[afnog] Network Authentication

Chris Wilson chris+afnog at aptivate.org
Fri Aug 5 10:09:02 UTC 2011


Hi Kasonda,

On Thu, 4 Aug 2011, Phil Regnauld wrote:

> > I would like to implement a Network Authentication solution at 
> > our university campus, which has about 1000 active users at any given time.
> > This includes students and staff. The network architecture is fine and is based
> > on VLANS architecture. Students access internet through wireless, while members
> > of staff access through the LAN (DHCP) in offices.
> > 
> > The purpose of my writing is to seek advice on the best but simple Network 
> > Authentication strategy we can implement. We are trying to avoid a situation
> > where anyone can plug in their laptops or computer to the network and access
> > internet and other services without being prompted for login details.
> 
> I would definitely look at 802.1x based solution, including EAP/TLS for 
> wireless - most modern switches and Access Points support it.

I agree with Phil that this is the most professional or "good practice" 
solution that would be used by enterprises in the UK. However do note that 
all of your ethernet switches (whose ports are accessible to the public) 
must support it. That may mean a serious and expensive hardware upgrade.

A slightly cheaper option might be locking MAC addresses to certain ports, 
since some slightly cheaper switches support this.

A much cheaper option would be MAC authentication on your firewall, 
running the equivalent of a wifi hotspot on a wired network. A user can 
plug into the LAN and access other hosts on the LAN without 
authentication, but they cannot access the Internet without logging in to 
a portal running on the firewall/router/gateway.

It would be great to have a howto guide for these options. I might write 
up a blog or wiki post if such a guide doesn't exist already and we can 
collect some info.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
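The third option above (a wired "hotspot" where LAN traffic is free but Internet traffic is only forwarded once the client's MAC has logged in to a portal on the gateway) is easy to misdescribe, so here is a small working model of the gateway's decision logic. This is an added example and not code from the post or from any of the products mentioned; the `Gateway` class, the `CAMPUS_LAN` range (10.0.0.0/16), the eight-hour session lifetime and the user names are all constructed for illustration. It also renders the session table as iptables FORWARD rules as text only, to show how such a portal usually drives the packet filter.

```python
"""Model of a MAC-authenticated captive portal on the campus gateway.

Hosts may talk to anything inside the campus LAN without logging in; traffic
to the Internet is forwarded only while the source MAC has a live portal
session. Example code, not from the original post; all names, the 10.0.0.0/16
range and the session lifetime are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
import os

CAMPUS_LAN = ipaddress.ip_network("10.0.0.0/16")   # constructed campus range
SESSION_TTL = 8 * 3600                              # constructed: re-login every 8 h


def make_password_record(password):
    """Store only a salted PBKDF2 digest for a portal user, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(record, password):
    """Constant-time comparison against the stored salted digest."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class Gateway:
    def __init__(self, users, ttl=SESSION_TTL):
        self.users = users        # username -> (salt, pbkdf2 digest)
        self.ttl = ttl
        self.sessions = {}        # lower-case MAC -> (username, expires_at)

    def login(self, mac, username, password, now):
        """Portal login: on success, bind the client's MAC to a timed session."""
        record = self.users.get(username)
        if record is None or not check_password(record, password):
            return False
        self.sessions[mac.lower()] = (username, now + self.ttl)
        return True

    def logout(self, mac):
        self.sessions.pop(mac.lower(), None)

    def forward(self, src_mac, dst_ip, now):
        """Decision the gateway makes for one packet it is asked to forward."""
        if ipaddress.ip_address(dst_ip) in CAMPUS_LAN:
            return True                      # LAN-to-LAN never needs the portal
        session = self.sessions.get(src_mac.lower())
        if session is None:
            return False                     # unknown MAC: send to the portal
        _user, expires = session
        if now >= expires:
            self.sessions.pop(src_mac.lower())   # expired: force a fresh login
            return False
        return True

    def iptables_rules(self):
        """Render the session table as iptables FORWARD rules (text only, not
        executed here). Clients that match no MAC rule fall through to DROP;
        a separate NAT redirect to the portal page is not shown."""
        rules = ["iptables -A FORWARD -d %s -j ACCEPT" % CAMPUS_LAN]
        for mac in sorted(self.sessions):
            rules.append("iptables -A FORWARD -m mac --mac-source %s -j ACCEPT" % mac)
        rules.append("iptables -A FORWARD -j DROP")
        return rules
```

The session expiry is the important design choice: after login the gateway only ever sees a MAC address, not a credential, so a session must be bounded in time and cleared on logout rather than trusted indefinitely. Rendering the rules from the session table (rather than editing the firewall by hand) keeps the packet filter and the portal's idea of who is logged in in step.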


