Authenticate access to internet
14 years 6 months ago #34437
by apit
Replied by apit on topic Re: Authenticate access to internet
Actually we are trying to authenticate all user access to the internet... The main reason is to have a report for every user that uses the campus internet. For example, our CEO wants statistics for all users that use Facebook every month.
Port security is just to allow authorized MAC addresses in the network.. Is it?
14 years 6 months ago #34443
by Nevins
Replied by Nevins on topic Re: Authenticate access to internet
Port security can work only if you make it a requirement for users to register their laptop for your network (otherwise they would be unable to get on). The idea is you're authenticating them by making them come to you first before being able to get onto your network. People who don't have a valid registered MAC address wouldn't be able to get on. Also, if you require people to register before getting onto your network, if they do any damage you can find it easier later with the use of a port monitoring program.
Anyways, if you're looking at creating a report you're going to have to use some type of reporting tool like Wireshark.
What format is the data required to be in for the report?
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
14 years 6 months ago #34444
by S0lo
Replied by S0lo on topic Re: Authenticate access to internet
Actually we are trying to authenticate all user access to the internet...
You can do this with an ASA using user/password web authentication. Although you did not say you have an ASA firewall, I noticed that you mentioned having one in one of your recent posts. So here is a guide for it:
www-china.cisco.com/en/US/docs/security/...fwaaa.html#wp1051298
If that's what you're looking for, tell us if you need further help.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 6 months ago #34445
by apit
Replied by apit on topic Re: Authenticate access to internet
Actually we are trying to authenticate all user access to the internet...
You can do this with an ASA using user/password web authentication. Although you did not say you have an ASA firewall, I noticed that you mentioned having one in one of your recent posts. So here is a guide for it:
www-china.cisco.com/en/US/docs/security/...fwaaa.html#wp1051298
If that's what you're looking for, tell us if you need further help.
From the technical doc:
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS authentication processes are running, a new connection requiring authentication will not succeed.
Is it 16 concurrent users that can log in to the ASA? Actually we have about 6xx users at our office.
14 years 6 months ago #34446
by KiLLaBeE
Replied by KiLLaBeE on topic Re: Authenticate access to internet
I have to disagree about port security, and I'll explain.
For his scenario and his needs, port security is too inflexible and the wrong tool. Port security is meant for you to specify what MAC address(es) a port should receive frames from and to drop all other frames. An appropriate scenario would be if you wanted a certain port to ONLY receive traffic from a specific connected device, and if someone unplugs the device and plugs something else in, the port would neglect the traffic. It's an appropriate solution for public-facing network-capable devices.
The reasons why port-security is the wrong tool:
Configuration
Configuring port security would be the biggest problem. Sure, users can go to him and "register" their MAC addresses, but the administrative overhead in that would be extremely time consuming. He'd have to SSH/telnet to the switch, know exactly what port on the switch the user would be connecting to, and configure the MAC address there. This is granted that he doesn't have to trace the cable from the wall jack to the port on the switch, because that would just increase the amount of time it takes to set up a single user. Additionally, MAC addresses are configured on a port-by-port basis. What if someone moves their laptops around? What if computers get relocated? He'd have to reconfigure the MAC addresses on the ports and set aging timers where needed. Sure, he can record the MAC addresses somewhere (Excel spreadsheet) for easy reference, but he still has to punch the commands in on the switch, SSH where needed, and verify that it's the right port. Every time a new computer/laptop is added to the network, he would have to get the MAC address and configure it on the switch as well.
You can bypass all these hurdles by configuring port-security to register the MAC address of the first frame it receives (which would be the first computer/laptop that connects to it), but if an unauthorized user plugs the laptop into it first, the security will have been defeated. Even if he sets up port security so that multiple MAC addresses are allowed, security would be defeated because an unauthorized user would be able to plug their device in and gain access.
Also, in its initial installation, port security would be a huge pain. He'd have to survey all the computers/laptops for their MAC addresses. Again, he could SSH to all the switches, run show mac-address-table and get the MACs there, or he could find some tool that automatically does this, but he'd still have to enter the commands for each port.
Troubleshooting
It's bound to happen: someone plugs their laptop elsewhere and wonders why their laptop can't connect to the network. This results in a helpdesk call. The helpdesk can't do anything because they don't have access to the switches. This triggers a call to the network engineer who has to stop what he's doing to figure out what port # it is and what MAC address it is.
You can set "IT policy" that everyone must register their MAC addresses, but again, that places inflexibility on the business…if not defeating the purpose of being a mobile user on a laptop (granted there's no wifi), since the mobile users can't happily move around with their laptops.
Also, it sounds like only authenticated users will be able to access the Internet, and if they're not authenticated, they would still be able to access the local network. With port security, they would be able to access all or nothing because port security can't differentiate Internet vs local network traffic since it's an L2 technology.
Reporting
My understanding is that Wireshark only (or mostly) sniffs traffic and has no reporting capabilities. Then again, I've never bothered to look at what its other features are. I'm sure it's vast because there's a book AND a cert for the tool, but I digress. If the CEO wants reporting, a more purpose-built, sophisticated tool would be needed -- a proxy server.
A proxy server is specifically built to filter web traffic and perform reporting…that's the selling point. I know with ISA 2004, you can integrate it with Active Directory and specify what users/user groups will be able to access what sites…or if they can access any sites at all. A proxy server would allow users to connect their laptops/computers to the network, and if they're authenticated (via ISA's integration with AD), then they could access whatever. If they try anything else, they're blocked and it's logged. If an unauthorized user tries to access the Internet, and if appropriate ACLs are in place on the Internet router (to only allow traffic from the proxy server and other key servers), then the unauthorized user would not gain access.
Once the proxy server is installed, he could use existing technology (Active Directory group policy) to set up everyone's IE to point to the proxy server...and the proxy would do the work from there.
There are other offerings for proxy servers, such as Untangle.
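The reporting side of the proxy approach described above (authenticated users logged per request, unauthenticated attempts refused and logged) can be illustrated with a small script. This is an added example, not code from the thread or from ISA, Untangle or any product named in it; it assumes a Squid-native access.log field layout (unix time, elapsed ms, client IP, action/status, bytes, method, URL, user, hierarchy/peer, content type), and the log lines embedded in it are constructed sample data, not real traffic. It produces the per-user, per-month Facebook statistics the original poster asked for and a count of requests the proxy refused with HTTP 407 (no credentials), which is how an unauthenticated client shows up in such a log.

```python
"""Per-user monthly web-usage report built from proxy access logs.

Added example for the firewall.cx thread; not the code of any product
discussed there. Assumes a Squid-native access.log layout:
  unix-time elapsed client action/status bytes method URL user hierarchy/peer content-type
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log lines (assumed Squid-native format; not real traffic).
# Users alice and bob authenticated to the proxy; the 10.1.2.9 client did not
# and was refused with 407. The last line is deliberately malformed.
SAMPLE_LOG = """\
1288000000.123    250 10.1.2.3 TCP_MISS/200 1024 GET http://www.facebook.com/ alice DIRECT/1.1.1.1 text/html
1288000100.456    120 10.1.2.3 TCP_HIT/200 512 GET http://static.facebook.com/x.js alice NONE/- application/javascript
1288000200.789    300 10.1.2.4 TCP_MISS/200 2048 GET http://www.example.com/ bob DIRECT/2.2.2.2 text/html
1288000300.000    180 10.1.2.4 TCP_MISS/200 800 GET http://facebook.com/home.php bob DIRECT/1.1.1.1 text/html
1288000400.000      5 10.1.2.9 TCP_DENIED/407 350 GET http://www.facebook.com/ - HIER_NONE/- text/html
1290700000.000    200 10.1.2.3 TCP_MISS/200 900 CONNECT www.facebook.com:443 alice DIRECT/1.1.1.1 -
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one Squid-native log line into a dict; return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
        size = int(fields[4])
    except ValueError:
        return None
    action, _, status = fields[3].partition("/")
    return {
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "client": fields[2],
        "action": action,
        "status": status,
        "bytes": size,
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],
    }


def host_of(method, url):
    """CONNECT requests log 'host:port' rather than a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matches_domain(host, domain):
    """True for the domain itself and any subdomain (www., static., ...)."""
    return host == domain or host.endswith("." + domain)


def usage_report(log_text, domain="facebook.com"):
    """Return {user: {YYYY-MM: {'requests': n, 'bytes': b}}} for traffic to `domain`.

    Only requests carrying an authenticated user name are counted; the proxy
    logs '-' as the user when no credentials were presented.
    """
    report = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes": 0}))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-" or rec["action"] == "TCP_DENIED":
            continue
        if not matches_domain(host_of(rec["method"], rec["url"]), domain):
            continue
        bucket = report[rec["user"]][rec["time"].strftime("%Y-%m")]
        bucket["requests"] += 1
        bucket["bytes"] += rec["bytes"]
    return {user: dict(months) for user, months in report.items()}


def unauthenticated_clients(log_text):
    """Count requests refused for lack of credentials (HTTP 407), by client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["status"] == "407":
            hits[rec["client"]] += 1
    return dict(hits)


def format_report(report):
    """Render the nested report as fixed-width text, one line per user-month."""
    lines = []
    for user in sorted(report):
        for month in sorted(report[user]):
            b = report[user][month]
            lines.append(f"{month}  {user:<10} {b['requests']:>5} requests {b['bytes']:>8} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(usage_report(SAMPLE_LOG)))
    print("407 refusals by client:", unauthenticated_clients(SAMPLE_LOG))
```

Pointing the script at a real access.log instead of SAMPLE_LOG is a matter of reading the file into `usage_report`; the domain match covers subdomains and CONNECT tunnels so that HTTPS sessions to the site are not missed, and malformed lines are skipped rather than aborting the monthly run.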
14 years 6 months ago #34447
by FlipRich
Replied by FlipRich on topic Re: Authenticate access to internet
Actually we are trying to authenticate all user access to the internet... The main reason is to have a report for every user that uses the campus internet. For example, our CEO wants statistics for all users that use Facebook every month.
Port security is just to allow authorized MAC addresses in the network.. Is it?
Layer 2 port security is definitely not the way to go if you're wanting to restrict web access to users. That's like defending against terrorism by putting guards at the door of every person's house. It's just not practical.
I don't think OpenDNS is going to give you the detailed reports that you're wanting to present to the CEO. I suggest purchasing a Cymphonix device, maybe the Cisco IronPort, or even the Websense software filter to get effective web filtering and reports. I haven't messed with the ASA's web filter feature yet, but to answer your question below about the "16 concurrent users", it looks like that limit only applies to HTTPS connections.
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL