Internet Related / Filtering / Firewall thread (Technical forum): Access schools internet but not the school network??
13th January 2012, 03:21 PM #1 Access schools internet but not the school network??
We regularly have guest users come to the school who want to plug in their laptops purely to access the internet. We are now also looking to lease out a room in one of our buildings, and the tenants would like internet access too.
Is there a way that I can provide internet access to these guest users without having to worry about viruses or about them accessing/browsing our network?
They will need to have their proxy set up via a PAC, or if not I can tell them the details to enter themselves?
Thanks in advance
14th January 2012, 12:27 AM #2
Create a separate VLAN or LAN and put a transparent proxy in. Are you looking to use wireless or wired? A lot of the managed networks have the functionality to do this.
19th January 2012, 03:24 PM #3
Thanks Matthew,
We only have a few cheap wireless access points around the school. Most would be plugging into the network directly.
Would I set up the VLAN on the main switch?
How would the network know whether these computers are domain PCs/printers/etc. or whether they are guest machines? Does a WPAD or PAC file do this?
Thanks in advance
19th January 2012, 04:24 PM #4
The ports on the switch would be assigned to the new VLAN that you configure on them. Any devices connected to those ports would not be able to communicate with your main network unless you set up routing between the two, if you ever wanted to, which I assume you don't. What switching hardware do you have, though?
19th January 2012, 04:52 PM #5
Cheers. We are all ProCurve, with the main switch being the 53XX series.
In case I haven't explained correctly: I would like any school PC/printer/laptop to be able to be plugged in anywhere on the network and have everyday default network access. BUT THEN, any guest PC/laptop that gets plugged in to any of these same network sockets should not be connected to the network, apart from being able to use the internet.
So I was hoping that a WPAD/PAC solution could maybe see that the laptop wasn't on the domain or something, meaning it would get connected to the VLAN and also be issued with an IP, and the proxy set to point to our Smoothwall box using port 9000, which we use for guest access to the internet.
Is this possible?
Last edited by burgemaster; 19th January 2012 at 08:27 PM.
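A PAC file cannot do what the post above hopes for: it runs inside the browser after the machine already has an address, so it can only say which proxy to use, not detect domain membership or move a port onto a VLAN (that part is the switch's job, as the replies below explain). As an added illustration, not code from the thread, here is the kind of PAC the guest VLAN could hand out. It sends all external browsing to the Smoothwall guest proxy on port 9000 (the port is from the thread; the hostname smoothwall.example.internal is a placeholder) and answers DIRECT for private addresses and dotless names, so a proxy that sits on the internal side is never asked to relay a guest's request into the school LAN.

```javascript
// Added example PAC file, not taken from the thread. Placeholder/assumed values:
// the Smoothwall guest proxy hostname (smoothwall.example.internal); only the
// port, 9000, comes from the thread. A PAC file only tells a browser which
// proxy to use; it cannot detect domain membership or move a port between VLANs.

var GUEST_PROXY = "PROXY smoothwall.example.internal:9000";

// Names the guest browser may reach without the proxy: loopback and the proxy itself.
var DIRECT_HOSTS = ["localhost", "127.0.0.1", "smoothwall.example.internal"];

// RFC 1918 check done with plain string/regex logic so the same file behaves
// identically in a browser's PAC engine and in Node (no reliance on isInNet()).
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  // Dotless names and private addresses belong to the school LAN, which the
  // guest VLAN has no route to. Returning DIRECT makes such requests fail at the
  // switch instead of being relayed by a proxy that sits on the internal side.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes through the filtering proxy only. Deliberately no
  // "; DIRECT" fallback: a guest must not get unfiltered access just because
  // the proxy is unreachable.
  return GUEST_PROXY;
}
```

Serve this file only from the guest VLAN (via DHCP option 252 or a wpad host in the guest VLAN's DNS) so staff machines, which get their own proxy settings from Group Policy, never pick it up.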
19th January 2012, 11:29 PM #6
On our wireless network, we use 802.1x, IAS, Group Policy, and Active Directory security groups to manage VLAN access. I'd think the same thing could be done with wired ports. Domain computer accounts would get internal VLANs and guests would need to set up 802.1x and authenticate as the guest account to be on the guest network. There might be a way to set a default for switches so that non-authenticated devices are on the guest VLAN. I don't know about that.
I can't post URLs here yet. Do a Google search for "802.1x procurve" and check out those results. HP has a document on doing this and there is one from Avaya that looked good.
Thanks to rwilson from: Roberto (20th January 2012)
6th February 2012, 12:09 PM #7
According to what I have just read of the HP docs, the 53XX series does allow you to allocate un-authenticated ports to a guest VLAN, so 802.1x authentication should work for you, but this is likely to require all of your printers, etc. to be set up for 802.1x. An alternative would be to use MAC-based authentication and a RADIUS server (to specify which VLAN a port should be assigned to, based on a MAC address list held on the server). You should really hold a list of MAC addresses for your authorised equipment in any case (and your DHCP logs can give you a head start in defining one).
You would then need a transparent proxy, or WPAD(?), to support the devices on your guest VLAN. Something like a RouterBoard (inexpensive) should be able to do either of these, but I haven't tried this myself.
Apparently there are drawbacks to using 802.1x on the HPs: if the switch goes off-line, then all the devices attached to the network will need to re-authenticate before they can use the network again. Though I think that this may be due to problems with the FreeRADIUS server in particular.
A problem with MAC addresses is that an attacker can spoof a valid one and get on your authorised VLAN, but this may not be a big risk for you.
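The suggestion above that DHCP logs give a head start on the MAC list can be scripted. The following is an added example, not code from the thread, from HP or from the FreeRADIUS project: it reads ISC dhcpd-style DHCPACK syslog lines (the sample lines are constructed), builds a de-duplicated allow-list of MACs with the hostname and address each was last seen with, and emits FreeRADIUS `users` entries carrying the Tunnel-* attributes that a switch doing MAC-based authentication turns into a VLAN assignment. Assumed, because the thread does not say: the staff VLAN id is 10, and the switch is set to send the MAC as both username and password in lowercase with no separators (check the switch's MAC address format setting against what the RADIUS server expects). Because a MAC can be spoofed, as the post notes, the generated list is an inventory control rather than a strong authenticator; keep the RADIUS authentication log so an unexpected port or time for a known MAC can be spotted.

```javascript
// Added example, not from the thread. Turns ISC dhcpd DHCPACK log lines into a
// MAC allow-list and emits FreeRADIUS "users" entries that return VLAN attributes.
// Assumptions: staff VLAN id 10; the switch sends the MAC as username and
// password in lowercase with no separators. The log lines below are constructed.

const SAMPLE_LOG = [
  "Jan 19 15:02:11 dhcp1 dhcpd: DHCPACK on 10.1.20.14 to 00:1b:78:aa:bb:cc (PRINT-LIB1) via eth0",
  "Jan 19 15:02:40 dhcp1 dhcpd: DHCPACK on 10.1.20.31 to 00:21:5a:11:22:33 (LAB-PC07) via eth0",
  "Jan 19 15:03:05 dhcp1 dhcpd: DHCPREQUEST for 10.1.20.31 from 00:21:5a:11:22:33 (LAB-PC07) via eth0",
  "Jan 19 15:04:50 dhcp1 dhcpd: DHCPACK on 10.1.20.14 to 00:1B:78:AA:BB:CC (PRINT-LIB1) via eth0",
  "Jan 19 15:05:12 dhcp1 dhcpd: DHCPACK on 10.1.20.77 to 70:5a:0f:de:ad:01 via eth0",
].join("\n");

// Only DHCPACK lines prove a lease was actually handed out; the optional
// "(hostname)" group is absent when the client sent no hostname.
const ACK_RE = /DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?: \(([^)]*)\))? via/i;

// Canonical form used as the RADIUS username: lowercase, no separators.
function normaliseMac(mac) {
  return mac.toLowerCase().replace(/[^0-9a-f]/g, "");
}

// Returns Map<mac, { ip, hostname, acks }>; the same MAC logged in different
// letter cases collapses into one entry.
function macsFromDhcpLog(logText) {
  const seen = new Map();
  for (const line of logText.split("\n")) {
    const m = ACK_RE.exec(line);
    if (!m) continue;
    const mac = normaliseMac(m[2]);
    const entry = seen.get(mac) || { ip: m[1], hostname: "", acks: 0 };
    entry.ip = m[1];
    if (m[3]) entry.hostname = m[3];
    entry.acks += 1;
    seen.set(mac, entry);
  }
  return seen;
}

// One FreeRADIUS "users" entry per MAC: check item on the first line, reply
// items indented beneath it, commas between all but the last reply item.
function usersFileEntries(macs, vlanId) {
  const lines = [];
  const sorted = [...macs.entries()].sort((a, b) => a[0].localeCompare(b[0]));
  for (const [mac, info] of sorted) {
    lines.push(`# ${info.hostname || "(no hostname)"} last seen at ${info.ip}, ${info.acks} DHCPACK(s)`);
    lines.push(`${mac}\tCleartext-Password := "${mac}"`);
    lines.push("\tTunnel-Type = VLAN,");
    lines.push("\tTunnel-Medium-Type = IEEE-802,");
    lines.push(`\tTunnel-Private-Group-Id = "${vlanId}"`);
    lines.push("");
  }
  // Anything not listed is rejected; the switch then parks that port on its
  // unauthenticated (guest) VLAN, which is the behaviour the thread is after.
  lines.push("DEFAULT\tAuth-Type := Reject");
  return lines.join("\n");
}

// Stand-alone use: node this-file.js > users.generated
if (typeof require !== "undefined" && require.main === module) {
  console.log(usersFileEntries(macsFromDhcpLog(SAMPLE_LOG), 10));
}
```

Review the generated file before installing it: a MAC that only ever appears with a guest-looking hostname, or one seen from an unexpected subnet, should be left out rather than waved through by the script.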