This content is part of the Conference Coverage: Interop 2015: Special conference coverage
News Stay informed about the latest enterprise technology news and product updates.

What happens if you remove an acceptable use policy from guest Wi-Fi?

Requiring users on guest Wi-Fi to agree to an acceptable use policy (AUP) keeps lawyers happy, but it's far from user-friendly. Here's what happened when one IT pro removed his.

LAS VEGAS -- One thing stood between George Stefanick and his vision for wireless: an acceptable use policy.

Users know it as the bothersome webpage full of legalese that pops up after logging onto a guest Wi-Fi network, requiring them to click "confirm" to access the network. It's unclear how effective an acceptable use policy (AUP) is in deterring malicious activity, but AUPs certainly make legal departments happy -- and that's what usually keeps them cemented in place.

This is the story of one network engineer who pushed back and succeeded, albeit with some dramatic consequences.

Stefanick, a wireless network architect at Houston Methodist Hospital, believed the AUP page on his guest Wi-Fi was holding back the network's potential.

"Wi-Fi should be free, it should be open, and it should be a courtesy to our customers," said Stefanick during a presentation he gave at the Interop trade show this week in Las Vegas.

The entire Houston Methodist network actually consists of seven hospitals, a research institute and several outpatient facilities. Its largest facility, Texas Medical Center, processes over 300,000 outpatient visits a year, more than 61,000 emergency room visits and over 36,000 admissions, according to the hospital's website.

And yet while about 15,000 clients connected to the hospital's internal wireless LAN on an average day, only 3,000 clients were connecting to the guest Wi-Fi network, Stefanick said.

It was clear to Stefanick the AUP page had become an obstacle with few benefits. He was, after all, securing the guest Wi-Fi with tools that monitored traffic for signs of suspicious behavior. So when a colleague asked Stefanick last December to name the one wireless initiative he would've liked to have accomplished before the end of the year, it didn't take him long to figure out the answer.

"It was a pipe dream, but I said, 'I would really like to have a wide open guest network  --  meaning, no acceptable use page,'"he said. "The acceptable use page was, to me, kind of useless. It brought on more problems than it was worth."

He made the case to the hospital's chief technology officer, who succeeded in getting executive buy-in and approval from the legal department to remove the acceptable use policy in late December. Many employees had taken off from work for the holidays, so it wasn't until a week later that they saw the effect on the guest Wi-Fi.

That's when things got a little crazy.

The number of clients connected to the guest Wi-Fi skyrocketed from 3,000 to 15,000 -- bringing the total load on the hospital's guest and internal wireless networks to 30,000 clients. In the blink of an eye, there were five times as many devices requesting access.

The consequences of rapid growth

The consequences were immediate. The DHCP server ran out of addresses. Stefanick realized his subnets were too small. His firewall could no longer support the number of Address Resolution Protocol (ARP) requests coming from so many devices.

Initially, Stefanick wasn't sure how or why the guest network had grown so much and so fast. "[Users] didn't just discover that we had Wi-Fi overnight -- the Wi-Fi was there," he said.

He deduced that the mobile devices themselves might have something to do with it. Stefanick soon figured out that when users would leave Wi-Fi enabled on their smartphones and tablets, those devices would automatically try to connect to the guest Wi-Fi network whenever they came within range. The device would immediately hit the AUP page and, unless the user noticed and intervened, the device would drop off the network.

Once the guest network was completely open, however, all of those smartphones and tablets connected to the guest Wi-Fi without incident.

The network issues caused by such rapid growth were easy enough to fix, Stefanick said in an interview after the session. He broadened his DHCP scopes, expanded his subnets and updated his firewalls. Additionally, the move didn't create a bandwidth shortage. Stefanick noticed the guest Wi-Fi devices consumed another 50 megabits -- far below what he expected.

"What we can attribute that to is opportunistic updates -- cloud syncing and app updates," he explained.

And while the move to eliminate the AUP page created short-term challenges, Stefanick said he has no regrets when he considers the long-term benefits. During his presentation, he described a 15-year-old patient who was in the hospital for two months awaiting an organ transplant. She entertained herself with her mobile devices -- an iPhone, an iPad and a laptop. Stefanick gave her his personal cell phone number and urged her to call him if she experienced problems with the network.

"Her way out of the [hospital] was the Wi-Fi," he said. "I realized then it's not a wireless guest network anymore. It's a lifeline for a lot of people."

Dig Deeper on Wireless LAN (WLAN)

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Well - that wasn't what I was expecting! I thought surely, a UAP wasn't preventing so many user from connecting that removing it would cause connections to increase fivefold. It makes sense, though, since suddenly all those mobile devices were able to connect automatically. That's interesting. I'm surprised the legal department agreed to remove the UAP, but I think it's a good thing that they did.
Sure, take down the gates and people will come in. Duh! Don't know what that's a surprise. Why Legal ever agreed is the real surprise here, but they did.Thank you, Legal.

Now that everyone's permitted to enter the (relatively) modern era, it's time to improve the security of all the guests, not try to limit their numbers. Of course everyone knows that's not easy, but that's the task.
As they say, information wants to be free. And playgrounds are inherently dangerous. The real job of IT is not as gatekeeper but as security engineer, keeping us all safe and playing well together.

Ncberns the surprise was the fact that we had 3,000 clients on the guest wireless as our daily average for almost 3-4 years. Simply removing the AUP we jumped to 15,000 over night, that was a surprise. 12,000 users didn't suddenly realize we had a guest wifi network.

The surprise and later testing confirmed mobile devices when connected to an open wifi network with an AUP will eventually give up and drop off if the AUP is never confirmed. Either because of idle timers or because of device supplicants. We accounted for 10-15% increase but I was off. I was off a lot !

I have to mention this was a team effort from the top down. Our IT executives, my director and security understand the value of guest access. I'm glad we can deliver this service to our patients.

I understand how the results of such a change could be really difficult to predict. I'm in QA and although I don't work with network/infrastructure changes, sometimes changes to our internal systems and applications can have similar unexpected consequences. 

I always try to think of the big picture and plan for the worst case scenario. There will always be those occasions, though, when you just don't think of something. That's when you make a note for you and your team to consider such issues in the future. Or better yet, write about it. Maybe this article will help someone else's team think about similar issues.