[ale] OT: laptops on a network, security
Chris Ricker
kaboom at gatech.edu
Wed May 28 23:56:04 EDT 2003
On Wed, 28 May 2003, J.M. Taylor wrote:
> Hypothetical situation: you are a fair-to-middlin' sized university, and
> people (students, faculty, staff, spouses, riff-raff) want to bring their
> laptops in and plug in to your network. Your draconian laws prohibit this
> but it's becoming increasingly obvious that people are doing it anyway,
> and you can't hide from the issue forever.
>
> What do you do? Could something like RADIUS be used to authenticate
> mobile users and only grant those with valid accounts an IP address? What
> about people who just assign themselves an IP? How does one stop that?
>
> I know there are a ton of security issues involved here, and of course I'm
> looking for a solution that protects both our network and our mobile
> users. One of my biggest concerns is that these are machines completely
> out of our control, how do I mitigate the potential horrible evil of that?
>
> I'm fishing here, would be especially interested to know what GA Tech,
> Emory, Kennesaw, and others are doing because as a school we're going to
> have to follow different rules than a corporation, but I'm interested to
> hear from anybody with experience doing this kind of thing.
If I remember the implementation right, what the University of Utah (~30,000
students, public 10/100 ports all over campus) does is something like this:
* all ports are locked down on the switch. DHCP requests are assigned a
random non-routed address in its own VLAN. Only HTTP GET is processed, and
it always returns a web-based RADIUS login page
* When you plug into a port, you get a DHCP lease, then fire up your web
browser and log in on that web page with your campus-wide account
* once authenticated, the ACLs on the port you're using on the switch get
changed. You get a new DHCP lease, this time for a random IP address in a
routed VLAN. When you unplug from the port, the switch resets to the
locked-down ACLs....
Their particular implementation is fairly dependent upon their switch
vendor's (Cisco) feature set, but similar things are possible with many
higher-end switches.
later,
chris
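The port-based scheme Chris describes (locked port, quarantine VLAN lease, HTTP redirected to a RADIUS web login, ACL swap and re-lease on success, reset on link-down) as a toy model. This is an added illustration, not code from the post, from the University of Utah or from any switch vendor; the addresses, port name, account names and the `radius_authenticate` stand-in are all constructed, and the per-port source-address binding that drops self-assigned IPs is an assumed detail added to show how the "people who just assign themselves an IP" case is closed.

```python
"""Toy model of a port-based captive portal with RADIUS web login.

Constructed example: every address, account and port name is made up, and
radius_authenticate() stands in for a real RADIUS server. Each switch port is
a small state machine: locked ports lease from a non-routed quarantine VLAN and
may only talk DHCP or reach the login page; after a successful login the port
ACL changes and the next lease is routed; link-down resets the port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional
import random

# Constructed addressing: RFC 1918 space for the quarantine VLAN, RFC 5737
# TEST-NET-1 standing in for the campus routed VLAN, TEST-NET-3 as "the internet".
QUARANTINE_NET = ip_network("10.99.0.0/16")
ROUTED_NET = ip_network("192.0.2.0/24")
PORTAL_IP = "10.99.0.1"   # assumed: login web server lives in the quarantine VLAN
INTERNET_HOST = "203.0.113.5"
DHCP_PORT, HTTP_PORT = 67, 80

# Constructed stand-in for the RADIUS backend holding campus-wide accounts.
ACCOUNTS = {"jtaylor": "hunter2!", "kaboom": "Spock-1701"}


def radius_authenticate(user: str, password: str) -> bool:
    """Simulated Access-Request: accept only a known user with the right password."""
    return ACCOUNTS.get(user) == password


@dataclass
class Port:
    name: str
    link_up: bool = False
    authenticated: bool = False     # selects which ACL the port enforces
    lease: Optional[str] = None     # address the switch's DHCP gave this port


class Switch:
    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)   # deterministic "random" leases for the demo
        self.ports: Dict[str, Port] = {}

    def port(self, name: str) -> Port:
        return self.ports.setdefault(name, Port(name))

    def plug_in(self, name: str) -> None:
        self.port(name).link_up = True

    def unplug(self, name: str) -> None:
        # Link down: back to the locked-down ACL, lease forgotten.
        self.ports[name] = Port(name)

    def dhcp_lease(self, name: str) -> str:
        """Random address from the VLAN that matches the port's current ACL."""
        p = self.port(name)
        assert p.link_up, "no link on port"
        net = ROUTED_NET if p.authenticated else QUARANTINE_NET
        addr = net[self.rng.randrange(1, net.num_addresses - 1)]
        while str(addr) == PORTAL_IP:           # never hand out the portal's own IP
            addr = net[self.rng.randrange(1, net.num_addresses - 1)]
        p.lease = str(addr)
        return p.lease

    def forward(self, name: str, src: str, dst: str, proto: str, dport: int) -> str:
        """Apply the port ACL to one packet: FORWARD, REDIRECT:<portal> or DROP."""
        p = self.port(name)
        if not p.link_up:
            return "DROP"
        if proto == "udp" and dport == DHCP_PORT:   # unconfigured clients may always DHCP
            return "FORWARD"
        # Assumed source binding: only the leased address may send on this port,
        # so a self-assigned IP (even a "valid" routed one) is dropped outright.
        if src != p.lease:
            return "DROP"
        if p.authenticated:
            return "FORWARD"
        # Locked-down ACL: only HTTP is processed, and it always lands on the portal.
        if proto == "tcp" and dport == HTTP_PORT:
            return "REDIRECT:" + PORTAL_IP
        return "DROP"

    def portal_login(self, name: str, src: str, user: str, password: str) -> bool:
        """Web login on the portal; success rewrites the ACL and voids the lease."""
        p = self.port(name)
        if p.authenticated or src != p.lease or ip_address(src) not in QUARANTINE_NET:
            return False
        if not radius_authenticate(user, password):
            return False
        p.authenticated = True
        p.lease = None   # client must DHCP again to receive a routed address
        return True


def walkthrough() -> dict:
    """Run the sequence from the post on one port and report each stage."""
    sw = Switch(seed=1)
    sw.plug_in("Gi1/7")
    q = sw.dhcp_lease("Gi1/7")
    out = {"quarantine_lease": q}
    out["https_before_login"] = sw.forward("Gi1/7", q, INTERNET_HOST, "tcp", 443)
    out["http_before_login"] = sw.forward("Gi1/7", q, INTERNET_HOST, "tcp", 80)
    out["self_assigned_ip"] = sw.forward("Gi1/7", "192.0.2.77", INTERNET_HOST, "tcp", 443)
    out["bad_password"] = sw.portal_login("Gi1/7", q, "jtaylor", "wrong")
    out["login"] = sw.portal_login("Gi1/7", q, "jtaylor", "hunter2!")
    r = sw.dhcp_lease("Gi1/7")
    out["routed_lease"] = r
    out["https_after_login"] = sw.forward("Gi1/7", r, INTERNET_HOST, "tcp", 443)
    sw.unplug("Gi1/7")
    sw.plug_in("Gi1/7")
    out["lease_after_replug"] = sw.dhcp_lease("Gi1/7")
    return out


if __name__ == "__main__":
    for stage, result in walkthrough().items():
        print(f"{stage:22s} {result}")
```

The point the model makes explicit is that the control sits on the switch port, not on the address: a machine that skips DHCP and configures its own IP still lands behind the locked-down ACL, which is why the scheme answers the "assign themselves an IP" worry without a separate mechanism. A real deployment also has to cope with MAC spoofing on shared media and with portal sessions that outlive the user, neither of which this toy models.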
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale