
[K12OSN] Re: Authenticating mixed clients for Internet Access

Steve et al-
It seems I may have been unclear in stating my request, for which I apologize. We are trying to migrate away from MS server OSes for a variety of reasons, cost being the most significant. When I stated we have a mix of NT and Linux servers, I failed to mention that the remaining NT machine only serves to update our Norton AV corporate edition clients. There are no other services running on it, nor do we wish there to be any.
My primary stumbling block in this project is finding a centralized way to control which users are allowed out to the Internet (via proxy, gateway, what have you) that will work for both Linux and Windows systems. I believe I have unified user logins across platforms sorted using Samba and PAM, but it is the Internet access control that is stumping me. We need to allow / deny Internet access to different users based on whether or not they have completed their acceptable use forms, and also have the ability to deny access to those who abuse the system. I am relatively new to this particular facet of network administration and design, so please excuse my ignorance on the topic. It seems this should be a common need with a well-established solution, but I have not found one.
The users move between platforms regularly and I need consistency across them. I have found software (such as Microsoft's Proxy server, or Novell's) which works on a per-user basis, but those only run on OSes we do not use, or work only for Windows clients. It would be simple enough to block a particular machine using an ACL or similar, but I have not found anything that will authenticate on a per user basis on a Linux-based gateway, firewall, or proxy. I need it to work from either Windows Domain login (processed by a Samba PDC) or Linux terminal logins. I have found options which require people to SSH into a gateway to open a connection from the client, but I do not see that as a usable option in a k-12 environment. My users are simply not up to that kind of process, especially not the younger kids (or older teachers, for that matter). Am I chasing my tail, or is this sort of thing possible?

<snip from Steve Sobol>
LDAP might be another potential solution.

I have heard of a lot of people using LDAP as an authentication database, but I have yet to find any good current documentation on how to get such a beast rolling. I guess I just don't "get it". Such an open-ended and centralized system would be ideal for the services we want to offer in the future. I've tried a few times to figure it out on my own with OpenLDAP, but it seems pretty clunky in the role of an authentication db. What am I missing? What resources would you suggest?

-Thanks in Advance and Best Regards-

-Quentin Hartman-

Original Post Follows:

I am working on re-building a network for a k-12 institution, and am trying to put in some security features that are sorely needed. One of the most glaringly obvious omissions for this environment is that there is no mechanism in place to authenticate users for internet access. It is a mixed environment of Linux and Windows 9x workstations and Linux and NT servers. I would very much like to have centralized user management. The scenario goals we are trying to achieve are:
1- Unrestricted user logs in. Has access to file / app servers and Internet
2- Semi-restricted user logs in. Has access to file / app servers, but not internet.
3- Restricted user logs in. Has access only to local files and programs.
4- Unauthorized user cannot log in.
I imagine a combination of policy files for the 9x clients, samba, pam, and squid could achieve this, but I would like your feedback on the best way to proceed to complete this project. Am I on the right track at all?
-Quentin Hartman-
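As an added illustration that is not part of this thread (neither Quentin nor the list proposed it), the per-user Internet gate described above can be expressed on a Linux squid proxy as an external ACL helper: squid authenticates the user (PAM for Linux logins, Samba's ntlm_auth for Windows domain logins) and then asks a small script whether that user may go out, based on two files, one listing users who have signed the acceptable-use form and one listing users whose access has been revoked. The squid.conf lines in the docstring, the helper name basic_pam_auth, the file paths and the DOMAIN\user normalization are assumptions; the helper protocol (one request per line, answer OK or ERR) is squid's documented external_acl_type protocol.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: answer OK or ERR for each authenticated user.

Constructed example, not code from the K12OSN thread.  Assumed squid.conf
wiring (directive names are real squid directives; paths are assumptions):

  auth_param basic program /usr/lib/squid/basic_pam_auth
  auth_param basic realm School Internet Access
  acl authenticated proxy_auth REQUIRED
  external_acl_type aup_check ttl=300 %LOGIN /usr/local/bin/aup_acl.py
  acl internet_ok external aup_check
  http_access deny !authenticated
  http_access deny !internet_ok
  http_access allow localnet
  http_access deny all

With ttl=300 squid caches each user's answer for five minutes, so edits to
the two list files take effect without restarting squid.
"""
import sys
from pathlib import Path
from urllib.parse import unquote

AUP_SIGNED_FILE = Path("/etc/squid/aup_signed_users")   # assumed path
BANNED_FILE = Path("/etc/squid/banned_users")           # assumed path


def parse_user_list(text):
    """One username per line; blank lines and '#' comments are ignored.
    Names are lower-cased so Windows and Linux logins compare equal."""
    users = set()
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            users.add(entry.lower())
    return users


def load_users(path):
    """Read a user list file; a missing file is treated as an empty list."""
    try:
        return parse_user_list(path.read_text())
    except FileNotFoundError:
        return set()


def parse_request(line):
    """Extract the login name from one squid request line.

    Assumes the default non-concurrent protocol: the %LOGIN value is the
    first whitespace-separated token, URL-encoded by squid.  A Samba/ntlm_auth
    login may arrive as DOMAIN\\user; only the user part is kept (assumption).
    """
    parts = line.strip().split()
    if not parts:
        return ""
    login = unquote(parts[0])
    return login.rsplit("\\", 1)[-1].lower()


def decide(user, signed, banned):
    """Policy: revoked users are denied first; everyone else needs a signed
    acceptable-use form.  The message= tag shows up in squid's access log."""
    if not user:
        return "ERR message=no_user"
    if user in banned:
        return "ERR message=banned"
    if user not in signed:
        return "ERR message=aup_not_signed"
    return "OK"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Main loop: one answer per request line, flushed so squid never waits."""
    for line in stdin:
        signed = load_users(AUP_SIGNED_FILE)   # re-read each lookup; ttl caching keeps this cheap
        banned = load_users(BANNED_FILE)
        stdout.write(decide(parse_request(line), signed, banned) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

The same helper serves both client types because squid hands it only the authenticated login name: Linux users are prompted once and verified through PAM, while Windows domain users can be verified transparently against the Samba PDC by replacing the basic scheme with `auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp`. Taking a user off the Internet then means adding one line to the banned file rather than touching any workstation.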
