Q&A: How do the Internet Rules and WiFI access work together in ucs@school?

Question

How do the Internet Rules and WiFI access work together in ucs@school?

Answer

There are several implications active so we have to split up the question:

WiFi (WLAN)

An Internet rule with the checkbox on “WiFi” allowed through Radius is important here. WiFi is independent of the Internet rules above.

To verify if WiFi access is enabled for a user, use univention-radius-check-access:

root@luiseedu:~# univention-radius-check-access --username r.riskierenl
     DEBUG: [user=r.riskierenl; mac=None] Given username: "r.riskierenl"
     DEBUG: [user=r.riskierenl; mac=None] Given stationId: "None"
     DEBUG: [user=r.riskierenl; mac=None] Loading proxy rules from UCR
     DEBUG: [user=r.riskierenl; mac=None] Loaded user_to_group {'e.einzaeunen': 
[...]
     DEBUG: [user=r.riskierenl; mac=None] Checking UCR proxy rules for user
     DEBUG: [user=r.riskierenl; mac=None] DENY: WLAN is not enabled in any group with highest priority (maxPriorityGroups={'SchuleLuise-1D': (5, False)})
      INFO: [user=r.riskierenl; mac=None] Login attempt denied by UCR proxy rules
     DEBUG: [user=r.riskierenl; mac=None] Checking LDAP settings for user
     DEBUG: [user=r.riskierenl; mac=None] DENY 'uid=r.riskierenl,cn=schueler,cn=users,ou=SchuleLuise,dc=schulen,dc=ucs'
     DEBUG: [user=r.riskierenl; mac=None] -> DENY 'cn=schueler-schuleluise,cn=groups,ou=SchuleLuise,dc=schulen,dc=ucs'
     DEBUG: [user=r.riskierenl; mac=None] -> DENY 'cn=SchuleLuise-1D,cn=klassen,cn=schueler,cn=groups,ou=SchuleLuise,dc=schulen,dc=ucs'
     DEBUG: [user=r.riskierenl; mac=None] -> DENY 'cn=Domain Users SchuleLuise,cn=groups,ou=SchuleLuise,dc=schulen,dc=ucs'
      INFO: [user=r.riskierenl; mac=None] Login attempt denied by LDAP settings
     DEBUG: [user=r.riskierenl; mac=None] User is not allowed to authenticate via RADIUS
     DEBUG: [user=r.riskierenl; mac=None] --- Thus access is DENIED.

Internet through proxy

To have the Internet rules take action your school das to be configured to use a proxy. Otherwise no filter rules apply!
Once created you can assign Internet rules to classes. Even when you deny all sites the above tool will still report “access ALLOWED” as it only covers WiFi access.
To check if the rules apply you have to logon as a user and try to access Internet. so you can check if the rules apply.

Classroom and Internetaccess

A classroom can be configured to apply Internetrules which have been defined before. In this case, the WiFi checkbox does not apply at all. Instead the IPs of the computers assigned to the classrom are used to configure Internet access. In this case it is independend of the username as it takes the IP addresses of the assigned computers into account.

When you do not have a proxy configured, you can not filter your Internet access.

See also: How does "define internet rules" work in school

/CV

Mastodon