Connected Internet into an Active Directory Home Network

By speda07
I hope I can make this short enough but still be clear. A non-profit org wanted to have a network where users have to log in to gain access to resources. Active Directory: easy choice. Next, they obtained Internet connectivity, but wanted the users to have to log into the network to use the Internet.

Here is the setup: There is one switch (SW1) and one domain controller (DC1). DHCP is running on DC1. There is a wireless access point connected to SW1 so users can log in wirelessly. The problem arises when I'm trying to set it up so that users MUST log into the domain to gain access to the Internet. If I plug the DSL router directly into the switch, then a user would be able to simply log in locally to the computer instead of the domain and, since he has an IP address, gain access to the Internet. As far as I know, I can't use ICS in an AD environment. I tried putting another NIC in the DC and connecting the DSL router to it, but there was no way I could get the NICs to talk to one another (they were both on the same subnet). This seems like (and probably is) a simple solution, but how to do this is escaping me. BTW, the DSL router is running NAT and is on the same subnet as the rest of the devices.



All Answers

by CG IT In reply to Connected Internet into a ...

DHCP reservations

by nielsenr In reply to proxy.

Use static IP addresses or DHCP reservations for all known machines, with no leftover IP addresses for unknown devices. Cons: you have to document all end-user devices, and guests will have to be configured manually.
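The reservations-only scope nielsenr describes, as an added example that is not part of the thread: it reserves an address for every inventoried MAC, then excludes every remaining address in the pool so an unknown NIC is offered nothing, and finally checks that the scope has no free addresses left. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT); on the 2003/2008 servers the thread mentions, the equivalent commands are `netsh dhcp server scope <id> add reservedip` and `add excluderange`. The server name DC1, scope 192.168.1.0, the pool range, and the machine names, MACs and addresses are made-up sample values.

```powershell
# Added example (not from the thread). Assumes the DhcpServer module; the scope,
# range, names and MAC addresses below are constructed sample values.

$DhcpServer = 'DC1'
$ScopeId    = '192.168.1.0'
$RangeStart = '192.168.1.100'   # assumed start of the scope's address pool
$RangeEnd   = '192.168.1.199'   # assumed end of the scope's address pool

# Constructed inventory of known machines; in practice read this from a CSV.
$Known = @(
    @{ Name = 'RECEPTION-PC'; Mac = '00-11-22-33-44-01'; Ip = '192.168.1.101' },
    @{ Name = 'OFFICE-PC';    Mac = '00-11-22-33-44-02'; Ip = '192.168.1.102' },
    @{ Name = 'LAPTOP-01';    Mac = '00-11-22-33-44-03'; Ip = '192.168.1.110' }
)

# Helpers: dotted-quad <-> 32-bit integer, so the pool can be walked address by address.
function ConvertTo-IpInt([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IpInt([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    return (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

# 1. One reservation per known machine (MAC -> fixed address).
foreach ($m in $Known) {
    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
        -IPAddress $m.Ip -ClientId $m.Mac -Name $m.Name `
        -Description 'Known device; see inventory'
}

# 2. Exclude every address in the pool that is not reserved, so an unknown NIC
#    gets no lease at all and falls back to an APIPA (169.254.x.x) address.
$reserved = @($Known | ForEach-Object { ConvertTo-IpInt $_.Ip })
$end      = ConvertTo-IpInt $RangeEnd
$gapStart = $null
for ($i = (ConvertTo-IpInt $RangeStart); $i -le $end; $i++) {
    if ($reserved -contains $i) {
        if ($gapStart -ne $null) {
            Add-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId `
                -StartRange (ConvertFrom-IpInt $gapStart) -EndRange (ConvertFrom-IpInt ($i - 1))
            $gapStart = $null
        }
    } elseif ($gapStart -eq $null) {
        $gapStart = $i   # first unreserved address of a new gap
    }
}
if ($gapStart -ne $null) {
    Add-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId `
        -StartRange (ConvertFrom-IpInt $gapStart) -EndRange $RangeEnd
}

# 3. Verify: the scope should have no free addresses left to hand out.
$free = Get-DhcpServerv4FreeIPAddress -ComputerName $DhcpServer -ScopeId $ScopeId `
    -NumAddress 1 -ErrorAction SilentlyContinue
if ($free) {
    Write-Warning "Scope $ScopeId still has free addresses, e.g. $free"
} else {
    Write-Output "Scope ${ScopeId}: reservations only, no free leases"
}
```

Two caveats a practitioner should keep in mind: a reservation keys on the MAC address, which any user can change on a laptop, and it says nothing about who is logged on, so a local (non-domain) logon on a known, reserved machine still gets its address. This approach keeps unknown devices off the wire; tying access to the domain account itself is what the 802.1X/RADIUS suggestion below addresses.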


Use 2003/2008 if possible

by eugene.haney In reply to Connected Internet into a ...

IAS is your answer, well, that and a RADIUS server, which your DC can do just as well. The access point will probably support WPA Enterprise, where you'll need a certificate to certify the server/AP and the clients. They all get that through a policy push. For the wired Ethernet systems, 802.1x authentication for the network. Clients get a standard IP to get them access to log in, then they authenticate to get onto the network. Nobody who doesn't authenticate gets anywhere other than an APIPA address. Depending on the type of switch, you can even go as far as segmenting to a VLAN per ADS, but that's pretty detailed stuff.
