that if the vouchers are later deleted those holding the vouchers will still have access until the access points are rebooted. This is important to know when we consider how to manage vouchers.
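
The two findings above (a voucher accepted although it is not in the network's list, and access that outlives a deleted voucher until the access point reboots) can be turned into a routine reconciliation check. The following is an added example, not code from the project or from Cloudtrax: the record layouts, the voucher codes other than 123, the client MAC addresses and all timestamps are constructed, and it assumes the voucher list, a deletion log, per-node reboot times and authenticated sessions can be obtained in some form.

```python
from datetime import datetime


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data (hypothetical layouts, not a Cloudtrax export).
LISTED_VOUCHERS = {"example417", "sample902"}           # vouchers in our list
DELETED_VOUCHERS = {"guest-old": ts("2013-05-11 16:00")}  # code -> deleted at
NODE_LAST_REBOOT = {
    "PRINC-347-01": ts("2013-05-12 07:00"),
    "PRINC-347-04": ts("2013-05-01 07:00"),
}
# (node, client MAC, voucher code presented, time of authentication)
SESSIONS = [
    ("PRINC-347-01", "02:00:00:00:00:01", "example417", ts("2013-05-13 08:30")),
    ("PRINC-347-04", "02:00:00:00:00:02", "123", ts("2013-05-13 09:05")),
    ("PRINC-347-04", "02:00:00:00:00:03", "guest-old", ts("2013-05-10 10:00")),
    ("PRINC-347-01", "02:00:00:00:00:04", "guest-old", ts("2013-05-10 11:00")),
]

NEEDS_ACTION = {"unknown-voucher", "stale-cache"}


def classify(session, listed, deleted, reboots):
    """Label one authenticated session.

    cleared-by-reboot: the node rebooted after the authentication, so the
                       cached authentication is gone.
    ok:                the voucher is in the network's current list.
    stale-cache:       the voucher was deleted after the client authenticated
                       and the node has not rebooted since, so the client
                       still has access.
    unknown-voucher:   the code was accepted although it is not in the list
                       (the "123" case), or was accepted after deletion.
    """
    node, _mac, voucher, authenticated_at = session
    if authenticated_at < reboots.get(node, datetime.min):
        return "cleared-by-reboot"
    if voucher in listed:
        return "ok"
    if voucher in deleted and authenticated_at <= deleted[voucher]:
        return "stale-cache"
    return "unknown-voucher"


def audit(sessions, listed, deleted, reboots):
    """Return (session, status) pairs in input order."""
    return [(s, classify(s, listed, deleted, reboots)) for s in sessions]


def nodes_needing_reboot(sessions, listed, deleted, reboots):
    """Nodes that still hold at least one authentication that should not exist."""
    flagged = {s[0] for s, status in audit(sessions, listed, deleted, reboots)
               if status in NEEDS_ACTION}
    return sorted(flagged)


if __name__ == "__main__":
    for session, status in audit(SESSIONS, LISTED_VOUCHERS,
                                 DELETED_VOUCHERS, NODE_LAST_REBOOT):
        print(f"{status:18} {session[0]} {session[1]} voucher={session[2]}")
    print("reboot:", nodes_needing_reboot(SESSIONS, LISTED_VOUCHERS,
                                          DELETED_VOUCHERS, NODE_LAST_REBOOT))
```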