[ale] Authentication for network access
Chris Ricker
chris.ricker at genetics.utah.edu
Wed Nov 29 12:57:41 EST 2000

On Wed, 29 Nov 2000, Dan Newcombe wrote:
>
> Here is one I'm stumped on.
>
> Is it possible to somehow have a person/machine authenticate itself before
> gaining network access?
>
> The options I've gone through in my mind:
> DHCP - you can limit what NICs can get an IP, however, that
> requires magical knowledge of the NICs beforehand. With
> 4500 student notebooks, that is a lot of magic, but
> possibly not a bad price to pay for network access.
>
> PPPoE - thanks to people's DSL trouble, I learned about this.
> While it sounds like PPP over an Ethernet wire, I am
> unsure what effect this would have on someone connecting
> to other networks - do drivers need to be loaded on a 9x
> machine to use this? Is there support for Macs and
> NT/2000?
>
> Are there any other options? One off-the-wall idea I had was some scheme
> where they would get an IP, but only be able to get to one location - a
> web server on which they would have to authenticate themselves, which
> would then adjust some routing tables to allow that IP address to have
> full access, but that just seems a bit iffy to me.

Here at the University of Utah, they use ACAP (as in the mail protocol
stuff) to do exactly what you want (people with laptops log in using their
email username and password, that gets authenticated, and then the router is
given the green light to start sending them packets). It works exactly like
the off-the-wall scheme you describe, too ;-). For example, whenever I go
to the library, I plug in my laptop. Packets at that point can only go
between my laptop and www.laptop.lib.utah.edu (you'll get a different view
of it than I will, since they play the outside / inside domain shell game
with that URL). I go there and log in, and then the switch gets told that
I'm okay, and packets then can flow anywhere.

Unfortunately, I think it's an in-house project which Cisco (?) is taking
commercial, so I'm not sure how much they'll share at this point, but the
idea definitely does work. Search Utah's web pages for ACAP or ANA (Utah's
name for the setup) and you might be able to hunt up more info.

later,
chris

--
Chris Ricker kaboom at gatech.edu
chris.ricker at genetics.utah.edu
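
The gate both messages describe (only the login server is reachable until the user authenticates, then that address is opened up), modelled as an added Python example; it is not the University of Utah's code and not from either poster. The portal address, session lifetime, credential table, and the MAC binding and expiry checks are assumptions of this example.

```python
import hmac
import time

PORTAL_IP = "10.0.0.2"    # assumed address of the login web server
SESSION_TTL = 8 * 3600    # assumed: a grant lasts 8 hours, then log in again

# Constructed credential table; a real deployment would ask the campus
# mail/directory service and would not hold plaintext passwords.
USERS = {"student1": "correct horse"}


class Gate:
    """Default-deny forwarding policy: unknown clients reach only the portal."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}  # client IP -> (MAC seen at login, expiry time)

    def login(self, user, password, ip, mac):
        """Called by the portal; on success the client's IP is opened up."""
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return False
        self.sessions[ip] = (mac, self.now() + SESSION_TTL)
        return True

    def allow(self, src_ip, src_mac, dst_ip):
        """Per-packet decision the router or switch would enforce."""
        if dst_ip == PORTAL_IP:
            return True                  # everyone may reach the login page
        entry = self.sessions.get(src_ip)
        if entry is None:
            return False                 # not authenticated yet
        mac, expiry = entry
        if self.now() >= expiry:
            del self.sessions[src_ip]    # stale grant: force a new login
            return False
        # The grant belongs to the NIC that logged in, not to whoever
        # holds the IP address now.
        return mac == src_mac
```

Keying the grant on the IP address alone is the part that makes the scheme feel "iffy": binding it to the MAC seen at login and expiring it narrows the window in which another machine can inherit an authorised address.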