Wonder if anyone can help with a networking design issue.
I work at a University and we're looking to provide connectivity for students' own laptops, as well as our own. I'm considering a couple of ideas.
There will be a set of wired network outlets. Our laptops may be set up by us how we want, for example Windows XP, Office 2003, Internet Explorer, domain membership, and so on. Students won't have administrative rights, only limited rights. They can be "trusted".
Students' own laptops could be literally anything - any make and model, any operating system, and likely to be infected with malware. However, we'd like to provide basic connectivity anyway.
We have HP ProCurve at the edge, with Cisco at the perimeter.
To my mind the ideal scenario works as follows (but I'm open to suggestions!):
- configure the ProCurve switches with MAC address authentication.
- "our" laptops are registered in a MAC address database.
- authenticated laptops get access to a VLAN with access to domain controllers, etc. Call it the "trusted client VLAN".
- Windows connects to the domain, and users log in with their domain credentials.
- students' own laptops won't be in the MAC address database, so they connect to a completely separate VLAN - call it the "untrusted client VLAN".
- put a Cisco IOS device as the router for this "untrusted client VLAN", configured with "authentication proxy" over HTTPS.
Hence, when students connect their own laptops, they join the "untrusted client VLAN". As soon as they try to browse, they are prompted to authenticate at a web page. Once authenticated, they can access whatever we allow them to access.
Hopefully, this combination of ProCurve MAC address authentication and Cisco authentication proxy means that:
- when University laptops are plugged in, they connect to the network and students can log in to the domain;
- when students' own laptops are plugged in to the same network outlet, they are connected to the separate untrusted client VLAN and users have to authenticate at a web page before they can, for example, access the Internet.
I don't really know much about Cisco IOS. I'm really looking for second opinions on this approach, and I have some implementation questions:
- Is the authentication proxy feature universal to IOS, on both Catalyst switches and routers, or part of the firewall feature set on routers only? (A basic question no doubt, but I've found no guidance on Cisco's web site!)
- Will this authentication proxy feature scale to, say, 50-75 laptops connected at 10 Mbps?
Thanks in advance for any help.
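As an added illustration of the two halves of the design described in the post above (this is not configuration from the original poster), here is roughly what the switch and router sides look like. The VLAN IDs (10 trusted, 20 untrusted), the port range, the RADIUS server address and shared secret, the router sub-interface addressing and the auth-proxy rule name STUDENT-WEB are all assumptions chosen for the example. The router side assumes an IOS image with the IOS Firewall (security) feature set, which is the feature set that packages authentication proxy; exact keywords vary between releases, so check your own command reference.

```text
; ---- HP ProCurve edge switch (assumed VLAN 10 = trusted, VLAN 20 = untrusted) ----
vlan 10
   name "trusted-clients"
   exit
vlan 20
   name "untrusted-clients"
   exit
; RADIUS server that holds the "MAC address database" (assumed address and secret)
radius-server host 192.0.2.10 key "example-shared-secret"
aaa authentication mac-based chap-radius
; MAC authentication on the student-facing ports (assumed 1-24)
aaa port-access mac-based 1-24
; MACs accepted by RADIUS land in VLAN 10; anything else lands in VLAN 20
aaa port-access mac-based 1-24 auth-vid 10
aaa port-access mac-based 1-24 unauth-vid 20
; One authenticated MAC per port, so a second device behind a hub does not ride along
aaa port-access mac-based 1-24 addr-limit 1

! ---- Cisco IOS router for the untrusted VLAN (assumes IOS Firewall feature set) ----
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key example-shared-secret
! Serve the login page over HTTPS only, authenticating against AAA
ip http secure-server
no ip http server
ip http authentication aaa
! Auth-proxy rule: intercept HTTP and expire idle sessions after 60 minutes
! (older releases spell the timer "auth-cache-time" instead of "inactivity-time")
ip auth-proxy name STUDENT-WEB http inactivity-time 60
!
! Router leg on VLAN 20 (assumed addressing)
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ip access-group UNAUTH-IN in
 ip auth-proxy STUDENT-WEB
!
! Static ACL for unauthenticated clients: DNS plus the router's own web login;
! after a successful login the auth-proxy adds per-user dynamic entries
ip access-list extended UNAUTH-IN
 permit udp any any eq domain
 permit tcp any host 10.20.0.1 eq 443
 permit tcp any host 10.20.0.1 eq www
 deny ip any any
```

With `chap-radius`, the ProCurve sends the client's MAC address as both username and password, so the "MAC address database" is simply a list of RADIUS user entries keyed by MAC. Note that this authenticates the hardware address rather than the user, which is why the `addr-limit 1` line and the separate web login on the untrusted VLAN matter: a cloned MAC is enough to be placed in the trusted VLAN by the switch alone.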