IOS Authentication Proxy
Posted by Anwar Mahmood on May 27, 2008, 4:00 pm
Wonder if anyone can help with a networking design issue. I work at a University and we're looking to provide connectivity for students' own laptops, as well as our own. I'm considering a couple of ideas.

There will be a set of wired network outlets. Our laptops may be set up by us how we want, for example Windows XP, Office 2003, Internet Explorer, domain membership, and so on. Students won't have administrative rights, only limited rights. They can be "trusted".

Students' own laptops could be literally anything - any make and model, any operating system, and likely to be infected with malware. However, we'd like to provide basic connectivity anyway.

We have HP ProCurve at the edge, with Cisco at the perimeter. To my mind the ideal scenario works as follows (but I'm open to suggestions!):
- configure the ProCurve switches with MAC address authentication
- "our" laptops are registered in a MAC address database
- authenticated laptops get access to a VLAN with access to domain controllers, etc. Call it "trusted client VLAN"
- Windows connects to the domain, and users log in with their domain credentials
- students' own laptops won't be in the MAC address database, so they connect to a completely separate VLAN - call it "untrusted client VLAN"
- put a Cisco IOS device as the router for this "untrusted client VLAN", configured with "authentication proxy" over HTTPS

Hence, when students connect their own laptops, they join the "untrusted client VLAN". As soon as they try to browse, they are prompted to authenticate at a web page. Once authenticated, they can access whatever we allow them to access.

Hopefully, this combination of ProCurve MAC address authentication and Cisco authentication proxy means that:
- when University laptops are plugged in, they connect to the network and students can log in to the domain
- when students' own laptops are plugged in to the same network outlet, they are connected to the separate untrusted client VLAN and users have to authenticate at a web page before they can, for example, access the Internet

I don't really know much about Cisco IOS. Really looking for second opinions on this approach, and implementation questions:
- Is the authentication proxy feature universal to IOS, on both Catalyst switches and routers, or part of the firewall feature set on routers only? (a basic question no doubt, but I've found no guidance on Cisco's web site!)
- Will this authentication proxy feature scale to, say, 50-75 laptops connected at 10Mbps?

Thanks in advance for any help.

Kindest regards,
Anwar
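The two halves of the design described in the post (ProCurve MAC authentication steering ports into a trusted or untrusted VLAN, and an IOS authentication proxy fronting the untrusted VLAN), written out as an added configuration example. This is not configuration from the original thread or from the poster; it assumes VLAN 10 is the trusted client VLAN, VLAN 20 the untrusted one, a RADIUS server at 192.0.2.10 that holds both the MAC database and the student accounts, an uplink on ProCurve port 26, a router subinterface GigabitEthernet0/0.20 addressed 10.20.0.1/22, and an IOS image with the IOS Firewall feature set, which is where `ip auth-proxy` lives. All of those names and addresses are hypothetical.

```cisco
! ===== HP ProCurve edge switch: MAC authentication with VLAN steering =====
! Assumptions (not from the original post): VLAN 10 trusted, VLAN 20 untrusted,
! RADIUS at 192.0.2.10, port 26 is the uplink towards the Cisco router.
vlan 10
   name "trusted-clients"
   tagged 26
vlan 20
   name "untrusted-clients"
   tagged 26
radius-server host 192.0.2.10 key <shared-secret>
! The switch sends the client's MAC address as both username and password.
aaa authentication mac-based chap-radius
aaa port-access mac-based 1-24
! One authenticated MAC per outlet, so a hub or a second device cannot ride on a
! trusted laptop's session.
aaa port-access mac-based 1-24 addr-limit 1
! A MAC that RADIUS does not know is not blocked; the port is placed in VLAN 20.
aaa port-access mac-based 1-24 unauth-vid 20
! For a registered MAC the RADIUS Access-Accept carries
!   Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
!   Tunnel-Private-Group-Id = 10
! which moves the port to the trusted VLAN for that session.

! ===== Cisco IOS router for VLAN 20: authentication proxy =====
! Assumptions (not from the original post): IOS Firewall feature set,
! RADIUS at 192.0.2.10, subinterface Gi0/0.20 = 10.20.0.1/22.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! The login page is served by the router's HTTP server; secure-server makes it HTTPS.
ip http server
ip http secure-server
ip http authentication aaa
!
! Idle sessions expire after 30 minutes and must re-authenticate.
ip auth-proxy inactivity-timer 30
ip auth-proxy name STUDENTS http
!
! Before authentication only DHCP, DNS to the router, and the login page itself
! are reachable. After a successful login the proxy inserts per-user permit
! entries, taken from the RADIUS cisco-avpair attributes
!   auth-proxy:priv-lvl=15
!   auth-proxy:proxyacl#1=permit tcp any any eq www
!   auth-proxy:proxyacl#2=permit tcp any any eq 443
! ahead of this ACL for that client's source IP.
ip access-list extended UNTRUSTED-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.20.0.1 eq domain
 permit tcp any host 10.20.0.1 eq www
 permit tcp any host 10.20.0.1 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 description untrusted client VLAN
 ip address 10.20.0.1 255.255.252.0
 ip access-group UNTRUSTED-IN in
 ip auth-proxy STUDENTS
```

Two caveats worth checking before relying on this. MAC authentication is not a strong identity: anyone who copies a University laptop's MAC address lands in the trusted VLAN, so that VLAN still needs domain logon, host firewalls and patching to carry the trust the post assigns it; `addr-limit 1` only stops a second device sharing the same outlet. On the router side the proxy only fires on HTTP, so a client that never opens a browser stays behind the `deny ip any any` line, which is the intended behaviour, and the HTTPS login page uses the router's certificate, so students will see a browser warning unless the router is given a certificate their browsers trust.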