  1. #1
    NewOrder

    NAC

    Has anyone looked at Network Access Control? I ask this because a number of schools appear to be investing in devices/laptops for kids to take home and I'm wondering what is the simplest way to allow them on to a school network. I want to make sure it's simple, secure and low maintenance.

    What worries me is the rubbish etc that they will have on their devices and this needs to be stopped.

    I remember a number of years ago an LEA gave out laptops to teachers over the summer. They all came back in and September was virus month.

    I saw this quote

    You Can't Control People.

    Control What's On Your Network.

  2. #2

    GrumbleDook

    Yep, we are putting in a Cisco solution this year, and segmenting the WLAN into a hidden, ultra-controlled section for staff and curriculum laptops that need to be part of the domain, and having a public hotspot style section with only port 443 access to one set of servers running Sun's Secure Global Desktop as a web front end for our TS system. I know of a few other schools looking at similar.

  3. #3


    Wish I had the cash to even look at the Sun Global Desktop, let alone the rest!

  4. #4
    NewOrder

    Thanks for quick responses

    2 things

    1. Anything less complicated? Remember a lot of heads will have seen situations where they hit a hotspot and connect to the Internet

    and

    2. They will expect that within the school and how will you give them access to materials on the network?

  5. #5
    stratisphere

    Here's our setup:

    We have a Sonicwall SSLVPN box (which is responsible for remote access for out on the internet). (SSL VPN Secure Remote Access - Everywhere Access For Every Size Organization - SonicWALL, Inc.)

    We also have 2 wireless networks. Like GrumbleDook's setup, one is hidden, secured etc etc for mostly tech access (don't have the resources in school to let staff use it yet).
    Another one, again, like GrumbleDook's, is public. This is its own little network set up to use a little (but more than good enough!) desktop PC running Linux routing only SSL (port 443). This then goes direct into another interface on our SSLVPN.

    So basically if kids want to use wireless, they can, but only to access their work via the remote access site.

    We are experimenting with setting up a hotspot type system where the first time you connect, you have to authenticate via web browser. It then logs how long you're using it etc etc. From that, we can then direct them to the correct proxy server (Wouldn't want to let them have unfiltered internet access now)

  6. #6
    torledo

    Quote: Originally Posted by GrumbleDook
    Yep, we are putting in a Cisco solution this year, and segmenting the WLAN into a hidden, ultra-controlled section for staff and curriculum laptops that need to be part of the domain, and having a public hotspot style section with only port 443 access to one set of servers running Sun's Secure Global Desktop as a web front end for our TS system. I know of a few other schools looking at similar.
    GD - could you expand a little on the Cisco solution you'll be using, will it be the CSA product and/or CCA (Cisco Clean Access)?

    We've had a look at CSA in the past, at the time we were a bit unsure as the technology was quite new - at the time Cisco also had the CTA (Cisco Trust Agent) and CCA appliances that we believed were also part of the overall NAC solution in addition to selected AntiVirus products, 802.1x capable Catalyst switches and Cisco ACS as the RADIUS server.

    It's difficult to know which bits you actually need for a NAC solution.
    Last edited by torledo; 29th March 2008 at 11:08 AM.

  7. #7


    NAP

    Have a look at Microsoft's offering of NAP (Network Access Protection) as well, which does require at least one Windows 2008 server, but this can be installed on your existing 2003 infrastructure so it's not a big deal. Windows XP SP3 will come with a NAP client so that should make it easier to control the policies.

    All these solutions rely on the 802.1x support on your infrastructure devices such as switches, routers and access points as well as WLAN controllers.

    If you are just worried about kids plugging in their own laptops then simple 802.1x authentication is enough, but if you are looking to find out and screen for dirty/healthy clients then you need NAC or NAP. These technologies take the 802.1x concept one step further by screening the clients for various other criteria such as the correct SP level, latest virus definitions and other conditions such as the client being a member of the domain and/or in appropriate groups.

    We are running our main wireless system (for staff) using 802.1x with MS IAS (RADIUS) server and hidden SSIDs. For 6th form students we offer free wifi on their own laptops and this is again controlled using 802.1x (WPA/TKIP) and they are re-directed to the web filtering/proxy server so the net access is controlled. In order to access their My Docs we use the easylink (webdav) and open 443 from the wireless VLAN to the corp network. This works very well and it's secure as well.

    HTH,

    Ash.
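
The distinction drawn in the post above, between plain 802.1x authentication and the extra health screening NAC/NAP adds, as an added example that is not part of the original thread and is not any vendor's code. The policy thresholds, group name, network labels and sample clients are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Policy values are assumptions for illustration, not taken from the thread.
MIN_SERVICE_PACK = 3
MAX_DEFINITION_AGE = timedelta(days=7)
REQUIRED_GROUP = "Staff-Laptops"

@dataclass
class Client:
    name: str
    authenticated: bool                      # outcome of the 802.1x / RADIUS exchange
    service_pack: int = 0
    av_definitions: Optional[date] = None    # date of the installed virus definitions
    domain_member: bool = False
    groups: set = field(default_factory=set)

def posture_failures(c: Client, today: date) -> list:
    """Return the health checks the client fails (empty list means healthy)."""
    failures = []
    if c.service_pack < MIN_SERVICE_PACK:
        failures.append("service pack too old")
    if c.av_definitions is None or today - c.av_definitions > MAX_DEFINITION_AGE:
        failures.append("virus definitions missing or stale")
    if not c.domain_member:
        failures.append("not a domain member")
    elif REQUIRED_GROUP not in c.groups:
        failures.append("not in required group")
    return failures

def assign_network(c: Client, today: date) -> tuple:
    """802.1x alone answers 'who is this?'; posture answers 'is it clean?'."""
    if not c.authenticated:
        return "deny", ["802.1x authentication failed"]
    failures = posture_failures(c, today)
    if failures:
        return "quarantine", failures   # remediation network: patch/AV servers only
    return "production", []

# Constructed sample clients.
TODAY = date(2008, 4, 1)
CLIENTS = [
    Client("staff-01", True, 3, date(2008, 3, 30), True, {"Staff-Laptops"}),
    Client("staff-02", True, 2, date(2008, 1, 5), True, {"Staff-Laptops"}),
    Client("pupil-byod", True, 3, None, False),
    Client("unknown", False),
]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c.name, *assign_network(c, TODAY))
```

Note that staff-02 and pupil-byod both pass authentication; only the posture step keeps them off the production network, which is the gap plain 802.1x leaves open.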

  8. #8
    NewOrder

    Thanks

    Hi folks, thanks for the replies. I'm now looking at a few NAC/NAP devices. I'll report back.

  9. #9

    john

    May also be worth noting that Sophos V8, which is around the corner soon, has some stuff like this in it, as well as Drive restrictions and things, I believe.

  10. #10

    Geoff

    I use packetfence.

    packetfence / home

  11. #11

    If I may suggest...

    For endpoint security (e.g. making sure that laptop/endpoint virus defs are up to date), Novell ZESM is a decent product. A real pain in the *** to install, but once running it's very stable.

  12. #12

    I am looking into this at the moment and want to get to grips with packetfence but have no time at the moment, maybe over the summer break.

    Problem I have with OS stuff is I'm lazy and just want to install one package to do the lot. One day I'll get my head around it as I know there is a whole host of fun things out there in OS.
