BCM
Posted: 3/21/2017 11:20:56 AM EDT
So, here is the situation - I am a network admin at a mid-size municipal ISP.  We are almost entirely a FTTH outfit and have a large client base of college students in large apartment complexes.  Our standard deployment is pretty simple - FTTH or FTTB and an ethernet port in each apartment where the customer can plug in their device, get a public IP, and go to the internet unfettered aside from bandwidth limiting.  We track who has what IPs on what ports for the usual CALEA/DMCA stuff.  It all works well and the customers are happy to have zippy fast internet with no data caps.

So far, we do not provide any wireless (wi-fi) service to our end users.  Most folks until now have been content to let the residents get their own WAPs and manage them.  This simplifies our DMCA/CALEA compliance as we can track violators to a port and remediate violations there.  If the WAP gets compromised, it is the customer's problem.

So, here is the fun part - our sales people, without consulting us, put a bid in on a total campus wifi project for an existing customer.  So, I am scrambling to find a suitable wifi system that we can manage and support with a lean staff.

This site has about 50 buildings totaling about 500 apartments.  Right now, each bedroom in the apartments has an ethernet port.  We would add one AP per *apartment* for good coverage.  Total active ethernet ports is around 1500, customer count is ~2500.  Users are almost all 18-25yo college kids using gobs of streaming services.  Current allocated bandwidth is 50Mbps symmetrical, but will get kicked much higher if they go for the new bid.

So, I have been playing with the Ubiquiti Unifi stuff and, yes, I can spin up a bunch of WAPs, switches, and a local controller pretty easily.  With a server on site, I can manage 500+ WAPs no problem.  Problem is that I don't see any way to track users effectively and mitigate abuse efficiently.  I also don't want to have to create user names and passwords in RADIUS every damn semester when 90% of the users change.

My questions to you all:

1. Have any of you admins set up a network similar to this situation?  
2. What products have you used?
3. What authentication model did you use?
4. How did you handle abuse and DMCA/CALEA issues?

Thanks!
Link Posted: 3/21/2017 11:31:01 AM EDT
[#1]
So right now you are simply tracking people by what port they plug into and if the IP is in use on port 21 that resides in apartment 3B you know who lives there and they are responsible for whatever infractions.

But you don't have that luxury with wifi unless you provide some sort of authentication.

The easiest solution would be since you want to provide an AP in each unit is to set a unique SSID and password for each AP in each apartment and handle like you do the wired counterpart.

Otherwise you are going to have to set up RADIUS authentication or client certificates.
Link Posted: 3/21/2017 11:41:19 AM EDT
[#2]
Let me offer what I do running a university network with housing. 

We use a Cisco Controller in an HA SSO pair. All of the in-room APs are 702s; we have one AP per room. We also use PacketFence for NAC and user device tracking.

I'm looking at the new Meraki MR30H for the two new buildings we are building at the moment. If they work well with PacketFence I will probably go that route, as I'm out of room on my controllers and don't want to spend the 80K for new controllers and licenses. There is also the new Cisco 1810W that will work with the controller.

Likely you will need 3 SSIDs on the network: Authenticated Users (802.1X), Guest Users, and MAC Address Auth with known users. The MAC address network is for the multiple types of devices that don't support 802.1X.

The security guys handle the DMCA requests. 

The biggest problem for that type of setup is students with gaming systems. NAT gets funky when you have several hundred devices trying to game from the same IP address.
Link Posted: 3/21/2017 12:06:03 PM EDT
[#3]
As you know you're absolutely going to have to put up some kind of authorization/tracking system. Keep in mind you're going to be called for every single "I can't connect my TV" "My iPad keeps dropping wifi" or "My Xbox is laggy" type call since you own the APs.
Link Posted: 3/21/2017 1:23:54 PM EDT
[#4]
Yeah, you are 100% correct, but that becomes a nightmare for me pretty quickly.  

My next idea is to set up a TR-069 ACS server and auto-config a WAP/router per apartment.  Each apartment would get a unique SSID, key, and static IP.  Easy to track a violation to a port and turn it off or punt them to our remediation system.
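Added example (not code from the thread or from any vendor): a small Python planner for the per-apartment model described above. It hands each apartment its own SSID, random WPA2 passphrase and static public IP from the existing port inventory, so a DMCA/CALEA notice quoting an IP resolves straight to an apartment and switch port, and the PSKs can be rotated each semester without touching RADIUS. The inventory, the 203.0.113.0/24 block and the TR-098 parameter paths pushed by the ACS are assumptions for illustration; verify the paths against the actual CPE data model.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed inventory: (building, apartment, switch:port). In practice this
# comes from the ISP's existing port-tracking database.
INVENTORY = [
    ("B01", "3B", "sw01:21"),
    ("B01", "3C", "sw01:22"),
    ("B02", "1A", "sw02:1"),
]


@dataclass(frozen=True)
class ApartmentAp:
    building: str
    unit: str
    switch_port: str
    ssid: str
    psk: str
    public_ip: str


def build_plan(inventory, block="203.0.113.0/24"):
    """Give each apartment its own SSID, random WPA2 passphrase and static IP (assumed block)."""
    hosts = ipaddress.ip_network(block).hosts()
    plan = {}
    for building, unit, port in inventory:
        ip = str(next(hosts))
        plan[ip] = ApartmentAp(
            building=building, unit=unit, switch_port=port,
            ssid=f"{building}-{unit}",
            psk=secrets.token_urlsafe(18),  # 24-char per-apartment PSK, regenerate each semester
            public_ip=ip,
        )
    return plan


def locate(plan, ip):
    """Abuse handling: map the IP from a DMCA/CALEA notice to apartment and switch port."""
    return plan.get(ip)


def acs_parameters(ap):
    """TR-098 parameter values for the ACS to push to one AP (paths assumed; verify on the CPE)."""
    base = "InternetGatewayDevice.LANDevice.1.WLANConfiguration.1."
    return {
        base + "SSID": ap.ssid,
        base + "BeaconType": "11i",  # "11i" is WPA2 in the TR-098 enumeration
        base + "IEEE11iAuthenticationMode": "PSKAuthentication",
        base + "IEEE11iEncryptionModes": "AESEncryption",
        base + "PreSharedKey.1.PreSharedKey": ap.psk,
    }
```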
Link Posted: 3/22/2017 12:58:27 AM EDT
[#5]
You'll find an AP per apartment model will quickly eat up all of the available spectrum (shame on your sales reps). Optimize the apartment APs to provide maximum coverage on the minimum amount of APs since loading will be 30 clients or so per AP and optimize common areas and lecture halls for loading.

When I was on campus at my university, the dorms didn't have APs covering the rooms, for management purposes. A MAC registration set you up. Of course, personal APs were not allowed… but that didn't stop me from setting up a bridged AP.