Re: [WISPA] Ethernet based authentication

2005-12-03 Thread John Thomas

They can do either depending on configuration


John

Richard Munoz wrote:

I thought that these switches would deny the Source MAC Address 
instead of disabling the entire port.


-Richard M.

A little more info would be good. If they want to authenticate 
everyone, then 802.1x switches are available-if you don't 
authenticate, your port turns off. If they just want to limit 
Internet access, Websense or St. Bernard make products to do that.


John

--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/




Re: [WISPA] Ethernet based authentication

2005-12-01 Thread Tom DeReggi

John,

The concern for PPPoE is whether client sessions will re-establish 
automatically after disconnects of the link.
For example, if a Pre-N Belkin router is used for an end user link, and I 
disconnect their service, for example by rebooting a Trango AP at the cell site 
or from significant packet loss causing the link to degrade for too long a 
period, the Belkin will NOT try to re-establish the PPPoE connection until 
the Belkin router is physically rebooted. This was a problem for us, because 
it generated support calls to get users back up after a reboot of our APs, 
and often customers would experience much longer outages before they 
realized they just needed to reboot their own in-house Belkin router.  We 
also ran into this with several Netgear router models.  What you want is a 
router that tries to log in automatically and continuously if it loses 
connection.  Our Linksys routers work great, and auto-reconnect with no 
problems.  So PPPoE had created an issue where we had to dictate what 
equipment an end user could use on our network, if we set them up as PPPoE. 

PPPoE is a tunnel client-to-server protocol, so both a server and client need 
to be aware of whether a session is connected or disconnected, and it can be 
disconnected from either side.  This timeout for disconnect can be set on 
the server side.  For example, if you set a disconnect time of 5 seconds at 
the server, if there is some packet loss, the server might terminate a 
session prematurely waiting for communication that it never receives from 
the CPE at that time, and then the client router does not know that the 
connection is terminated and doesn't know to try to re-establish a connection 
because it does not know it's down, or at least not for a period of time. So 
you don't want the timeout at the server to be too small. Now if you make the 
timeout large, let's say 1 minute: if there is packet loss, and the client 
thinks the connection has been terminated because of its inability to get to the 
server for a short period, it will disconnect and try to re-establish a 
connection; however, it will not be able to for 1 minute. This is because the 
server thinks the original session is still active and will not clear the 
original session to allow the next session to reconnect, and two sessions are 
not allowed at the same time.  This can cause outages longer than normal, 
where a 5 second outage turns into a 1 minute outage. Not a big deal for 
residential, but for business where the links may be monitored by third 
parties, it can be an added pain in the neck. The problem can be solved by 
allowing multiple connections of a PPPoE login, but then there is a security 
issue where two people can connect at the same time with the same password. 
These problems are not a big deal to deal with, you just need to be aware of 
them, for designing your PPPoE system.


When PPPoE is established, you can not access the client via an ARP ping, 
because the protocol does not support that. I forget the exact technical 
explanation, but it's something like it does support broadcasts because it's 
not using TCP/IP at that point; it's using its own protocol at layer two for 
communication.  So to tell if a client is up, you do it by monitoring the 
session logs at the server.


We do the PPPoE server apps at the first hop. We do the authentication at 
the cell router with our own implementation that integrates to our router 
provisioning system, but most people have it relay to a remote 
authentication system centrally such as a RADIUS server.


PPPoE now means every client needs either a PPPoE router or software loaded 
that supports PPPoE. Many represent that XP's built-in PPPoE support works 
well, but we don't use it yet.


PPPoE does reduce the packet size, so it is no longer a full 1500 bytes. So 
end users sometimes need to configure their VPN software if using one, to 
adjust for that situation, an added headache. However, most VPNs we tested 
pass through PPPoE OK.


PPPoE also does have significant overhead. You could limit the total number 
of connections you can support, because of the bandwidth that is wasted for 
the tunneling protocol. However I do not remember what that limit is; we have 
not hit it yet. But that is why we operate the PPPoE server at the first 
hop, to reduce the PPPoE server traffic/overhead across the network; it 
also makes it more reliable for session management. The more links, and 
packet loss possible end to end, the greater the chance of session disconnects. 
The fact that many hops may be needed to get to the authentication system 
(RADIUS) really doesn't matter because it's not part of the client-server 
session end to end.


We have chosen not to use PPPoE because of these issues, except for some 
residential customers that are required to use Linksys routers.  However, 
I'm aware of some ISPs that have successfully used PPPoE as a protocol for 
EVERY customer as a requirement. They generally do it to ease their 
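The timeout interaction Tom describes above (short server timeout strands the client; long server timeout blocks the client's reconnect; allowing duplicate sessions fixes the delay at the cost of shared-password double logins) is easy to get wrong by intuition, so here is a small timeline model of it. This is an added example, not code from the thread or from any PPPoE server; it assumes each side declares the session dead a fixed number of seconds after the last packet it heard from the peer (real PPPoE uses LCP echo-request/echo-reply with a failure count), that the CPE retries continuously once it has given up, and that the link outage starts at t=0. The function and scenario names are my own.

```python
"""Timeline model of the PPPoE session-timeout mismatch described in the thread.

Added example, not from the original post and not a PPPoE implementation.
Assumptions (constructed for illustration): the link fails at t=0 for
`link_down` seconds; the server drops a silent session after `server_timeout`
seconds; the CPE drops it after `client_timeout` seconds and then retries
continuously; a retry only succeeds once the link is back AND the server no
longer holds the stale session (unless duplicate sessions are allowed).
"""


def outage_seconds(link_down, server_timeout, client_timeout,
                   allow_duplicate_session=False):
    """Seconds from the link failure until the customer passes traffic again."""
    # Neither side noticed the blip: the session simply resumes when the
    # link returns, so the outage is just the physical outage.
    if link_down < server_timeout and link_down < client_timeout:
        return link_down

    # Otherwise the CPE's first real reconnect attempt happens once it has
    # given up on the old session AND the link is physically usable again.
    first_attempt = max(client_timeout, link_down)

    # That attempt succeeds at once if the server already cleared the stale
    # session (its own timer expired) or tolerates a second session for the
    # same login; otherwise every attempt fails until the server timer fires.
    if allow_duplicate_session or server_timeout <= first_attempt:
        return first_attempt
    return server_timeout


def scenarios():
    """The cases from the thread, plus a balanced-timeout pair for comparison."""
    return {
        # Server gives up in 5 s, CPE not until 60 s: server tears the session
        # down, the CPE keeps using a dead session until its own timer fires.
        "server 5s / client 60s / 10s blip": outage_seconds(10, 5, 60),
        # Server holds for 60 s, CPE gives up at 5 s: the new PADI is refused
        # while the old session sits in the server's table -> 5 s becomes 60 s.
        "server 60s / client 5s / 5s blip": outage_seconds(5, 60, 5),
        # Same, but duplicate sessions per login allowed: the 5 s outage stays
        # 5 s, at the price Tom notes (two users can share one password).
        "server 60s / client 5s / 5s blip / duplicates ok":
            outage_seconds(5, 60, 5, allow_duplicate_session=True),
        # Timers matched: the outage is never longer than the link blip.
        "server 20s / client 20s / 10s blip": outage_seconds(10, 20, 20),
        "server 20s / client 20s / 30s blip": outage_seconds(30, 20, 20),
    }


if __name__ == "__main__":
    for name, seconds in scenarios().items():
        print(f"{name:50s} -> {seconds:5.1f} s of outage")
```

The last two scenarios are the practical takeaway: when the server's idle timeout and the CPE's reconnect timer are roughly equal, the outage the customer sees is just the real link outage, and there is no need to permit duplicate sessions to get there.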

Re: [WISPA] Ethernet based authentication

2005-12-01 Thread Butch Evans

On Wed, 30 Nov 2005, John Scrivner wrote:

complete report on the incident and a plan for how I will prevent 
people from doing this in the future at all locations. I am 
thinking we can use PPPoE to force all users even on the hardwired 
network to authenticate in order to get on the Internet. What are 
your thoughts? What will this break on an internal network that may


You may want to look at hotspot as a solution, too.  The main 
advantage here is that it can be made fairly easy (depending on the 
hotspot controller) for them to manage.  PPPoE is a good solution, 
but in some cases, requires them to change settings on the local 
machine (or worse...install a client) in order to access the 
internet.  If the network behind the hotspot is flat, the hotspot 
will not break anything (nor will PPPoE).


--
Butch Evans
BPS Networks  http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)


Re: [WISPA] Ethernet based authentication

2005-12-01 Thread Butch Evans

On Wed, 30 Nov 2005, Lonnie Nunweiler wrote:

doing anything. HotSpot and PPPoE require that you have a radius 
server.


Not necessarily.  Some implementations, this is true, but not all. 
(FWIW, the radius server DOES make management easier.)


--
Butch Evans
BPS Networks  http://www.bpsnetworks.com/
Bernie, MO
Mikrotik Certified Consultant
(http://www.mikrotik.com/consultants.html)


Re: [WISPA] Ethernet based authentication

2005-12-01 Thread Richard Munoz
I thought that these switches would deny the Source MAC Address instead of 
disabling the entire port.


-Richard M.

A little more info would be good. If they want to authenticate everyone, 
then 802.1x switches are available-if you don't authenticate, your port 
turns off. If they just want to limit Internet access, Websense or St. 
Bernard make products to do that.


John



Re: [WISPA] Ethernet based authentication

2005-11-30 Thread Scott Reed




How did connecting a laptop circumvent how they access the Internet?  Sounds to me like the government entity does not restrict access to the Internet, they restrict what a PC can get to on the PC.  Seems like a bad approach.  How about a good ole proxy server that requires authentication to get out to the Net?
Or did I just plain miss something?

Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

-- Original Message ---
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Wed, 30 Nov 2005 09:54:46 -0600
Subject: [WISPA] Ethernet based authentication

Anyone out there have experience with PPPoE? I have a client who is a 
local government entity. They have people who have abused their Internet 
connection in the past. They restrict who has Internet access and when 
it can be used. One of our techs unknowingly circumvented protocol by 
helping an employee learn how to connect his personal laptop to the 
hardwired Ethernet network. Now the government entity is highly peeved 
at me. They want a complete report on the incident and a plan for how I 
will prevent people from doing this in the future at all locations. I am 
thinking we can use PPPoE to force all users even on the hardwired 
network to authenticate in order to get on the Internet. What are your 
thoughts? What will this break on an internal network that may be doing 
other things? Could an internal Windows network still function normally 
while the computer is not authenticated for Internet access? I have 
never done PPPoE and need a little guidance from those of you who have.

Many thanks,
Scriv
--- End of Original Message ---








Re: [WISPA] Ethernet based authentication

2005-11-30 Thread Marlon K. Schafer (509) 982-2181
Our local school uses something that does what you are asking for the kids. 
Check with your school.


If that doesn't work I can get you the name and number for who to ask here.

I'm pretty sure it's done via some kind of security server.  Nothing so 
complicated as pppoe.


BTW, I think that if the city doesn't want their own people on the network 
they should make sure you know that before you do any work for them.  How 
are you possibly supposed to assume that an employee isn't allowed 
access?


And they ARE securing all of the drives and servers so that they aren't 
shared with everyone right?


good luck!
Marlon
(509) 982-2181   Equipment sales
(408) 907-6910 (Vonage)Consulting services
42846865 (icq)And I run my own wisp!
64.146.146.12 (net meeting)
www.odessaoffice.com/wireless
www.odessaoffice.com/marlon/cam



- Original Message - 
From: John Scrivner [EMAIL PROTECTED]

To: wireless@wispa.org
Sent: Wednesday, November 30, 2005 7:54 AM
Subject: [WISPA] Ethernet based authentication


[ snip ]


Re: [WISPA] Ethernet based authentication

2005-11-30 Thread Lonnie Nunweiler
PPPoE will break things like printers.  I would use a HotSpot style
authentication and enable only the known machines.  All other machines
are sent to a login page or are simply firewalled and prevented from
doing anything. HotSpot and PPPoE require that you have a radius
server.

Lonnie

On 11/30/05, John Scrivner [EMAIL PROTECTED] wrote:
 [ snip ]



--
Lonnie Nunweiler
Valemount Networks Corporation
http://www.star-os.com/


Re: [WISPA] Ethernet based authentication

2005-11-30 Thread Jory Privett
I do not really understand what you are trying to accomplish, but I do PPPoE 
for my network.  I have used it in a few other cases.  It is fairly easy to 
set up and should not limit anything on a Windows network.  Call me if I can 
be of help.

Jory Privett
WCCS
940.683.5797

- Original Message - 
From: John Scrivner [EMAIL PROTECTED]
To: wireless@wispa.org
Sent: Wednesday, November 30, 2005 9:54 AM
Subject: [WISPA] Ethernet based authentication


[ snip ]




Re: [WISPA] Ethernet based authentication

2005-11-30 Thread David E. Smith

John Scrivner wrote:

Anyone out there have experience with PPPoE?.


[ snip ]

Based on the scenario you've described, PPPoE may not be the best 
solution. It'll probably break a lot of Windows-specific stuff (printer 
and file sharing leap to mind). Those could be worked around with a 
sufficiently complex firewall setup, but it might be more trouble than 
it's worth.


A few other ideas pop into mind right off:

* Many higher-end managed switches can be set up to only allow specified 
MAC addresses network access. You could do a network audit, get a list 
of all the allowed MACs in a location, and tell the switch to drop other 
traffic. Think wireless MAC authentication only with wires. :)


* Put all the important stuff in a separate subnet and require VPN 
logins to access it. Configure the firewall to only allow access from 
IPs allocated to the VPN subnet. This won't keep someone from bringing 
in their own laptop and connecting to the VPN, but at least you'll know 
who did it. You could do this with StarOS, RouterOS, or even 
Windows/Active Directory if you're brave enough.


* Fear and paranoia. Spread the word that the network is regularly 
monitored for unauthorized access, and that unauthorized MACs being seen 
from your port on the switch could be a write-up/lose-your-job offense. 
Use a managed switch that can record MAC-to-physical-port associations, 
and dump the logs somewhere. If you're really ambitious, actually review 
the logs on occasion and follow up on those threats :D


David Smith
MVN.net
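David's last two suggestions (a per-port MAC allowlist on a managed switch, and actually reviewing the switch's MAC-to-port records instead of only threatening to) both come down to the same audit: compare what the switch currently sees on each port with the baseline from the network audit. Below is an added example of that review step in Python; it is not code from the thread or from any switch vendor. The baseline allowlist and the table dump are constructed samples (the dump mimics the `vlan / mac / type / port` columns many switches print, but column order varies by vendor, so adjust `parse_table` for the real output). It finds three things a reviewer would care about: a MAC that has never been seen on a listed port, a known MAC that has moved to a different port, and activity on a port that has no baseline entry at all. The same caveat David makes for wireless applies here: a MAC address is trivially changed on most laptops, so this catches the careless, not a determined spoofer.

```python
"""Audit a switch MAC-to-port table against a per-port allowlist.

Added example, not from the WISPA thread or any vendor. The allowlist and the
table dump below are constructed samples; real `show mac address-table`
output differs in layout by vendor, so parse_table() may need adjusting.
"""
import re

# Constructed baseline: the MACs the last network audit found on each port.
# Gi0/3 has two entries, e.g. a PC daisy-chained behind a VoIP phone.
ALLOWED = {
    "Gi0/1": {"00:11:22:33:44:01"},
    "Gi0/2": {"00:11:22:33:44:02"},
    "Gi0/3": {"00:11:22:33:44:03", "00:11:22:33:44:13"},
}

# Constructed dump in the common "vlan  mac  type  port" layout.
SAMPLE_TABLE = """\
Vlan    Mac Address        Type      Ports
----    -----------        ----      -----
  10    0011.2233.4401     DYNAMIC   Gi0/1
  10    0800.2712.3456     DYNAMIC   Gi0/1
  10    0011.2233.4402     DYNAMIC   Gi0/2
  10    0011.2233.4403     DYNAMIC   Gi0/3
  10    0011.2233.4413     DYNAMIC   Gi0/3
  10    0011.2233.4402     DYNAMIC   Gi0/4
  10    00e0.4c12.ab9f     DYNAMIC   Gi0/7
"""


def normalize_mac(raw):
    """Accept 0011.2233.4401, 00-11-22-33-44-01 or 00:11:22:33:44:01 forms
    and return lowercase colon-separated; raise ValueError for non-MACs."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_table(text):
    """Return (port, mac) pairs from a table dump, skipping header lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue  # header or separator row, not a MAC entry
        pairs.append((fields[3], mac))
    return pairs


def audit(pairs, allowed):
    """Compare observed (port, mac) pairs with the baseline.

    Returns a list of (kind, port, mac, detail) tuples:
      moved         - a baselined MAC seen on a port other than its own
      unknown-mac   - a never-seen MAC on a port that has a baseline
      unlisted-port - traffic on a port the baseline does not cover
    """
    baseline_port = {mac: port for port, macs in allowed.items() for mac in macs}
    findings = []
    for port, mac in pairs:
        if mac in allowed.get(port, set()):
            continue  # exactly where the audit said it should be
        if mac in baseline_port:
            findings.append(("moved", port, mac,
                             f"baseline port {baseline_port[mac]}"))
        elif port in allowed:
            findings.append(("unknown-mac", port, mac,
                             "not in baseline for this port"))
        else:
            findings.append(("unlisted-port", port, mac,
                             "port has no baseline entry"))
    return findings


def run_sample():
    """Audit the constructed dump against the constructed baseline."""
    return audit(parse_table(SAMPLE_TABLE), ALLOWED)


if __name__ == "__main__":
    for kind, port, mac, detail in run_sample():
        print(f"{kind:14s} {port:7s} {mac}  ({detail})")
```

Run against the sample it reports three findings: an unknown MAC alongside the expected one on Gi0/1 (a second device hung off that jack), the Gi0/2 MAC now appearing on Gi0/4 (either the PC moved or someone cloned its address), and an unlisted port Gi0/7 with an unfamiliar MAC. Feeding it a dump captured on a schedule, and keeping the previous dump to diff against, is the "actually review the logs" part.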


Re: [WISPA] Ethernet based authentication

2005-11-30 Thread John Thomas

John Scrivner wrote:

[ snip ]


A little more info would be good. If they want to authenticate everyone, 
then 802.1x switches are available-if you don't authenticate, your port 
turns off. If they just want to limit Internet access, Websense or St. 
Bernard make products to do that.


John
