Re: [WISPA] Ethernet based authentication
They can do either depending on configuration.

John Richard Munoz wrote:
> I thought that these switches would deny the Source MAC Address instead of
> disabling the entire port.
>
> -Richard M.
>
>> A little more info would be good. If they want to authenticate everyone,
>> then 802.1x switches are available; if you don't authenticate, your port
>> turns off. If they just want to limit Internet access, Websense or St.
>> Bernard make products to do that.
>>
>> John

--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] Ethernet based authentication
I thought that these switches would deny the Source MAC Address instead of
disabling the entire port.

-Richard M.

> A little more info would be good. If they want to authenticate everyone,
> then 802.1x switches are available; if you don't authenticate, your port
> turns off. If they just want to limit Internet access, Websense or St.
> Bernard make products to do that.
>
> John
Re: [WISPA] Ethernet based authentication
On Wed, 30 Nov 2005, Lonnie Nunweiler wrote:
> doing anything. HotSpot and PPPoE require that you have a radius server.

Not necessarily. In some implementations this is true, but not all. (FWIW,
the radius server DOES make management easier.)

--
Butch Evans
BPS Networks  http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant (http://www.mikrotik.com/consultants.html)
Re: [WISPA] Ethernet based authentication
On Wed, 30 Nov 2005, John Scrivner wrote:
> complete report on the incident and a plan for how I will prevent people
> from doing this in the future at all locations. I am thinking we can use
> PPPoE to force all users even on the hardwired network to authenticate in
> order to get on the Internet. What are your thoughts? What will this break
> on an internal network that may

You may want to look at hotspot as a solution, too. The main advantage here
is that it can be made fairly easy (depending on the hotspot controller)
for them to manage. PPPoE is a good solution, but in some cases requires
them to change settings on the local machine (or worse... install a client)
in order to access the internet. If the network behind the hotspot is flat,
the hotspot will not break anything (nor will PPPoE).

--
Butch Evans
BPS Networks  http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant (http://www.mikrotik.com/consultants.html)
Re: [WISPA] Ethernet based authentication
John,

The concern for PPPoE is whether client sessions will re-establish
automatically after disconnects of the link. For example, if a Pre-N Belkin
router is used for an end user link, and I did disconnect their service,
for example by rebooting a Trango AP at the cell site or from significant
packet loss causing the link to degrade for too long a period, the Belkin
will NOT try to re-establish the PPPoE connection until the Belkin router is
physically rebooted. This was a problem for us, because it generated support
calls to get users back up after a reboot of our APs, and often customers
would experience much longer outages before they realized they just needed
to reboot their own in-house Belkin router. We also ran into this with
several Netgear router models. What you want is a router that tries to login
automatically and continuously if it loses connection. Our Linksys routers
work great, and auto-reconnect with no problems. So PPPoE had created an
issue where we had to dictate what equipment an end user could use on our
network, if we set them up as PPPoE.

PPPoE is a tunnel client-to-server protocol, so both a server and client
need to be aware of whether a session is connected or disconnected, and it
can be disconnected from either side. The timeout for disconnect can be set
on the server side. For example, if you set a disconnect time of 5 seconds
at the server, if there is some packet loss, the server might terminate a
session prematurely waiting for communication that it never receives from
the CPE at that time, and then the client router does not know that the
connection is terminated and doesn't know to try to re-establish a
connection because it does not know it's down, or at least not for a period
of time. So you don't want the timeout at the server to be too small. Now if
you make the timeout large, let's say 1 minute: if there is packet loss, and
the client thinks the connection has been terminated because of its
inability to get to the server for a short period, it will disconnect and
try to re-establish a connection, however it will not be able to for 1
minute. This is because the server thinks the original session is still
active and will not clear the original session to allow the next session to
reconnect, and two sessions are not allowed at the same time. This can cause
outages longer than normal, where a 5 second outage turns into a 1 minute
outage. Not a big deal for residential, but for business where the links may
be monitored by third parties, it can be an added pain in the neck. The
problem can be solved by allowing multiple connections of a PPPoE login, but
then there is a security issue where two people can connect at the same time
with the same password. These problems are not a big deal to deal with, you
just need to be aware of them for designing your PPPoE system.

When PPPoE is established, you can not access the client via an arping,
because the protocol does not support that. I forget the exact technical
explanation, but it's something like it does support broadcasts because it's
not using TCP/IP at that point, it's using its own protocol at layer two for
communication. So to tell if a client is up, you do it by monitoring the
session logs at the server.

We do the PPPoE server apps at the first hop. We do the authentication at
the cell router with our own implementation that integrates to our router
provisioning system, but most people have it relay to a remote
authentication system centrally such as a radius server.

PPPoE now means every client needs either a PPPoE router or software loaded
that supports PPPoE. Many represent that XP's built-in PPPoE support works
well, but we don't use it yet.

PPPoE does reduce the packet size, so it is no longer a full 1500 bytes. So
end users sometimes need to configure their VPN software if using one, to
adjust for that situation, an added headache. However, most VPNs we tested
pass through PPPoE OK.

PPPoE also does have significant overhead. You could limit the total number
of connections you can support, because of the bandwidth that is wasted for
the tunneling protocol. However I do not remember what that limit is, we
have not hit it yet. But that is why we operate the PPPoE server at the
first hop, to reduce the PPPoE server traffic/overhead across the network;
it also makes it more reliable for session management. The more links, and
packet loss possible end to end, increases the chance of session
disconnects. The fact that many hops may be needed to get to the
authentication system (radius) really doesn't matter because it's not part
of the client-server session end to end.

We have chosen not to use PPPoE because of these issues, except for some
residential customers that are required to use Linksys routers. However, I'm
aware of some ISPs that have successfully used PPPoE as a protocol for EVERY
customer as a requirement. They generally do it to ease their manage
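A small model of the timeout interaction described in the post above (server session timeout versus the CPE's own loss detection, with the "one session per login" rule), added here as an illustration; it is not code from the post or from any PPPoE implementation, and all timer values are hypothetical and idealized.

```python
"""Toy model of PPPoE session recovery after a short link outage.

Constructed illustration, not code from the WISPA thread or any PPPoE
implementation. It captures the interaction the post describes between the
server-side session timeout, the client's own loss detection and the
"one session per login" rule. All timers are hypothetical and idealized.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PppoeScenario:
    loss_seconds: float          # how long the link actually drops all packets
    server_timeout: float        # server clears a session after this much silence
    client_timeout: float        # CPE declares the session dead after this much silence
    allow_duplicate_sessions: bool = False  # may a second session for the same login start?
    client_auto_reconnect: bool = True      # False models a CPE that only recovers on reboot


def effective_outage(s: PppoeScenario) -> Optional[float]:
    """Seconds until the user is back online, or None if a manual reboot is needed.

    The link is down from t=0 to t=loss_seconds; neither side sees traffic
    in that window, and discovery retries do not count as session traffic.
    """
    if s.client_timeout < s.loss_seconds:
        # The CPE gives up first, tears down its side and starts redialing.
        if not s.client_auto_reconnect:
            return None
        # Redialing succeeds only once the link is back AND the server has
        # cleared the old session (at server_timeout, unless duplicates are allowed).
        server_free_at = 0.0 if s.allow_duplicate_sessions else s.server_timeout
        return max(s.loss_seconds, server_free_at)

    # The CPE never noticed; traffic simply resumes when the link returns.
    if s.server_timeout >= s.loss_seconds:
        return s.loss_seconds            # session survived on both ends
    # The server already cleared the session, so the CPE keeps sending into a
    # dead session until its own timer fires, and only then redials.
    if not s.client_auto_reconnect:
        return None
    return s.client_timeout


if __name__ == "__main__":
    cases = {
        "5 s loss, 60 s server timeout, quick CPE": PppoeScenario(5, 60, 2),
        "same, but duplicate logins allowed": PppoeScenario(5, 60, 2, allow_duplicate_sessions=True),
        "10 s loss, 5 s server timeout, slow CPE": PppoeScenario(10, 5, 30),
        "10 s loss, CPE that waits for a reboot": PppoeScenario(10, 60, 2, client_auto_reconnect=False),
    }
    for label, sc in cases.items():
        print(f"{label}: outage = {effective_outage(sc)}")
```

The first case reproduces the post's "5 second outage turns into a 1 minute outage"; allowing duplicate sessions removes it at the cost of the shared-password problem the post mentions.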
Re: [WISPA] Ethernet based authentication
John Scrivner wrote:
> Anyone out there have experience with PPPoE? I have a client who is a
> local government entity. They have people who have abused their Internet
> connection in the past. They restrict who has Internet access and when
> it can be used. One of our techs unknowingly circumvented protocol by
> helping an employee learn how to connect his personal laptop to the
> hardwired Ethernet network. Now the government entity is highly peeved
> at me. They want a complete report on the incident and a plan for how I
> will prevent people from doing this in the future at all locations. I am
> thinking we can use PPPoE to force all users even on the hardwired
> network to authenticate in order to get on the Internet. What are your
> thoughts? What will this break on an internal network that may be doing
> other things? Could an internal Windows network still function normally
> while the computer is not authenticated for Internet access? I have
> never done PPPoE and need a little guidance from those of you who have.
> Many thanks,
> Scriv

A little more info would be good. If they want to authenticate everyone,
then 802.1x switches are available; if you don't authenticate, your port
turns off. If they just want to limit Internet access, Websense or St.
Bernard make products to do that.

John
Re: [WISPA] Ethernet based authentication
Is this an all Windows network? If so, the way to do this is to use the
Windows VPN setup, so that all your access to the 'net is through the VPN,
not across the open ethernet. The reason I suggest this is that if they have
a Windows based network in place now, everything is already there, and just
needs configuring.

North East Oregon Fastnet, LLC
509-593-4061
personal correspondence to: mark at neofast dot net
sales inquiries to: purchasing at neofast dot net
Fast Internet, NO WIRES!

----- Original Message -----
From: "John Scrivner" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 30, 2005 7:54 AM
Subject: [WISPA] Ethernet based authentication

> Anyone out there have experience with PPPoE? I have a client who is a
> local government entity. They have people who have abused their Internet
> connection in the past. They restrict who has Internet access and when
> it can be used. One of our techs unknowingly circumvented protocol by
> helping an employee learn how to connect his personal laptop to the
> hardwired Ethernet network. Now the government entity is highly peeved
> at me. They want a complete report on the incident and a plan for how I
> will prevent people from doing this in the future at all locations. I am
> thinking we can use PPPoE to force all users even on the hardwired
> network to authenticate in order to get on the Internet. What are your
> thoughts? What will this break on an internal network that may be doing
> other things? Could an internal Windows network still function normally
> while the computer is not authenticated for Internet access? I have
> never done PPPoE and need a little guidance from those of you who have.
> Many thanks,
> Scriv
Re: [WISPA] Ethernet based authentication
John Scrivner wrote:
> Anyone out there have experience with PPPoE?
[ snip ]

Based on the scenario you've described, PPPoE may not be the best solution.
It'll probably break a lot of Windows-specific stuff (printer and file
sharing leap to mind). Those could be worked around with a sufficiently
complex firewall setup, but it might be more trouble than it's worth.

A few other ideas pop into mind right off:

* Many higher-end managed switches can be set up to only allow specified
  MAC addresses network access. You could do a network audit, get a list of
  all the allowed MACs in a location, and tell the switch to drop other
  traffic. Think "wireless MAC authentication" only with wires. :)

* Put all the "important" stuff in a separate subnet and require VPN logins
  to access it. Configure the firewall to only allow access from IPs
  allocated to the VPN subnet. This won't keep someone from bringing in
  their own laptop and connecting to the VPN, but at least you'll know who
  did it. You could do this with StarOS, RouterOS, or even Windows/Active
  Directory if you're brave enough.

* Fear and paranoia. Spread the word that the network is regularly
  monitored for unauthorized access, and that unauthorized MACs being seen
  from your port on the switch could be a write-up/lose-your-job offense.
  Use a managed switch that can record MAC-to-physical-port associations,
  and dump the logs somewhere. If you're really ambitious, actually review
  the logs on occasion and follow up on those threats :D

David Smith
MVN.net
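The "review the logs" step from the post above, worked as a small script; this is an added example, not code from the post or from any switch vendor. The syslog line format, switch name, port numbers and MAC addresses are all constructed for illustration, and the allowlist stands in for the result of the network audit the post suggests.

```python
"""Review switch MAC-to-port learning logs against a per-port allowlist.

Constructed example, not code from the WISPA thread. The log format below
is invented for illustration; real managed switches log MAC learning
events in their own syslog formats, so adjust LOG_RE to match yours.
"""
import re
from collections import defaultdict

# Hypothetical "MAC learned on port" syslog lines, constructed for this example.
SAMPLE_LOG = """\
Nov 30 08:01:12 sw-cityhall-1 MAC-LEARN: port=3 mac=00:11:22:aa:bb:01 vlan=10
Nov 30 08:01:15 sw-cityhall-1 MAC-LEARN: port=4 mac=00:11:22:aa:bb:02 vlan=10
Nov 30 09:47:30 sw-cityhall-1 MAC-LEARN: port=7 mac=00:1c:b3:12:34:56 vlan=10
Nov 30 10:02:44 sw-cityhall-1 MAC-LEARN: port=4 mac=00:11:22:aa:bb:01 vlan=10
Nov 30 10:30:00 sw-cityhall-1 MAC-LEARN: port=3 mac=00:11:22:aa:bb:01 vlan=10
"""

# Result of the network audit: which MACs belong on which physical port.
ALLOWLIST = {
    3: {"00:11:22:aa:bb:01"},
    4: {"00:11:22:aa:bb:02"},
    # port 7 is a spare wall jack: nothing should ever be learned there
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<switch>\S+) MAC-LEARN: "
    r"port=(?P<port>\d+) mac=(?P<mac>[0-9a-f:]{17}) vlan=(?P<vlan>\d+)$"
)


def review_mac_log(log_text, allowlist):
    """Return findings: MACs not permitted on a port, and MACs that moved ports."""
    unknown = []                    # (timestamp, port, mac) not allowed on that port
    seen_ports = defaultdict(set)   # mac -> every port it was learned on
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # unrelated syslog line, skip it
        port, mac = int(m["port"]), m["mac"].lower()
        seen_ports[mac].add(port)
        if mac not in allowlist.get(port, set()):
            unknown.append((m["ts"], port, mac))
    # A known MAC showing up on a second port is worth a follow-up too.
    moved = {mac: sorted(p) for mac, p in seen_ports.items() if len(p) > 1}
    return {"unknown": unknown, "moved": moved}


if __name__ == "__main__":
    findings = review_mac_log(SAMPLE_LOG, ALLOWLIST)
    for ts, port, mac in findings["unknown"]:
        print(f"{ts}: unexpected MAC {mac} on port {port}")
    for mac, ports in findings["moved"].items():
        print(f"MAC {mac} seen on multiple ports: {ports}")
```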
Re: [WISPA] Ethernet based authentication
I do not really understand what you are trying to accomplish, but I do PPPoE
for my network. I have used it in a few other cases. It is fairly easy to
setup and should not limit anything on a Windows network. Call me if I can
be of help.

Jory Privett
WCCS
940.683.5797

----- Original Message -----
From: "John Scrivner" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 30, 2005 9:54 AM
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a local
government entity. They have people who have abused their Internet
connection in the past. They restrict who has Internet access and when it
can be used. One of our techs unknowingly circumvented protocol by helping
an employee learn how to connect his personal laptop to the hardwired
Ethernet network. Now the government entity is highly peeved at me. They
want a complete report on the incident and a plan for how I will prevent
people from doing this in the future at all locations. I am thinking we can
use PPPoE to force all users even on the hardwired network to authenticate
in order to get on the Internet. What are your thoughts? What will this
break on an internal network that may be doing other things? Could an
internal Windows network still function normally while the computer is not
authenticated for Internet access? I have never done PPPoE and need a little
guidance from those of you who have.
Many thanks,
Scriv
Re: [WISPA] Ethernet based authentication
PPPoE will break things like printers. I would use a HotSpot style
authentication and enable only the known machines. All other machines are
sent to a login page or are simply firewalled and prevented from doing
anything. HotSpot and PPPoE require that you have a radius server.

Lonnie

On 11/30/05, John Scrivner <[EMAIL PROTECTED]> wrote:
> Anyone out there have experience with PPPoE? I have a client who is a
> local government entity. They have people who have abused their Internet
> connection in the past. They restrict who has Internet access and when
> it can be used. One of our techs unknowingly circumvented protocol by
> helping an employee learn how to connect his personal laptop to the
> hardwired Ethernet network. Now the government entity is highly peeved
> at me. They want a complete report on the incident and a plan for how I
> will prevent people from doing this in the future at all locations. I am
> thinking we can use PPPoE to force all users even on the hardwired
> network to authenticate in order to get on the Internet. What are your
> thoughts? What will this break on an internal network that may be doing
> other things? Could an internal Windows network still function normally
> while the computer is not authenticated for Internet access? I have
> never done PPPoE and need a little guidance from those of you who have.
> Many thanks,
> Scriv

--
Lonnie Nunweiler
Valemount Networks Corporation
http://www.star-os.com/
Re: [WISPA] Ethernet based authentication
Our local school uses something that does what you are asking for the kids.
Check with your school. If that doesn't work I can get you the name and
number for who to ask here. I'm pretty sure it's done via some kind of
security server. Nothing so complicated as PPPoE.

BTW, I think that if the city doesn't want their own people on the network
they should make sure you know that before you do any work for them. How are
you possibly supposed to assume that an employee isn't allowed access?

And they ARE securing all of the drives and servers so that they aren't
shared with everyone, right?

good luck!
Marlon
(509) 982-2181 Equipment sales
(408) 907-6910 (Vonage) Consulting services
42846865 (icq) And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam

----- Original Message -----
From: "John Scrivner" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 30, 2005 7:54 AM
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a local
government entity. They have people who have abused their Internet
connection in the past. They restrict who has Internet access and when it
can be used. One of our techs unknowingly circumvented protocol by helping
an employee learn how to connect his personal laptop to the hardwired
Ethernet network. Now the government entity is highly peeved at me. They
want a complete report on the incident and a plan for how I will prevent
people from doing this in the future at all locations. I am thinking we can
use PPPoE to force all users even on the hardwired network to authenticate
in order to get on the Internet. What are your thoughts? What will this
break on an internal network that may be doing other things? Could an
internal Windows network still function normally while the computer is not
authenticated for Internet access? I have never done PPPoE and need a little
guidance from those of you who have.
Many thanks,
Scriv
Re: [WISPA] Ethernet based authentication
How did connecting a laptop circumvent how they access the Internet? Sounds
to me like the government entity does not restrict access to the Internet,
they restrict what a PC can get to on the PC. Seems like a bad approach. How
about a good ole proxy server that requires authentication to get out to the
Net? Or did I just plain miss something?

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

------ Original Message ------
From: John Scrivner <[EMAIL PROTECTED]>
To: wireless@wispa.org
Sent: Wed, 30 Nov 2005 09:54:46 -0600
Subject: [WISPA] Ethernet based authentication

> Anyone out there have experience with PPPoE? I have a client who is a
> local government entity. They have people who have abused their Internet
> connection in the past. They restrict who has Internet access and when
> it can be used. One of our techs unknowingly circumvented protocol by
> helping an employee learn how to connect his personal laptop to the
> hardwired Ethernet network. Now the government entity is highly peeved
> at me. They want a complete report on the incident and a plan for how I
> will prevent people from doing this in the future at all locations. I am
> thinking we can use PPPoE to force all users even on the hardwired
> network to authenticate in order to get on the Internet. What are your
> thoughts? What will this break on an internal network that may be doing
> other things? Could an internal Windows network still function normally
> while the computer is not authenticated for Internet access? I have
> never done PPPoE and need a little guidance from those of you who have.
> Many thanks,
> Scriv

--- End of Original Message ---