Internet Related/Filtering/Firewall Thread, BYOD Connecting to network in Technical
  1. #1



    BYOD Connecting to network

    We have a (part) MERU wireless system and smoothwall.

    I'd like to be able to offer access without giving out a key. So the user will connect to the access point, they will then be prompted for their network credentials and authenticate with the domain. No authentication, no access. Authenticate OK and it doesn't matter what device it is, you are in.

    Is this possible?

  2. #2
    JonThompson's Avatar
    You will require a Radius server. The Meru Wireless controller can be configured to act as a Radius server which would allow access via AD authentication (or so I'm led to believe).

  3. Thanks to JonThompson from:

    pcstru (4th December 2012)

  4. #3

    twin--turbo's Avatar
    Yes

    You will need a radius server configured on your DC.

    You will need a radius entry in the meru "Configuration > Security > Radius"
    You will need a security Profile "configuration > security > profile" to use the radius server
    You will want an ESS "configuration > wireless > ess" to use the security profile


    HOWEVER...

    Are you going to be restricting what they can do once connected to your network?

    Are you vlanning, port ACLing?

    Rob
    Last edited by twin--turbo; 4th December 2012 at 11:06 AM.

  5. Thanks to twin--turbo from:

    pcstru (4th December 2012)

  6. #4
    maark's Avatar
    I thought smoothwall could do the authentication with AD accounts - that's what I am planning here but not got round to setting it up yet.

  7. #5

    Quote: Originally posted by maark
    I thought smoothwall could do the authentication with AD accounts - that's what I am planning here but not got round to setting it up yet.
    It can, but I'm guessing they're talking about authentication for the Wireless prior to Smoothwall authentication.

    We leave our BYOD network as an open wireless network. When a user connects and then tries browsing the web they get the Smoothwall SSL login prompt, at which point they enter their username & password and can then start browsing the internet on their device with their normal filter policy. I've created a Smoothwall policy towards the top policy of the web filter policy to block everything for Year7-11 students on the BYOD subnet (added as a location) as we only allow Sixth Form and Staff on the BYOD network.

  8. #6

    Geoff's Avatar
    You want to VLAN off BYOD stuff as you have no idea what they are using and have no control over it. Ideally you want to check these devices before you let them on your network too. I do this with PacketFence myself.

    PacketFence: Open Source NAC (Network Access Control)

  9. Thanks to Geoff from:

    Abaddon (4th December 2012)

  10. #7

    twin--turbo's Avatar
    Quote: Originally posted by Ashm
    It can, but I'm guessing they're talking about authentication for the Wireless prior to Smoothwall authentication.

    We leave our BYOD network as an open wireless network. When a user connects and then tries browsing the web they get the Smoothwall SSL login prompt, at which point they enter their username & password and can then start browsing the internet on their device with their normal filter policy. I've created a Smoothwall policy towards the top policy of the web filter policy to block everything for Year7-11 students on the BYOD subnet (added as a location) as we only allow Sixth Form and Staff on the BYOD network.

    Do you have encryption? If not then the UN/PW is being fired over the air with no encryption.

    We have an easy SSID passphrase and encrypted traffic.

    Rob

  11. #8

    Quote: Originally posted by twin--turbo
    Do you have encryption? If not then the UN/PW is being fired over the air with no encryption.

    We have an easy SSID passphrase and encrypted traffic.

    Rob
    BYOD network is VLAN'd off with no access to main network, smoothwall is the gateway/dns/dhcp. UN/PW is going via the Smoothwall SSL login. Also client isolation is set up on this wireless network.

  12. Thanks to Ashm from:

    maark (4th December 2012)
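
The question raised in posts #7 and #8, whether portal credentials cross an open SSID in clear text, can be checked from a saved copy of the portal login page. This is an added example, not code from any poster or from Smoothwall; the host name `portal.example.test` and both sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginFormFinder(HTMLParser):
    """Collect the action URL of every <form> that holds a password input."""

    def __init__(self):
        super().__init__()
        self._in_form = False
        self._action = ""            # action of the form currently open
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._in_form = True
            self._action = attrs.get("action") or ""
        elif tag == "input" and self._in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.password_form_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def portal_login_findings(page_url, html):
    """Return a list of problems with how a portal page submits credentials."""
    finder = _LoginFormFinder()
    finder.feed(html)
    if not finder.password_form_actions:
        return ["no password form found"]
    findings = []
    # A page fetched over plain HTTP can be altered before the user sees it.
    if urlparse(page_url).scheme != "https":
        findings.append("login page itself served without TLS")
    for action in finder.password_form_actions:
        target = urljoin(page_url, action)   # empty action resolves to page_url
        if urlparse(target).scheme != "https":
            findings.append("credentials posted in clear to " + target)
    return findings


# Constructed sample pages (hypothetical host, not a real portal's markup).
GOOD = '<form method="post" action="/login"><input name="u"><input type="password" name="p"></form>'
BAD = '<form method="post" action="http://portal.example.test/login"><input type="Password" name="p"></form>'
```

An empty result only covers the login submission; traffic after login on an open SSID still depends on each site's own TLS.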

  13. #9


    Quote: Originally posted by twin--turbo
    Are you going to be restricting what they can do once connected to your network?

    Are you vlanning, port ACLing?
    Many thanks.

    We do VLAN traffic. Our current set up requires that they have a wireless key and they then authenticate with smoothwall and only get filtered http or https traffic.

    I'd like to be able to open up the protocols a little more so staff (and possibly students) can connect IMAP/POP3, SIP etc.

  14. #10

    twin--turbo's Avatar
    Ours is nice and simple as we just let the pupils access one server on :443 (our VDI) and that is all. This is via a Captive portal on pfSense, the meru just vlans the Student BYOD ESS to that machine.

    We are not implementing AD integration as yet, we are starting small with 6FM users that have to register for the service accepting the AUP. We will add them to the users on the Portal.

    Once evaluated we will look at the need for Directory integration.

    Rob
