NEW - Using logins, monitor student access

By jefeolson
Ok, so my other very popular thread was for the single purpose of trying to find a way to track Internet use only by MAC address. Tough stuff, on purpose, it gave me 10 times the information I would have received than putting an easy thread. Really made some smart people think. Thanks.

The problem in this thread (same general problem) should be much easier to solve.

In the other thread Steve wrote:
When I first arrived in the dorms 2 years ago, the first time I connected my laptop, I was presented with a login screen with the disclaimer, etc. that required I login with my University e-mail account and password. Once this was done, my MAC address was mapped to my username for all access. Same thing happened when I connected a wireless router and when I replaced my laptop mobo.

Also there is a very good example of this actually being used. See the website:

That system applies to both their wired and wireless student clients.

Actually, that is my alma mater. I've tried calling up a few of my old profs from the computer science/networking department, but no luck so far, haven't reached them.

Between the post Steve made, the instruction page at the Boise State website and other general networking experience, I've put together a little presentation of how I think it works, and would like some input on solutions that would allow me to do this, prepare for pictures!

This picture shows my network plan:

For the purposes of this discussion, we aren't worried about the Admin VLAN or the Gateway, lets just limit things to the Student VLAN.

There. Now that that pesky admin side is out of things, we can get a better view of things. Oh and ignore that content filter for now.

1. Student-owned machines that want to connect.
2. Authentication server
3. Active Directory server

Think of it this way:

So the solution would ideally integrate with AD so I only store one database of student logins for both network and email.

Any ideas folks?

Ideally no software has to be installed on the student machine, although an authentication server that scans to see if they have AntiVirus, and then denies/permits access on that basis as well, is A-okay (with academic licensing we can give them AntiVirus software).

Seems like you have it sorted out

by Deadly Ernest In reply to NEW - Using logins, monit ...

Only two items to discuss as I see it.

1. What is the full list of services that will be provided to the students?

2. At first log on an instruction to visit a web page with simple instructions on how to configure their mail client and browser to access their mail and the general Internet.


I would recommend the use of a proxy server as this will assist with scanning and also save you on downloads, and student time, if you have it store the commonly accessed pages. One would expect that researching for assignments the students are going to hit many common pages. You can also use this to locally store the AV, its upgrades, and any other shared software for easy access.


If mail and Internet is the only service they are going to have access to you may find it easier to just scan all incoming and outgoing mail than insist on, and check for, current AV software.


In the interests of keeping it simple I would suggest that you install an Internet proxy and a server to provide access to shared files and student participation bulletin boards. This could work like a set of Newsgroups (you could even establish some for it) and the students could then discuss assignments etc. and share information via this medium. Have all mail in the network go through the AV and content software. This would give them reasonable communications and reduce external traffic a fair bit.

...oh I wish... :-p

by jefeolson In reply to Seems like you have it so ...

I wish it were that simple, Ernest. Problem is I know what I want on the front end, the logon page when a student first connects, and I know what I want on the backend, Active Directory to authenticate. I just don't know which proxy... or...whatever...will allow me to do this.

I've tried some software packages and can get a proxy that requires login up and running; the problem is I can't find one that does not require login every time, or that integrates with AD for authentication. The idea behind one (like the system in place at the college I mentioned) is that by holding the MAC and login information on the authentication server (proxy server?) the student only has to type their login information at whatever interval I set (let's say 2 weeks).

Ok, the services students will be provided with:
Internet (duh), web-based email (Exchange Web Access probably), and (notice the A) intranet with services such as a message board, a newsletter, and some class notes.

Basically I'd like it to happen like so:
Student gets a login page when they first try to access IE.
Student types their name and password into this login page.
Login server passes that information on to AD for verification.
After it is verified, the login server holds that information for X days and then allows the student's machine onto the network.

You know...this sounds kinda like RADIUS...maybe...
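The four-step flow above (login page, directory check, hold the MAC-to-username binding for X days, then let the machine through) can be written down as a small authorization table. The block below is an added illustration, not code from this thread or from any product mentioned in it. It assumes epoch-second timestamps and uses a constructed `DirectoryStub` in place of the real Active Directory bind (a real portal would do an LDAP bind against the domain controller); `Portal`, `Lease` and `normalize_mac` are names chosen here.

```python
# Added example: a minimal captive-portal authorization table. A client
# MAC is bound to a username after the directory accepts the password,
# the binding is kept for one lease period, and traffic from an unknown
# or expired MAC is sent back to the login page. Times are epoch seconds.
import hashlib
import hmac
import os
from dataclasses import dataclass

DAY = 86400


class DirectoryStub:
    """Stand-in for the AD bind (assumption: a real deployment would do an
    LDAP simple bind instead). Passwords are kept as salted PBKDF2 hashes."""

    def __init__(self, credentials: dict) -> None:
        self._users = {}
        for user, password in credentials.items():
            salt = os.urandom(16)
            self._users[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            # Do the same work for unknown users so timing does not reveal them.
            self._hash(password, b"\x00" * 16)
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(password, salt))


@dataclass
class Lease:
    username: str
    expires: int  # epoch seconds


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 001122aabbcc."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class Portal:
    def __init__(self, directory: DirectoryStub, lease_days: int = 14) -> None:
        self.directory = directory
        self.lease_seconds = lease_days * DAY
        self.leases = {}  # normalized MAC -> Lease

    def login(self, mac: str, username: str, password: str, now: int) -> bool:
        """Bind the MAC to the user for one lease period if the directory accepts."""
        if not self.directory.authenticate(username, password):
            return False
        self.leases[normalize_mac(mac)] = Lease(username, now + self.lease_seconds)
        return True

    def check(self, mac: str, now: int) -> str:
        """Decision for a request from `mac`: 'allow:<user>' or 'login-required'.
        Expired leases are dropped the first time they are seen."""
        key = normalize_mac(mac)
        lease = self.leases.get(key)
        if lease is None:
            return "login-required"
        if now >= lease.expires:
            del self.leases[key]
            return "login-required"
        return f"allow:{lease.username}"

    def revoke(self, mac: str) -> bool:
        """Drop a binding early (lost device, disciplinary action)."""
        return self.leases.pop(normalize_mac(mac), None) is not None

    def devices_for(self, username: str, now: int) -> list:
        """MACs currently bound to one user; a sudden jump is worth a look."""
        return sorted(mac for mac, lease in self.leases.items()
                      if lease.username == username and now < lease.expires)


if __name__ == "__main__":
    directory = DirectoryStub({"jsmith": "correct horse battery"})  # constructed
    portal = Portal(directory, lease_days=14)
    print(portal.check("00-11-22-AA-BB-CC", 0))
    print(portal.login("00-11-22-AA-BB-CC", "jsmith", "correct horse battery", 0))
    print(portal.check("00:11:22:aa:bb:cc", 13 * DAY), portal.check("001122aabbcc", 14 * DAY))
```

The table is keyed on the normalized MAC, which is exactly the property the thread later worries about: anything that can present the same MAC inherits the lease, so a deployment of this shape needs the switch-side checks discussed further down, and `devices_for` gives a cheap signal when one account suddenly has many bound devices.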

If the first contact on accessing the network

by Deadly Ernest In reply to ...oh I wish... :-p

is a web page, why not just use cookies. I have a number of web sites, like TR, where the cookies are kept by my PC and next time I hit that page I am automatically logged in via the cookie.

Another option may be to have their computer download a little app or routine that does the same thing and initiates an autologin upon recognition of the network. I have seen some wireless systems do this - don't know how though, as I have not used wireless; not allowed in the networks I have worked with.

Your idea of RADIUS may work, I'm not familiar enough with it to say yeah or nay - I am more used to using the login-every-time variant.


Insert title here. (seriously, why?)

by jefeolson In reply to If the first contact on a ...

Good news on my whole problem here. I've managed to get in contact with someone who set up the whole network for another Bible college in the state next door to mine. So hopefully I'll be able to get some help there.

On to other topics...
Yeah I've got no idea about RADIUS either.

That is good news - please remember to

by Deadly Ernest In reply to Insert title here. (serio ...

come back and tell us all how it's done. :-)

Well...

by jefeolson In reply to That is good news - pleas ...

In the short conversation we had over the phone today there was talk about making all the student computers join a umm...yeah didn't someone like you have that as the primary idea. You win.

I basically got told "You're a blathering moron." in a very very nice way that made it look like I had come to that realization all on my own.

I like the guy already.

I'll have neat technical drawings and all that type of stuff, I'm a very visual person. In the week and 3 days since I've started the job, I still don't have a phone, computer or desk and the current administration building is at or over capacity with all the growth and some planned expansion is stalled in red tape with the local city government...well actually one city OKs us, but the other doesn't...we actually fall in two jurisdictions for part of the construction...anyway... I did however take control of a whiteboard and markers. But enough about the wacky side of things for now.

On the technical side of things the college network I was referring to must be using some type of point-to-point over ethernet...but that's another tangent...

Short suggestion maybe?

by lscott In reply to Well...

"On the technical side of things the college network I was referring to must be using some type of point-to-point over ethernet...but that's another tangent..."

Here is a little ditty that might help you out in the interim of getting things going with P2P.

I have used it and it works extremely well.
The program is Hamachi. A secure P2P VPN with some stuff that is really sweet. This would work great if you are going between two routers or servers or whatever. Also you can tie in to a network you create and all points are treated as P2P. Check it out, I think you will be very happy with it. is url.

Being a neophyte myself (recently released from my last job as an IT Tech for stepping on the boss's toes with sledgehammers), I found out about this from the Security Now podcast with Steve Gibson and Leo Laporte on iTunes. (Please don't stone me with dropped packets!)

Hope this helps out on that part of the equation.

Believe I'm able to help.

by stand fast In reply to NEW - Using logins, monit ...

After reading through your posts in this thread and the previous thread, I am a little confused as to what you are really trying to get at the end of the day. I guess my confusion starts with understanding if your biggest problem is integrating your network with the iPrism appliance so as to monitor user activity the way you would like.

I don't see a problem with you using AD to store your one database for the logins as long as your content filter and monitoring appliance integrate correctly with AD and can do a mass import at the beginning of the year from AD to create profiles to then monitor activity.

The other choices would be to authenticate internally to have the student login and go from there or put the content filter into a transparent position and then get a monitoring appliance that will track everything from AD having students logging in with AD also.

I guess the best question is how are you authenticating now? I guess AD with Windows server and how many pc/users do you have at this time or future capacity will you need? This helps factor choices with affordable expenditure.

From what I have read so far your problem is not really that difficult to overcome; it's just how much do you want to spend and be wise with God's money at the same time. As I said I believe I can help. Or if you like you can call me direct. Ask for Sean @ 800-890-6471.


MAC Attack...

by lscott In reply to NEW - Using logins, monit ...

"Ok, so my other very popular thread was for the single purpose of trying to find a way to track Internet use only by MAC address."

"Once this was done, my MAC address was mapped to my username for all access. Same thing happened when I connected a wireless router and when I replaced my laptop mobo."

"That system applies to both their wired and wireless student clients"

The only real flaw that I can see is this... MAC spoofing. How would you overcome someone cloning or spoofing someone else's info and causing havoc that way? It sounds like it would be an extremely simple process to Ethereal the wifi, wait till a BC and reply, then just start a bruteforce or dictionary attack against the password. This of course would then render your whole student network as useless and set up your admin side vulnerable to attack.

OR being the neophyte, am I missing the point altogether??

Oh, this is but one of the reasons I received termination papers from my last job. Trying to exploit our security flaws.


nope, not missing anything...

by jefeolson In reply to MAC Attack...

Yeah MAC spoofing was discussed as well, and the idea was dropped altogether in favor of a straight domain.

Student PCs will have to join the domain to get internet access and access to other network resources. They will have to login every time they want to use their PC on the domain.

We're also going with the sort of "non-standard" IP of 172.0.x.x. That way all the 192.168.0.x and 10.0.0.x addresses we find will be students using WiFi routers and devices they are not supposed to...
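Two things raised in this thread lend themselves to a routine switch-side check: lscott's point that a MAC-based binding is only as good as the MAC (a cloned MAC shows up as one address on two switch ports, or one IP claimed by two MACs), and the plan above to spot student WiFi routers by the 192.168.x.x and 10.x.x.x addresses they leak into a 172.0.x.x network. The block below is an added example, not code from this thread or from the college network it describes. The address-table format, the port names and every address are constructed for the illustration; the 172.0.0.0/16 student range is taken from the post as written (note that 172.0.0.0/8 is publicly routed space, unlike the RFC 1918 block 172.16.0.0/12, so a real deployment would want to confirm that choice).

```python
# Added example: offline audit of a constructed switch/DHCP address table.
# Flags (1) private home-router addresses outside the student range and
# (2) the traces a cloned MAC leaves: one MAC on several ports, or one IP
# answered by several MACs. Format, ports and addresses are all made up.
import ipaddress
import re
from collections import defaultdict

STUDENT_NET = ipaddress.ip_network("172.0.0.0/16")        # range chosen in the post
ROGUE_HINT_NETS = (ipaddress.ip_network("192.168.0.0/16"),  # default home-router ranges
                   ipaddress.ip_network("10.0.0.0/8"))

# Constructed line format: HH:MM:SS  port  ip  mac
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<port>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")

SAMPLE_TABLE = """\
10:00:01 Gi1/0/3  172.0.4.17    00:11:22:aa:bb:cc
10:00:02 Gi1/0/4  172.0.4.18    00:11:22:aa:bb:dd
10:00:05 Gi1/0/9  192.168.0.1   00:0c:41:12:34:56
10:00:07 Gi1/0/9  172.0.4.40    00:0c:41:12:34:56
10:00:09 Gi2/0/1  172.0.4.17    00:11:22:aa:bb:cc
10:00:11 Gi2/0/2  172.0.4.18    66:77:88:99:aa:bb
this line is deliberately malformed and must be skipped
"""


def parse_table(text: str) -> list:
    """Turn the table into records; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["ip"] = ipaddress.ip_address(rec["ip"])
            records.append(rec)
    return records


def rogue_router_candidates(records) -> list:
    """(ip, mac, port) for hosts using default home-router ranges instead of
    the student range: in the post's scheme, most likely an unapproved WiFi router."""
    return [(str(r["ip"]), r["mac"], r["port"]) for r in records
            if r["ip"] not in STUDENT_NET
            and any(r["ip"] in net for net in ROGUE_HINT_NETS)]


def macs_on_multiple_ports(records) -> dict:
    """MAC -> sorted ports when one MAC shows up behind more than one port."""
    ports = defaultdict(set)
    for r in records:
        ports[r["mac"]].add(r["port"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def ips_with_multiple_macs(records) -> dict:
    """IP -> sorted MACs when one address is answered by more than one MAC."""
    macs = defaultdict(set)
    for r in records:
        macs[str(r["ip"])].add(r["mac"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def audit(text: str) -> dict:
    """One-shot report over a table dump, suitable for a scheduled job."""
    records = parse_table(text)
    return {
        "parsed": len(records),
        "rogue_routers": rogue_router_candidates(records),
        "mac_on_multiple_ports": macs_on_multiple_ports(records),
        "ip_conflicts": ips_with_multiple_macs(records),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

A MAC on two ports is not always abuse (a laptop moved from one jack to another within the window looks the same), so the useful deployment is to run this against tables collected a few minutes apart and page on findings that persist; the domain-join approach the thread settles on removes the MAC as the sole credential, but the rogue-router check stays relevant under either design.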

