I don't know enough to form an educated guess, and I would have to do major research
to make something like this work for me, but here's my invention exchange.
- You could use group membership to indicate who has returned their forms. When
someone does return the form, you add their user ID to the group that affords them
Internet access.
- You could create a login script that first checks if the user belongs to the
Internet group and then issues an iptables command to grant access to the user's
current IP.
- You could create a logout script that removes their IP when they leave.
- If the logout script doesn't run, maybe when they drop the connection (doesn't it
run anyway?), a cron event could check for stale IPs and purge any from iptables.
What do you think, sirs?
(Joel and the bots)
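Joel's four-step sketch above, worked into a shell script as an added example (not code from the thread). It assumes the gateway invokes it as `inet-acl.sh login USER IP`, `inet-acl.sh logout IP` and, from cron, `inet-acl.sh purge`; the group name, state directory and 12-hour purge age are placeholders, and how the login hook is triggered (Samba preexec, PAM session) is left outside the example.

```shell
#!/bin/sh
# Added example (not from the thread): per-user Internet access keyed on
# group membership. Assumed: the gateway runs
#   inet-acl.sh login USER IP / logout IP, and cron runs inet-acl.sh purge.
INTERNET_GROUP="${INTERNET_GROUP:-internet}"   # group = "form returned"
IPTABLES="${IPTABLES:-iptables}"               # set to "echo" for a dry run
STATE_DIR="${STATE_DIR:-/var/lib/inet-acl}"    # one file per granted IP
MAX_AGE="${MAX_AGE:-43200}"                    # purge grants older than 12h

# Strict IPv4 check: the IP ends up in an iptables argument, so never pass
# through anything that is not four dotted octets.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# member_of "alice,bob" bob -> exact match on a comma-separated member list
member_of() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF -- "$2"
}

# Looks the group up via NSS (local files, or LDAP/Samba if configured there).
user_allowed() {
    member_of "$(getent group "$INTERNET_GROUP" | cut -d: -f4)" "$1"
}

grant() {   # grant IP: open forwarding for this address and record when
    valid_ip "$1" || return 1
    mkdir -p "$STATE_DIR"
    "$IPTABLES" -I FORWARD -s "$1" -j ACCEPT && date +%s > "$STATE_DIR/$1"
}

revoke() {  # revoke IP: remove the rule and its record
    valid_ip "$1" || return 1
    "$IPTABLES" -D FORWARD -s "$1" -j ACCEPT; rm -f "$STATE_DIR/$1"
}

# Cron job: drop grants whose record is older than MAX_AGE (missed logouts).
purge_stale() {
    now=$(date +%s)
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        [ $((now - $(cat "$f"))) -ge "$MAX_AGE" ] && revoke "${f##*/}"
    done
    return 0
}

case "${1:-}" in
    login)  user_allowed "$2" && grant "$3" ;;
    logout) revoke "$2" ;;
    purge)  purge_stale ;;
esac
```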
-----Original Message-----
From: Quentin Hartman
Sent: Tuesday, July 16, 2002 13:41
To: Steven J. Sobol
Subject: Re: Authenticating mixed clients for Internet Access
Steve et al-
It seems I may have been unclear in stating my request, for which
I apologize. We are trying to migrate away from MS server OSes for a
variety of reasons, cost being the most significant. When I stated we have
a mix of NT and Linux servers, I failed to mention that the remaining NT
machine only serves to update our Norton AV corporate edition clients.
There are no other services running on it, nor do we wish there to be any.
My primary stumbling block in this project is finding a
centralized way to control which users are allowed out to the Internet (via
proxy, gateway, what have you) that will work for both Linux and Windows
systems. I believe I have unified user logins across platforms sorted using
Samba and PAM, but it is the Internet access control that is stumping me.
We need to allow / deny Internet access to different users based on whether
or not they have completed their acceptable use forms, and also have the
ability to deny access to those who abuse the system. I am relatively new
to this particular facet of network administration and design, so please
excuse my ignorance on the topic. It seems this should be a common need
with a well-established solution, but I have not found one.
The users move between platforms regularly and I need consistency
across them. I have found software (such as Microsoft's Proxy server, or
Novell's) which works on a per-user basis, but those only run on OSes we do
not use, or work only for Windows clients. It would be simple enough to
block a particular machine using an ACL or similar, but I have not found
anything that will authenticate on a per user basis on a Linux-based
gateway, firewall, or proxy. I need it to work from either Windows Domain
login (processed by a Samba PDC) or Linux terminal logins. I have found
options which require people to SSH into a gateway to open a connection
from the client, but I do not see that as a usable option in a K-12
environment. My users are simply not up to that kind of process, especially
not for the younger kids (or older teachers, for that matter). Am I chasing
my tail, or is this sort of thing possible?
<snip from Steve Sobol>
>LDAP might be another potential solution.
<snip>
I have heard of a lot of people using LDAP as an authentication database,
but I have yet to find any good current documentation on how to get such a
beast rolling. I guess I just don't "get it". Such an open-ended and
centralized system would be ideal for the services we want to offer in the
future. I've tried a few times to figure it out on my own with OpenLDAP,
but it seems pretty clunky in the role of an authentication db. What am I
missing? What resources would you suggest?
-Thanks in Advance and Best Regards-
-Quentin Hartman-
Original Post Follows:
Colleagues-
I am working on re-building a network for a K-12 institution, and am trying
to put in some security features that are sorely needed. One of the most
glaringly obvious omissions for this environment is that there is no
mechanism in place to authenticate users for internet access. It is a mixed
environment of Linux and Windows 9x workstations and Linux and NT servers.
I would very much like to have centralized user management. The scenario
goals we are trying to achieve are:
1- Unrestricted user logs in. Has access to file / app servers and Internet
2- Semi-restricted user logs in. Has access to file / app servers, but not
internet.
3- Restricted user logs in. Has access only to local files and programs.
4- Unauthorized user cannot login.
I imagine a combination of policy files for the 9x clients, Samba, PAM, and
squid could achieve this, but I would like your feedback on the best way to
proceed to complete this project. Am I on the right track at all?
-Regards-
-Quentin Hartman-