Access to Wireless Network

Discussion in 'Wireless' started by AJ, Jun 15, 2005.

  1. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    I need a way to lock down our wireless network and hope there's someone who can help.

    As some of you know, I work in a school that the majority of kids live in. I have been installing wireless access points in the boarding houses and managed switches. All areas of the school are split into VLANs and the wireless networks are the same. This is so that the kids can only "see" their own LAN (including the wireless LAN) and the server VLAN.

    The wireless network is all controlled through a Wireless Access Controller. What this gizmo does is ensure that the kids' laptops are properly authenticated to the network and that the proxy settings are in place, can't have the little darlings having unrestricted internet access. When they fire up a web browser, the access controller will intercept the request. It then installs a certificate on the client and asks for a username and password. This has to be a network U/N and P/W. Once properly logged in, the kids can access their home folders and the internet.

    What I would like some help with is to lock down the network that are accessing the network. We only want laptops that are properly configured with an antivirus programme and the proper service packs on the networks. This means that they have to come to the IT Dept to be checked over. So with that in mind, how can we stop computers that have not been checked by IT accessing the network? One thing that springs to mind is MAC addresses and a RADIUS server.

    Any suggestions peeps :biggrin
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  2. Mitzs
    Honorary Member

    Mitzs Ducktape Goddess

    AJ, is this what you're looking for? If not I'll keep looking.

    http://www.networkworld.com/research/2003/1201howtowlan2.html
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  3. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Hmm not sure. Was hoping for a Windows solution. Running Windows 2000 and 2003 Active Directory.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  4. Mitzs
    Honorary Member

    Mitzs Ducktape Goddess

    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  5. EMacd

    EMacd Bit Poster

    Hi AJ,

    We use MAC address authentication to control access to the wireless nets in our schools. This seems to be OK, but we don't run any checks to see if anyone else is abusing the system. It's a bit of a pain when new PCs are put in. All the MACs are entered by hand to one WP, the config is saved and FTP'd to the others which does save time.
    At the same time, you can block MACs as well. We're probably going to do this after the summer when the teachers bring back their laptops that have had 6 weeks of sitting on broadband with no virus updates! They'll have to plug into the SUS server first and get patched - then they'll be allowed on.

    Cheers

    Euan
     
  6. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Hi Euan

    That seems to be a lot of work esp if you've got a lot of Access Points. We have at least a couple of dozen and more to put in over the next few months :blink.

    Thanks a lot for your help m8, much appreciated :biggrin
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  7. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Thanks for the links Mitzs, looks like I've got a bit of reading to do :dry
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  8. EMacd

    EMacd Bit Poster

    I forgot to mention that we use 3COM points and a network supervisor program supplied by 3COM. (Excellent program - it gives a visual map of the network that lists IPs and MACs.) This allows us to FTP out the config to all of the other access points in one go. I'm not sure if CISCO has anything like this, but it wouldn't surprise me if they do.

    For info:

    http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3C15100E

    Cheers

    Euan
     
  9. Modey

    Modey Terabyte Poster

    Did you ever get this problem cracked AJ?

    I have been configuring a new Enterasys Access Point today and one of its options is to authenticate MAC addresses via a RADIUS server.

    I would rather do that than add a great big list of MACs into the access point. There appear to be a couple of Linux solutions that can do this, but our network is Win2k server & Win2k3 server like yours. We do have a Linux box for our email and web filtering but it's a custom job that was set up by an external contractor, so probably best not to fiddle with it too much. :)
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  10. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Hi Modey

    We bought one of THESE

    This enables us to use Active Directory to authenticate users onto the network. We run the wireless network on a different sub-net and force all traffic that requires access to the network shares or the internet through the proxy server. However, before they get here they need to log in to the access controller using their AD U/N and P/W. We have found this to be quite secure and easy to set up. I can also add laptops to a deny list, stopping them from accessing anything wirelessly.

    No MAC lists needed and the kit really looks after itself.

    If you need any more info, just shout out :D
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  11. Modey

    Modey Terabyte Poster

    Thanks for the info AJ. Looks like a piece of kit the company I used to work for installed in a high school to control authentication and access to profiles all via wireless. That piece of kit cost an absolute fortune, and I'm guessing the one you have linked ain't cheap either. :)

    We have barely any wireless in our school atm, so we can't warrant buying in specialist kit like that until possibly further down the line when the wireless kit is running reliably.

    I'll persevere with the RADIUS server for the moment. Haven't got a clue what I'm doing yet, experimenting with FreeRADIUS on Mandriva Linux atm. Unfortunately for me I have NFI about either. Just compiling and making FreeRADIUS was a challenge. :)
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  12. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Why use IAS as your radius server. The recommended method is to make the MAC address a "user" in the domain and also in the radius server.

    Something like that, we couldn't get it to work properly when we were testing :x
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  13. Modey

    Modey Terabyte Poster

    Had a very quick fiddle with IAS yesterday and had no idea what I was doing. Then I found a guide to getting MAC authentication using FreeRADIUS. So I thought, what the hell, how hard can Linux be. :)
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
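
    Added example, not part of the thread or any poster's code: one way to turn a hand-typed list of IT-checked laptops into FreeRADIUS `users` file entries where each MAC address is a "user", as the last few posts discuss. It assumes the access point sends the MAC as 12 lowercase hex digits for both User-Name and password (this format varies by vendor); the inventory labels and addresses are constructed.

```python
import re

# Constructed sample inventory: laptops checked by IT, MACs as typed by hand.
CHECKED_LAPTOPS = [
    ("pupil-laptop-01", "02:00:5E:10:00:01"),
    ("pupil-laptop-02", "02-00-5e-10-00-02"),
    ("staff-laptop-01", "0200.5e10.0003"),
    ("pupil-laptop-03", "02:00:5E:10:00:01"),   # same card entered twice
    ("pupil-laptop-04", "02:00:5E:10:00"),      # typo: one octet missing
]

def normalise_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_users_entries(inventory):
    """Return (entries, rejected) for a FreeRADIUS 'users' file.

    Each entry makes the MAC both the user name and the password
    (assumed AP behaviour). Malformed and duplicate rows are rejected
    so a typing mistake never silently becomes an allowed device.
    """
    entries, rejected, seen = [], [], {}
    for label, raw in inventory:
        mac = normalise_mac(raw)
        if mac is None:
            rejected.append((label, raw, "malformed"))
        elif mac in seen:
            rejected.append((label, raw, "duplicate of " + seen[mac]))
        else:
            seen[mac] = label
            entries.append('# %s\n%s Cleartext-Password := "%s"'
                           % (label, mac, mac))
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = build_users_entries(CHECKED_LAPTOPS)
    print("\n\n".join(entries))
    for label, raw, reason in rejected:
        print("REJECTED %s (%s): %s" % (label, raw, reason))
```

    A MAC address is visible on the air and can be set by the client, so a list like this records which machines IT has checked rather than proving identity; the user login described earlier in the thread remains the authentication step.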
