Re: [WISPA] Ethernet based authentication
They can do either depending on configuration

John

Richard Munoz wrote:

> I thought that these switches would deny the Source MAC Address instead of disabling the entire port.
>
> -Richard M.
>
>> A little more info would be good. If they want to authenticate everyone, then 802.1x switches are available - if you don't authenticate, your port turns off. If they just want to limit Internet access, Websense or St. Bernard make products to do that.
>>
>> John

--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] Ethernet based authentication
their management. You no longer need to be aware of the path a customer takes to connect to the network because the routes will be auto created wherever the customer connects from. For example, if you have a three sector cell site, clients could connect from any sector without your reconfiguration of the PPPOE for the client, so redundancy could be built in very easily. Whereas with a routed connection to a client from a specific sector, if they change sectors, I need to change my routing for them. The trade-off is, when I manually route, I am always aware of what path the customer travels so I can monitor their link path for reliability; with PPPOE, if they complain about performance, I really don't know what path an end user took after a session gets disconnected.

I do not have a recommendation on whether PPPOE should or shouldn't be used for your implementation, but those are some things for you to consider when making the determination.

Tom DeReggi
RapidDSL Wireless, Inc
IntAirNet - Fixed Wireless Broadband

----- Original Message -----
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Wednesday, November 30, 2005 10:54 AM
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.

Many thanks,
Scriv
Re: [WISPA] Ethernet based authentication
On Wed, 30 Nov 2005, John Scrivner wrote:

> complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may

You may want to look at hotspot as a solution, too. The main advantage here is that it can be made fairly easy (depending on the hotspot controller) for them to manage. PPPoE is a good solution, but in some cases, requires them to change settings on the local machine (or worse...install a client) in order to access the internet. If the network behind the hotspot is flat, the hotspot will not break anything (nor will PPPoE).

--
Butch Evans
BPS Networks http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)
Re: [WISPA] Ethernet based authentication
On Wed, 30 Nov 2005, Lonnie Nunweiler wrote:

> doing anything. HotSpot and PPPoE require that you have a radius server.

Not necessarily. Some implementations, this is true, but not all. (FWIW, the radius server DOES make management easier.)

--
Butch Evans
BPS Networks http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)
Re: [WISPA] Ethernet based authentication
I thought that these switches would deny the Source MAC Address instead of disabling the entire port.

-Richard M.

> A little more info would be good. If they want to authenticate everyone, then 802.1x switches are available - if you don't authenticate, your port turns off. If they just want to limit Internet access, Websense or St. Bernard make products to do that.
>
> John
Re: [WISPA] Ethernet based authentication
How did connecting a laptop circumvent how they access the Internet? Sounds to me like the government entity does not restrict access to the Internet, they restrict what a PC can get to on the PC. Seems like a bad approach. How about a good ole proxy server that requires authentication to get out to the Net?

Or did I just plain miss something?

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

---------- Original Message -----------
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Wed, 30 Nov 2005 09:54:46 -0600
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.

Many thanks,
Scriv

------- End of Original Message -------
Re: [WISPA] Ethernet based authentication
Our local school uses something that does what you are asking for the kids. Check with your school. If that doesn't work I can get you the name and number for who to ask here.

I'm pretty sure it's done via some kind of security server. Nothing so complicated as pppoe.

BTW, I think that if the city doesn't want their own people on the network they should make sure you know that before you do any work for them. How are you possibly supposed to assume that an employee isn't allowed access?

And they ARE securing all of the drives and servers so that they aren't shared with everyone, right?

Good luck!

Marlon
(509) 982-2181 Equipment sales
(408) 907-6910 (Vonage) Consulting services
42846865 (icq) And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

----- Original Message -----
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Wednesday, November 30, 2005 7:54 AM
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.

Many thanks,
Scriv
Re: [WISPA] Ethernet based authentication
PPPoE will break things like printers. I would use a HotSpot style authentication and enable only the known machines. All other machines are sent to a login page or are simply firewalled and prevented from doing anything. HotSpot and PPPoE require that you have a radius server.

Lonnie

On 11/30/05, John Scrivner [EMAIL PROTECTED] wrote:

> Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.
>
> Many thanks,
> Scriv

--
Lonnie Nunweiler
Valemount Networks Corporation
http://www.star-os.com/
Re: [WISPA] Ethernet based authentication
I do not really understand what you are trying to accomplish, but I do PPPoE for my network. I have used it in a few other cases. It is fairly easy to set up and should not limit anything on a Windows network. Call me if I can be of help.

Jory Privett
WCCS
940.683.5797

----- Original Message -----
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Wednesday, November 30, 2005 9:54 AM
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.

Many thanks,
Scriv
Re: [WISPA] Ethernet based authentication
John Scrivner wrote:

> Anyone out there have experience with PPPoE?

[ snip ]

Based on the scenario you've described, PPPoE may not be the best solution. It'll probably break a lot of Windows-specific stuff (printer and file sharing leap to mind). Those could be worked around with a sufficiently complex firewall setup, but it might be more trouble than it's worth.

A few other ideas pop into mind right off:

* Many higher-end managed switches can be set up to only allow specified MAC addresses network access. You could do a network audit, get a list of all the allowed MACs in a location, and tell the switch to drop other traffic. Think wireless MAC authentication only with wires. :)

* Put all the important stuff in a separate subnet and require VPN logins to access it. Configure the firewall to only allow access from IPs allocated to the VPN subnet. This won't keep someone from bringing in their own laptop and connecting to the VPN, but at least you'll know who did it. You could do this with StarOS, RouterOS, or even Windows/Active Directory if you're brave enough.

* Fear and paranoia. Spread the word that the network is regularly monitored for unauthorized access, and that unauthorized MACs being seen from your port on the switch could be a write-up/lose-your-job offense. Use a managed switch that can record MAC-to-physical-port associations, and dump the logs somewhere. If you're really ambitious, actually review the logs on occasion and follow up on those threats :D

David Smith
MVN.net
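
The audited MAC list and the MAC-to-physical-port logs suggested in the message above can be checked against each other with a short script. This is an added example, not part of David Smith's message; the log layout, port names and MAC addresses are constructed, since real switches export their address tables in vendor-specific formats.

```python
import re

# Constructed sample: allowlist from a network audit (port -> permitted MACs).
ALLOWED = {
    "Fa0/1": {"00:11:22:33:44:55"},
    "Fa0/2": {"00:11:22:33:44:66"},
    "Fa0/3": {"00:11:22:33:44:77"},
}

# Constructed sample: periodic dumps of a switch address table, one
# "timestamp port mac" entry per line, MACs in mixed notations.
SAMPLE_LOG = """\
2005-11-30T08:00:00 Fa0/1 0011.2233.4455
2005-11-30T08:00:00 Fa0/2 00-11-22-33-44-66
2005-11-30T08:00:00 Fa0/3 00:11:22:33:44:77
2005-11-30T13:15:00 Fa0/2 02:00:00:AB:CD:EF
2005-11-30T13:15:00 Fa0/3 00:11:22:33:44:66
2005-11-30T13:20:00 Fa0/9 0011.2233.4455
this line is garbage and must not crash the audit
"""

def normalize_mac(raw):
    """Reduce colon, hyphen or dotted notation to aa:bb:cc:dd:ee:ff; None if invalid."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(log_text, allowed):
    """Return (findings, skipped); each finding is (timestamp, port, mac, reason)."""
    home = {mac: port for port, macs in allowed.items() for mac in macs}
    findings, skipped = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        mac = normalize_mac(parts[2]) if len(parts) == 3 else None
        if mac is None:
            skipped += 1  # count malformed entries so they are not silently lost
            continue
        ts, port = parts[0], parts[1]
        if mac in allowed.get(port, set()):
            continue  # audited MAC on its audited port
        reason = f"known MAC moved from {home[mac]}" if mac in home else "unknown MAC"
        findings.append((ts, port, mac, reason))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = audit(SAMPLE_LOG, ALLOWED)
    for ts, port, mac, reason in findings:
        print(f"{ts} {port} {mac}: {reason}")
    print(f"{skipped} unparseable line(s) skipped")
```

Because a MAC address can be set in software on most adapters, a match against the list shows only that the address is known; the "moved" finding is what surfaces an audited address appearing on a port it was not audited on.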
Re: [WISPA] Ethernet based authentication
John Scrivner wrote:

> Anyone out there have experience with PPPoE? I have a client who is a local government entity. They have people who have abused their Internet connection in the past. They restrict who has Internet access and when it can be used. One of our techs unknowingly circumvented protocol by helping an employee learn how to connect his personal laptop to the hardwired Ethernet network. Now the government entity is highly peeved at me. They want a complete report on the incident and a plan for how I will prevent people from doing this in the future at all locations. I am thinking we can use PPPoE to force all users even on the hardwired network to authenticate in order to get on the Internet. What are your thoughts? What will this break on an internal network that may be doing other things? Could an internal Windows network still function normally while the computer is not authenticated for Internet access? I have never done PPPoE and need a little guidance from those of you who have.
>
> Many thanks,
> Scriv

A little more info would be good. If they want to authenticate everyone, then 802.1x switches are available - if you don't authenticate, your port turns off. If they just want to limit Internet access, Websense or St. Bernard make products to do that.

John