Stop rogue laptops accessing the internet

SelbyGlenn

Technical User
Oct 7, 2002
444
GB
Hi there,

I work in a boarding school that has a large LAN. Students are not allowed to use their own private laptops on the network but it is virtually impossible to police. The only reason they attach to the n/w is to use the internet.

I currently have an ISA Server 2000 running in proxy mode which requires user authentication. The students know that if they enter the proxy settings into IE, then they can authenticate using their domain username and password on their private laptops. What I want to know is how do I stop PCs that are not members of the domain from accessing the internet?


Thanks in advance for any help and suggestions,

Regards,


Glenn
BEng MCSE CCA
 
Glenn

What kind of switch ports are they connecting to? I know that with most Cisco switches you can turn on port security and then lock the MAC address of the computers that should be plugged in to that port; if they unplug and plug in a different device the port will shut down.

Then you will know exactly who did it and they would be without any connection until you could reset the port :)

Just a thought!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
3Com switches and unfortunately they're not intelligent. Upgrading them isn’t an option due to cost. :-( Also, students tend to roam around with their laptops so locking a MAC address to a specific port wouldn't work in this scenario. Thanks for the suggestion though!

Glenn
BEng MCSE CCA
 
Now I could be wrong, but I thought you could set up schedules and policies etc. on ISA - and one of which is computer access? Just state no access to those machines (or a deny page with their username, machine name and IP to scare them off!)

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
How about a good old fashioned telling off (followed by most strict measures).

Clearly state in an IT Usage policy that no PCs other than school ones can access the Network without written permission.

Next state that giving out passwords is again against this policy.

Then force a password change for EVERY user.

Once done, use logs to find out unknown machines on the network and cross reference them with access logs. Those that have an unrecognised PC accessing the web, pull them up on it.
Do this enough and make sure the punishment is actually dished out, they will stop.

Too often we use technology to fix a social issue.

That's my opinion, you may disagree.

Only the truly stupid believe they know everything.
Stu.. 2004
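
The log cross-referencing suggested in the post above, as an added example that is not part of the original thread. It assumes the proxy writes a W3C extended-format log with `c-ip`, `cs-username`, `date` and `time` fields and that school machines have known addresses; the inventory, field layout and log lines are all constructed for illustration.

```python
from collections import defaultdict

# Assumption: school-owned machines have known addresses (e.g. DHCP reservations).
KNOWN_MACHINES = {"10.0.1.21": "LIB-PC-01", "10.0.1.22": "LIB-PC-02"}

# Constructed sample in W3C extended log style; the field list is an assumption.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: c-ip cs-username date time r-host
10.0.1.21 SCHOOL\\jsmith 2004-03-01 19:02:11 www.example.org
10.0.3.77 SCHOOL\\jsmith 2004-03-01 21:40:03 www.example.com
10.0.3.77 SCHOOL\\jsmith 2004-03-01 21:41:10 www.example.net
10.0.1.22 SCHOOL\\akhan 2004-03-01 19:05:45 www.example.org
10.0.3.80 anonymous 2004-03-01 22:10:00 www.example.com
10.0.3.91 SCHOOL\\akhan 2004-03-02 07:15:30 www.example.org
"""

def parse_w3c(text):
    """Yield one dict per record, taking field names from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()  # assumes no field value contains whitespace
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def unknown_machine_logins(text, known=KNOWN_MACHINES):
    """Map username -> {unknown client IP: (first seen, last seen, requests)}."""
    report = defaultdict(dict)
    for rec in parse_w3c(text):
        ip, user = rec["c-ip"], rec["cs-username"]
        if ip in known or user.lower() in ("anonymous", "-"):
            continue  # school machine, or no authenticated user to follow up
        stamp = rec["date"] + " " + rec["time"]
        first, last, hits = report[user].get(ip, (stamp, stamp, 0))
        report[user][ip] = (min(first, stamp), max(last, stamp), hits + 1)
    return dict(report)

if __name__ == "__main__":
    for user, machines in sorted(unknown_machine_logins(SAMPLE_LOG).items()):
        for ip, (first, last, hits) in sorted(machines.items()):
            print(f"{user} from {ip}: {hits} requests, {first} to {last}")
```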
 
Really basic.. we use DHCP with reservations and exclude the pools so it won't give out addresses to anyone that doesn't have a reservation (We do this out of a backtracking policy.. not to keep people off our network.. but it would work)
 
is no good. Users can still gain access by assigning proxy settings on their private laptops and then authenticate using their domain username.

Ipcop as far as I can tell is only available on a Linux platform (please correct me if I'm wrong)

Reserving every IP address in DHCP will only stop the students temporarily. It won't take them long to figure out that entering a static IP address on their private laptop will get round the problem.

Thanks for all your ideas guys but I’m afraid I’m still stuck. The only way I can see this is going to work is to have some kind of third party client software that talks to a server at machine (not user) level for authentication.


Glenn
BEng MCSE CCA
 
What about putting in a RADIUS server... we use it for our wifi clients.. you can connect but if you don't authenticate you're dead in the water
 
I have been playing around with RADIUS but I had a problem with it timing out during log off. The user certificate drops the connection before the user's profile has finished uploading.

Have you had this problem?

Glenn
BEng MCSE CCA
 