Wired Networks Thread, How does the INTERNET work? in Technical; what I want...what I really really want is to have a wireless network that is seen by everyone and can ...
  1. #1
    kennysarmy's Avatar

    How does the INTERNET work?

    what I want...what I really really want is to have a wireless network that is seen by everyone and can be connected to either with or without a passkey, that on first attempt to gain internet access a login screen is presented which requests username and password - which is authenticated against active directory credentials - and if correct ones given - internet access is granted. This should work no matter which device the end-user is using, no matter what OS or browser is being used for internet access.

    So in asking the question "How does the INTERNET work?" What I am really quizzing is how does a browser KNOW how to route itself out through a particular network to get internet access.

    Our establishment is on the SWGfL and we use an on-site "smartcache" for caching and filtering purposes - the RM smartcache is using Active Directory authentication to identify users and computers. It also acts as a proxy listening on port 8080. Its IP address is NOT our default gateway.

    Currently fixed devices on the network have their IE settings for proxy server (LAN settings) pushed down via a GPO which sets it to the IP address of the smartcache and the correct port no.

    At home I do not have to configure IE at all - once I'm connected to my wireless router it just works.

    Is it possible to have what I want?
    and
    Can someone explain to me......how DOES the internet work?

  2. #2
    cpjitservices's Avatar
    Hey - we have a setup here where if you log on to the network and open up a browser it has the company logo and asks for a username and password - it's basically Captive Portal running on a pfSense box - pfSense is rolling out our IPs and whatever device accepts an IP (basically anything on the network, wired or wireless), as soon as you bring up a browser, if you haven't already done so in the specified time frame, it will ask you to re-authenticate. I'm not sure it works with AD but you can use the local User Manager in pfSense to set up your logins.

    If someone hasn't got authenticated through the captive portal, no matter how hard they try they won't get internet or network access. I can't see any options of authenticating against LDAP, but we may have an out-of-date version running, so grab the latest version and it may support it.

    With the Captive Portal page on pfSense you can customize it how you like; you can even give "one time voucher codes", which we use for visitors so they don't need to have a username and password, just input the voucher code and that will give them internet access.

    It's all about the DNS settings and the Gateway Settings which are given to you by your router.

    Hope this helps

  3. #3
    kennysarmy's Avatar
    Quite interesting .....

    LOL - doesn't really answer the question - but thanks for the reply

  4. #4

    Quote Originally Posted by kennysarmy View Post
    So in asking the question "How does the INTERNET work?" What I am really quizzing is how does a browser KNOW how to route itself out through a particular network to get internet access.
    It doesn't know. It uses the default settings, which normally work unless there's something in the way e.g. the smartcache. Your fixed network machines would not work through the proxy if they weren't getting the correct browser settings pushed to them via GPO. If they didn't have that GPO they'd be trying to go out to the internet via their default gateway on port 80 for web browsing the way your home machine does with a basic home router. As there's no path to the internet on port 80 behind the smartcache you'd end up with no internet browsing on those machines.

    It sounds like you would want a transparent proxy to work with devices that aren't specifically configured. Authenticating with the transparent proxy would be all that's required. How that would, or if it could, fit in with your current arrangements though I couldn't say as I've not seen an RM Smartcache. Technically though, I don't believe it's impossible but I'll leave a more detailed answer to someone more familiar with that particular kit.

  5. #5

    localzuk's Avatar
    Ok, it is not possible to have a single wireless network which has a security key, and doesn't have one (but asks for a login after they connect).

    You'd have to have 2 networks - one which needs a security key to connect, and one with a captive portal which takes username and password.

    The internet works by routing. When a computer is assigned an IP, it is also told which address routes traffic by default (the default gateway).

    When you have a proxy, you can either run it like you are doing, with manual settings in a GPO/typed into your browser, or you can turn it into a transparent proxy, and then set your DHCP server to tell clients that the proxy is the default gateway.

  6. #6

    It is possible to have what you want... but this doesn't really correlate with your question "How does the internet work"... in my mind that's a completely different question.

    You want:

    - a wireless network system that uses Captive Portal authentication (my Ruckus system does this).
    - WPAD to push out your proxy settings

    Do you want to know more?

  7. #7

    dhicks's Avatar
    Quote Originally Posted by kennysarmy View Post
    what I want...what I really really want is to have a wireless network that is seen by everyone and can be connected to either with or without a passkey, that on first attempt to gain internet access a login screen is presented which requests username and password - which is authenticated against active directory credentials - and if correct ones given - internet access is granted. This should work no matter which device the end-user is using, no matter what OS or browser is being used for internet access.
    As others have pointed out, you want a transparent proxy as your network gateway, with the address of that gateway given out to clients via DHCP. Squid works as a transparent proxy (you used to have to recompile with transparent proxy support, but it now works right away) and you can write a script to run from Squid to authenticate users - have it match up machine IP addresses to authenticated users, probably.

    Edit: Sorry, that's Squid with DansGuardian, with a filter script that runs from DansGuardian.
    Last edited by dhicks; 4th October 2011 at 03:39 PM.

  8. #8

    We had the same issue last year with RM SmartCache 2 etc.

    We did get it working (kind of) by using 2 old PCs and a combination of SmoothWall Express and FreeProxy (I think???, with 2 NICs installed).

    Long story short....

    - On SmoothWall Express the Purple Interface/NIC was connected to the WiFi and the Red Interface/NIC went to NIC1 on a XP Client running FreeProxy (and RMSmartCache client installed), then in turn NIC2 connected normally to the LAN.
    - The computer name/ip address of the XP Client (running FreeProxy) was added to RM SmartCache 2 along with the appropriate filtering level. (staff/pupil).
    - Transparent proxy was set up on SmoothWall Express and the upstream IP address was the IP address of NIC1 on the XP Client running FreeProxy (in turn the upstream proxy address for FreeProxy was that of the RM SmartCache 2)
    - DHCP etc was configured on SmoothWall Express
    - This was all due to our version of RM SmartCache 2 box being too old for the latest update that allows AD Authentication!
    - This meant that all connected users were filtered at the same level though!


    In the end, we saw the light and now have 2x SmoothWall UTM1000 appliances and Ruckus Wireless system!

    The main issue is that RM SmartCache 2 is just a caching device, no firewall and routing facilities.
    Not sure if this helps!

    NB
    If you are totally bamboozled, the internet is explained here
    The IT Crowd - Series 3 - Episode 4: The Internet - YouTube
    Last edited by MYK-IT; 4th October 2011 at 12:38 PM.

  9. #9
    kennysarmy's Avatar
    Quote Originally Posted by pantscat View Post
    It is possible to have what you want... but this doesn't really correlate with your question "How does the internet work"... in my mind that's a completely different question.

    You want:

    - a wireless network system that uses Captive Portal authentication (my Ruckus system does this).
    - WPAD to push out your proxy settings

    Do you want to know more?
    Yes I do....

    Is the ruckus system pushing out the WPAD ?

  10. #10

    @kennysarmy - Actually I was a bit wrong about WPAD - some devices won't support this out of the box (iPads, smart phones and the like).

    So... other people have been far more accurate by saying that you want a transparent proxy. Smoothwall does this rather nicely.

    The tricky part about a transparent proxy is identifying the user at the other end as it won't necessarily do any sort of authentication to identify the user - all you will see is that an anonymous user from ip address 1.2.3.4 is looking at Google, for example.

    It's up to you to decide whether this is acceptable.

    It may be possible to get your (hypothetical) wireless system to log all of the authentication attempts - e.g. record the date/time/IP address/username and then cross reference this against "naughty" behaviour on your transparent proxy.

    Essentially, unless you're allocating fixed IPs or IP reservations to client devices so that you know who is using which device (which doesn't help you with open access, multi-user PCs), then you'll have to give everyone the same level of internet access/filtering.

    I hope that makes sense.

    I should also point out that the transparent proxy would be set as the default gateway, and therefore the clients wouldn't have any proxy settings per se.
    Last edited by pantscat; 4th October 2011 at 04:56 PM. Reason: more clarity! less waffle (ish).
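
The cross-referencing described in the post above (portal authentication records matched against transparent proxy requests by IP address and time) can be sketched as follows. This is an added example, not code from the thread or from any product named in it; the two log formats, the sample lines and the 4-hour re-authentication window are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): portal events and proxy requests.
PORTAL_LOG = """\
2011-10-04T09:00:05 10.0.5.21 LOGIN jsmith
2011-10-04T09:40:00 10.0.5.21 LOGOUT jsmith
2011-10-04T10:15:30 10.0.5.21 LOGIN apatel
2011-10-04T09:02:10 10.0.5.34 LOGIN visitor-7
"""
PROXY_LOG = """\
2011-10-04T08:59:00 10.0.5.21 http://example.org/early
2011-10-04T09:10:00 10.0.5.21 http://example.org/a
2011-10-04T09:45:00 10.0.5.21 http://example.org/b
2011-10-04T10:20:00 10.0.5.21 http://example.org/c
2011-10-04T13:30:00 10.0.5.34 http://example.org/d
"""
SESSION_TIMEOUT = timedelta(hours=4)  # assumed portal re-authentication window


def load_sessions(portal_log):
    """Return {ip: time-sorted [(time, user-or-None)]}; None marks a logout."""
    events = defaultdict(list)
    for line in portal_log.splitlines():
        ts, ip, kind, user = line.split()
        events[ip].append((datetime.fromisoformat(ts), user if kind == "LOGIN" else None))
    for ip in events:
        events[ip].sort(key=lambda e: e[0])
    return events


def attribute(proxy_log, sessions, timeout=SESSION_TIMEOUT):
    """Label each proxy request with the user holding that IP at that moment."""
    out = []
    for line in proxy_log.splitlines():
        ts, ip, url = line.split()
        when = datetime.fromisoformat(ts)
        history = sessions.get(ip, [])
        # Index of the latest portal event at or before this request.
        i = bisect_right([t for t, _ in history], when) - 1
        user = None
        if i >= 0 and when - history[i][0] <= timeout:
            user = history[i][1]  # stays None if that event was a logout
        out.append((ts, ip, url, user or "UNATTRIBUTED"))
    return out


if __name__ == "__main__":
    for row in attribute(PROXY_LOG, load_sessions(PORTAL_LOG)):
        print(*row)
```

Requests made before any login, after a logout, or after the session window has lapsed come back as UNATTRIBUTED rather than being pinned on the previous holder of the address, which matters when DHCP hands the same IP to a different device.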

  11. #11

    SmoothWall (with G3) comes with an abundance of authentication features, with SSL Login page probably being the all round solution for personal devices that the school does not manage etc

    As per SmoothWall's Help...

    No authentication
    Identify users by their IP address only. All requests are assigned to the Unauthenticated IPs group.

    Redirect users to SSL Login page
    Identify users with the Smoothwall authentication service. If no user is logged in, redirect web requests to the SSL Login page which checks their username and password.
    The Smoothwall authentication service supports only one user per client IP address.
    The SSL Login page automatically refreshes itself so that the authentication time-out period does not elapse; because of this, the user must leave the SSL Login page open at all times.
    SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s workstation and the Smoothwall System system is encrypted.
    To securely logout, the user must click Logout from the SSL Login page

    Core authentication
    Identify users with the Smoothwall authentication service. If no user is logged in, identify the user by their IP address and assign the request to the Unauthenticated IPs group.
    The Smoothwall authentication service supports only one user per client IP address.
    Core authentication is typically used with the SSL Login page. For example, anonymous users can be allowed to certain sites only, but users can optionally log in to gain a higher level of access.

    Identification by location
    Identify users by their IP address. Assign a group based on the identification by location policy configured for their location.
    Identification by location is typically used where certain clients do not support the authentication method used by the rest of the network. For more information, see Identification by Location.

    NTLM identification (via redirect)
    Identify users with the Smoothwall authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation.
    The Smoothwall authentication service supports only one user per client IP address.
    Note: NTLM identification does not verify a user's credentials. It should only be used where all client workstations are secured and members of a Microsoft Windows domain. Unsecured clients can spoof their credentials.

    NTLM authentication (via redirect)
    Identify users with the Smoothwall authentication service. If no user is logged in, redirect Web requests to the NTLM login page, which obtains the username logged into their Microsoft Windows workstation and validates their credentials with the domain controller.
    The Smoothwall authentication service supports only one user per client IP address.
    Last edited by MYK-IT; 4th October 2011 at 05:03 PM.
