[ale] Authentication for network access

Luis lgonzal at mindspring.com
Thu Nov 30 11:40:41 EST 2000


I'm not sure if PPPoE would fit your needs either, as it uses PAP through 
a RADIUS server which then allows network access. But yes, there is software 
for Win2k and Mac OS. All that software does is allow them to authenticate 
through PAP (Password Authentication Protocol).

But what you're asking is probably dealing more with implementation of an 
authentication scheme, rather than access. There's PAP, CHAP, ACAP which 
are different methods of authentication, and I'm sure tons more but I'm not 
an expert on the subject.

With DHCP, you could have a pool of IPs which are only given out when 
access is needed. But same thing, with DHCP, it can also implement PAP and 
CHAP.

But any way you go, more than likely, your authentication will be handled 
by the server, not the client.

Authentication doesn't have much to do with the NICs unless you manually 
record the MAC addresses, and allow network access that way.


 - gonzo


On Wednesday, November 29, 2000 12:58 PM, Chris Ricker [SMTP:chris.ricker at genetics.utah.edu] wrote:
> On Wed, 29 Nov 2000, Dan Newcombe wrote:
>
> >
> > Here is one I'm stumped on.
> >
> > Is it possible to somehow have a person/machine authenticate itself before
> > gaining network access?
> >
> > The options I've gone through in my mind:
> > 	DHCP - you can limit what NIC's can get an IP, however, that
> > 		requires magical knowledge of the NIC's before hand.  With
> > 		4500 student notebooks, that is a lot of magic, but
> > 		possibly not a bad price to pay for network access.
> >
> > 	PPPoE - thanks to people's DSL trouble, I learned about this.
> > 		While it sounds like PPP over an Ethernet wire, I am
> > 		unsure what effect this would have on someone connecting
> > 		to other networks - do drivers need to be loaded on a 9x
> > 		machine to use this?  Is there support for Mac's and
> > 		NT/2000?
> >
> > Are there any other options?  One off-the-wall idea I had was some scheme
> > where they would get an IP, but only be able to get to one location - a
> > web server on which they would have to authenticate themselves, which
> > would then adjust some routing tables to allow that IP address to have
> > full access, but that just seems a bit iffy to me.
>
> Here at the University of Utah, they use ACAP (as in the mail protocol
> stuff) to do exactly what you want (people with laptops log in using their
> email username and password, that gets authenticated, and then the router is
> given the green light to start sending them packets).  It works exactly like
> the off-the-wall scheme you describe, too ;-).  For example, whenever I go
> to the library, I plug in my laptop.  Packets at that point can only go
> between my laptop and www.laptop.lib.utah.edu (you'll get a different view
> of it than I will, since they play the outside / inside domain shell game
> with that URL).  I go there and log in, and then the switch gets told that
> I'm okay, and packets then can flow anywhere.
>
> Unfortunately, I think it's an in-house project which Cisco (?) is taking
> commercial, so I'm not sure how much they'll share at this point, but the
> idea definitely does work.  Search Utah's web pages for ACAP or ANA (Utah's
> name for the setup) and you might be able to hunt up more info.
>
> later,
> chris
>
> --
> Chris Ricker                                               kaboom at gatech.edu
>                                               chris.ricker at genetics.utah.edu
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.


--------------------------------
http://www.thisrules.com
It's easy to sit there and say you'd like to have more money. And I guess 
that's what I like about it. It's easy. Just sitting there, rocking back 
and forth, wanting that money.
--------------------------------

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
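
The login-before-access scheme discussed in this thread (a new client can reach only one web server until it authenticates there, after which its traffic is let through) can be modelled as a default-deny gate keyed on the client's IP and NIC address. This is an added example, not code from any poster or from the Utah system; PortalGate, PORTAL_IP, SESSION_TTL and all addresses and credentials are constructed assumptions.

```python
import time

PORTAL_IP = "10.0.0.2"   # assumed address of the login web server
SESSION_TTL = 8 * 3600   # assumed session lifetime, in seconds


class PortalGate:
    """Default-deny gate: unauthenticated clients reach only the portal."""

    def __init__(self, check_credentials, now=time.time):
        self._check = check_credentials   # callable(user, password) -> bool
        self._now = now                   # injectable clock, for testing
        self._sessions = {}               # ip -> (mac, user, expiry)

    def login(self, ip, mac, user, password):
        """Called by the portal web app when the login form is submitted."""
        if not self._check(user, password):
            return False
        self._sessions[ip] = (mac, user, self._now() + SESSION_TTL)
        return True

    def decide(self, src_ip, src_mac, dst_ip):
        """Return 'allow' or 'deny' for one packet coming from a client."""
        if dst_ip == PORTAL_IP:
            return "allow"                # the portal is always reachable
        session = self._sessions.get(src_ip)
        if session is None:
            return "deny"                 # never logged in
        mac, _user, expiry = session
        if self._now() >= expiry:
            del self._sessions[src_ip]    # expired: force a fresh login
            return "deny"
        if mac != src_mac:
            return "deny"                 # same IP seen from a different NIC
        return "allow"


def demo():
    # Constructed credentials and addresses, for illustration only.
    clock = [0.0]
    gate = PortalGate(lambda u, p: (u, p) == ("alice", "example-pw"),
                      now=lambda: clock[0])
    lap = ("10.0.1.50", "00:11:22:33:44:55")
    out = [gate.decide(*lap, "192.0.2.80")]                # before login
    gate.login(*lap, "alice", "example-pw")
    out.append(gate.decide(*lap, "192.0.2.80"))            # after login
    out.append(gate.decide(lap[0], "66:77:88:99:aa:bb", "192.0.2.80"))
    clock[0] = SESSION_TTL + 1
    out.append(gate.decide(*lap, "192.0.2.80"))            # session expired
    return out
```
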