Internet Related/Filtering/Firewall Thread, Access schools internet but not the school network?? in Technical; We regularly have guest users come to the school and want to plug in their laptops to purely access the ...
  1. #1


    Access schools internet but not the school network??

    We regularly have guest users come to the school and want to plug in their laptops to purely access the internet. We now also are looking to lease out a room in one of our buildings and they too would like internet access.
    Is there a way that I can provide internet access to these guest users without having to worry about viruses/accessing/browsing our network?
    They will need to have their proxy set up via a PAC, or if not I can tell them the details to enter themselves?

    Thanks in advance

  2. #2

    Create a separate VLAN or LAN and put a transparent proxy in. Are you looking to use wireless or wired? A lot of the managed networks have the functionality to do this.

  3. #3

    Thanks Matthew,

    We only have a few cheap wireless access points around the school. Most would be plugging into the network directly.
    Would I set up the VLAN on the main switch?
    How would the network know whether these computers are domain PCs/printers/etc. or whether they are guest machines? Does a WPAD or PAC file do this?

    Thanks in advance

  4. #4
    Snuffkins's Avatar
    The ports on the switch would be assigned to the new VLAN that you configure on them. Any devices connected to those ports would not be able to communicate with your main network unless you set up routing between the two if you ever wanted to, which I assume you don't. What switching hardware do you have though?

  5. #5

    Join Date
    Aug 2007
    Posts
    851
    Thank Post
    106
    Thanked 66 Times in 47 Posts
    Rep Power
    27
    Cheers, we are all ProCurve, with the main switch being the 53XX series.

    In case I haven't explained correctly, I would like any school PC/printer/laptop to be able to be plugged in anywhere on the network and have everyday network default access. BUT THEN, any guest PC/laptop that gets plugged in to any of these same network sockets should not be connected to the network apart from being able to use the internet.

    So I was hoping that a WPAD/PAC solution could maybe see that the laptop wasn't on the domain or something, meaning it would get connected to the VLAN and also be issued with an IP and the proxy set to point to our Smoothwall box using port 9000, which we use for guest access to the internet.

    Is this possible?
    Last edited by burgemaster; 19th January 2012 at 08:27 PM.

  6. #6

    On our wireless network, we use 802.1x, IAS, Group Policy, and Active Directory security groups to manage VLAN access. I'd think the same thing could be done with wired ports. Domain computer accounts would get internal VLANs and guests would need to set up 802.1x and authenticate as the guest account to be on the guest network. There might be a way to set a default for switches so that non-authenticated devices are on the guest VLAN. I don't know about that.

    I can't post URLs here yet. Do a Google search for, 802.1x procurve, and check out those results. HP has a document on doing this and there is one from Avaya that looked good.

  8. #7

    According to what I have just read of the HP docs, the 53XX series does allow you to allocate unauthenticated ports to a guest VLAN, so 802.1x authentication should work for you, but this is likely to require all of your printers, etc. to be set up for 802.1x. An alternative would be to use MAC-based authentication and a RADIUS server (to specify which VLAN a port should be assigned to, based on a MAC address list held on the server). You should really hold a list of MAC addresses for your authorised equipment in any case (and your DHCP logs can give you a head start in defining one).

    You would then need a transparent proxy, or WPAD(?) to support the devices on your guest VLAN. Something like a Routerboard (inexpensive) should be able to do either of these, but I haven't tried this myself.

    Apparently there are drawbacks to using 802.1x on the HPs - if the switch goes offline, then all the devices attached to the network will need to re-authenticate before they can use the network again. Though I think that this may be due to problems with the FreeRADIUS server in particular.

    A problem with MAC addresses is that an attacker can spoof a valid one and get on your authorised VLAN, but this may not be a big risk for you.
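
Added example, not part of the thread or any poster's code: a sketch of the "DHCP logs as a head start" idea from post #7, turning lease records into a candidate MAC list and FreeRADIUS `users` entries that return a VLAN. It assumes the Windows DHCP audit-log CSV layout, a switch that sends the bare lowercase MAC as both username and password, and a hypothetical staff VLAN ID of 10; the log lines are constructed.

```python
import csv, io, re

# Constructed sample, assumed Windows DHCP audit-log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
SAMPLE_LOG = """\
10,01/19/12,08:01:12,Assign,10.0.0.21,OFFICE-PC1.school.local,001A4B16C2D0,
11,01/19/12,08:05:40,Renew,10.0.0.21,OFFICE-PC1.school.local,001A4B16C2D0,
10,01/19/12,08:07:03,Assign,10.0.0.50,LIB-PRINTER,00-1B-78-AA-BB-CC,
10,01/19/12,09:15:44,Assign,10.0.0.77,visitor-laptop,02AABBCCDDEE,
24,01/19/12,09:20:00,Database Cleanup Begin,,,,
"""

LEASE_EVENTS = {"10", "11"}   # new lease, renewal
STAFF_VLAN = 10               # hypothetical internal VLAN ID

def normalise_mac(raw):
    """Return 12 lowercase hex digits, or None if the field is not a MAC."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw)
    return mac.lower() if len(mac) == 12 else None

def candidate_macs(log_text):
    """Map MAC -> hostname for leased devices with a burned-in address."""
    found = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0] not in LEASE_EVENTS:
            continue
        mac = normalise_mac(row[6])
        # Skip non-MACs and locally administered (software-assigned)
        # addresses, which do not identify a piece of hardware.
        if mac is None or int(mac[:2], 16) & 0x02:
            continue
        found[mac] = row[5]
    return found

def radius_users(macs, vlan=STAFF_VLAN):
    """Render FreeRADIUS 'users' entries with the RFC 3580 VLAN attributes."""
    out = []
    for mac, host in sorted(macs.items()):
        out.append(
            f'# {host}\n{mac} Cleartext-Password := "{mac}"\n'
            f"\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n"
            f'\tTunnel-Private-Group-Id = "{vlan}"\n')
    return "\n".join(out)

if __name__ == "__main__":
    print(radius_users(candidate_macs(SAMPLE_LOG)))
```

The output is a candidate list only: guest devices with burned-in addresses show up in the same DHCP logs, so each entry needs checking against the asset register before it is loaded.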


