How do you stop non-domain members

[techyphil]

Happy new year all,

This is my first 2010 post and was wondering if there was a simple way (other then saying no) to allow student laptops on your network for internet access whilst preventing them browsing network shares.

We've locked our shares down as much as possible, but shares are required by software which is open and we don't want anybody just copying files off the network.

I've thought about RADIUS and VLAN but who actually has such a system in place and what costs are involved?


Many thanks

[TheLibrarian]

What exactly do you want them to be able to do on the network?

[Ric_]

The easiest way to go about it is to implement a system such as Ruckus Wireless that can create a guest wireless VLAN.

It's worth bearing in mind though that any Microsoft services (e.g. authentication, Exchange, etc.) will attract additional licensing costs.

[techyphil]

Well I just want visitors or student's personal laptops to just be able to access the Internet without the stresses of them backslashing around "\\server"

Ok thanks, how do you guys do it though?

[azrael78]

We've done what you're looking at - while we didn't use Ruckus, our licensing agreement with MS lets us use things like ISA Server, this may or may not be an option for you.

In short:

Pick up some Wireless APs - put these in a separate VLAN and IP Range from the rest of your network, thus creating a perimeter.

Your wireless clients will then get IPs from the server you choose to sit on that wireless network and hand out DHCP/DNS and other services.

As I'm not familiar with Ruckus - I can't help you much with that but ZeroShell is a free Linux-based 'captive portal' solution. It can integrate with AD or any other kind of database if you need authentication.

This way - your clients just come in, connect to your wifi and surf away, they can't access the main network as that's a separate thing entirely.

It's hard to put what you can do into words without saying 'Use ISA Server' - as that's what we use.
Hopefully something I've said here will give you some ideas as to how you can achieve this with hopefully, little expenditure and a little bit of work to get it initially working.

HTH,

Az

[techyphil]

hey thanks azrael78,

I'm going to look at that this weekend and I'll let you know how I get on. It sounds like an ideal CHEAP solution!!

Thx again

[stevehill06]

maybe use Smoothwall instead of ISA Server. You could probably use Smoothwall Express, not 100% sure thou.

Cheers,
Steve

[azrael78]

I wasn't sure if Smoothwall could do what he's asking but if there's any chance - go for it.
It'll undoubtedly be cheaper than ISA and if you have issues with it, we have several people here on the forums who use it and love it.

Az

[mrforgetful]

We've just recently started something like this using Bluesocket.

Can print off timebased accounts for visitors or student laptops which just connect to a visible network and go straight onto the net, domain laptops automatically see and connect to a hidden SSID which can access our network.

[Psymon]

For internet only access we used our existing wireless (not tagged to a guest vlan) and then using RADIUS moved the clients to a seperate VLAN for guest access.

This was then filtered with an ACL on the switch (on the guest vlan) to only allow access to DC's for DNS and DHCP (port based) and the firewall for 80 and 443 (HTTP / S).

Works fine

[speckytecky]

If you are Windows Server 2008 you should have access to a service called Network Access Protection
http://technet.microsoft.com/en-us/n.../bb545879.aspx