[ale] Authentication for network access
Luis
lgonzal at mindspring.com
Thu Nov 30 11:40:41 EST 2000
I'm not sure if PPPoE would fit your needs either, as it uses PAP through
a RADIUS server which then allows network access. But yes, there is software
for Win2k and Mac OS. All that software does is allow them to authenticate
through PAP (Password Authentication Protocol).
But what you're asking is probably dealing more with implementation of an
authentication scheme, rather than access. There's PAP, CHAP, ACAP which
are different methods of authentication, and I'm sure tons more but I'm not
an expert on the subject.
With DHCP, you could have a pool of IPs which are only given out when
access is needed. But same thing, with DHCP, it can also implement PAP and
CHAP.
But any way you go, more than likely, your authentication will be handled
by the server, not the client.
Authentication doesn't have much to do with the NICs unless you manually
record the MAC addresses, and allow network access that way.
- gonzo
On Wednesday, November 29, 2000 12:58 PM, Chris Ricker [SMTP:chris.ricker at genetics.utah.edu] wrote:
> On Wed, 29 Nov 2000, Dan Newcombe wrote:
>
> >
> > Here is one I'm stumped on.
> >
> > Is it possible to somehow have a person/machine authenticate itself before
> > gaining network access?
> >
> > The options I've gone through in my mind:
> > DHCP - you can limit what NICs can get an IP, however, that
> > requires magical knowledge of the NICs beforehand. With
> > 4500 student notebooks, that is a lot of magic, but
> > possibly not a bad price to pay for network access.
> >
> > PPPoE - thanks to people's DSL trouble, I learned about this.
> > While it sounds like PPP over an Ethernet wire, I am
> > unsure what effect this would have on someone connecting
> > to other networks - do drivers need to be loaded on a 9x
> > machine to use this? Is there support for Macs and
> > NT/2000?
> >
> > Are there any other options? One off-the-wall idea I had was some scheme
> > where they would get an IP, but only be able to get to one location - a
> > web server on which they would have to authenticate themselves, which
> > would then adjust some routing tables to allow that IP address to have
> > full access, but that just seems a bit iffy to me.
>
> Here at the University of Utah, they use ACAP (as in the mail protocol
> stuff) to do exactly what you want (people with laptops log in using their
> email username and password, that gets authenticated, and then the router is
> given the green light to start sending them packets). It works exactly like
> the off-the-wall scheme you describe, too ;-). For example, whenever I go
> to the library, I plug in my laptop. Packets at that point can only go
> between my laptop and www.laptop.lib.utah.edu (you'll get a different view
> of it than I will, since they play the outside / inside domain shell game
> with that URL). I go there and log in, and then the switch gets told that
> I'm okay, and packets then can flow anywhere.
>
> Unfortunately, I think it's an in-house project which Cisco (?) is taking
> commercial, so I'm not sure how much they'll share at this point, but the
> idea definitely does work. Search Utah's web pages for ACAP or ANA (Utah's
> name for the setup) and you might be able to hunt up more info.
>
> later,
> chris
>
> --
> Chris Ricker kaboom at gatech.edu
> chris.ricker at genetics.utah.edu
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
--------------------------------
http://www.thisrules.com
It's easy to sit there and say you'd like to have more money. And I guess
that's what I like about it. It's easy. Just sitting there, rocking back
and forth, wanting that money.
--------------------------------
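
The web-login gate that Dan proposes and Chris describes at Utah, modelled as an added example (it is not part of the thread and is not Utah's ACAP/ANA code). The portal address, the grant lifetime, and tying a login to the IP/MAC pair rather than the IP alone are assumptions made for the illustration.

```python
"""Walled-garden gate: clients reach only the portal until they log in."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

PORTAL_IP = "10.0.0.2"      # hypothetical address of the login web server
GRANT_SECONDS = 8 * 3600    # hypothetical lifetime of one successful login


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Gate:
    users: dict = field(default_factory=dict)    # username -> (salt, hash)
    grants: dict = field(default_factory=dict)   # (ip, mac) -> expiry time

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, ip, mac, username, password, now=None):
        """Called by the portal web server when the login form is submitted."""
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            # Assumption: the grant is bound to IP and MAC together, so
            # reusing only the IP address from another NIC is not enough.
            self.grants[(ip, mac.lower())] = now + GRANT_SECONDS
        return ok

    def allow(self, src_ip, src_mac, dst_ip, now=None):
        """Forwarding decision for one packet arriving from a client port."""
        now = time.time() if now is None else now
        if dst_ip == PORTAL_IP:          # the one location always reachable
            return True
        key = (src_ip, src_mac.lower())
        expiry = self.grants.get(key)
        if expiry is None:
            return False
        if now >= expiry:                # stale grant: force a fresh login
            del self.grants[key]
            return False
        return True
```

A MAC address can be changed by the client, so the pair binding only narrows reuse of a grant; the expiry bounds how long any grant stays valid.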