Forcing users to log in to the domain

Dennis Woodward

We have a wireless network whereby students can easily jump on our network
for internet purposes without logging into the domain. How can I force them
to log in to the domain? Is there a way to "hide" the internet behind a
windows server that forces them to "authenticate" with a username and
password before going out to the internet?

James McIllece [MS]

We have a wireless network whereby students can easily jump on our
network for internet purposes without logging into the domain. How
can I force them to log in to the domain? Is there a way to "hide"
the internet behind a windows server that forces them to
"authenticate" with a username and password before going out to the
internet?

Hi Dennis --

Yes, you can require users to be authenticated.

I don't know what your whole setup is, but it sounds like you have the
guest account enabled, so students are logging on as guest (unauthenticated
access).

Just disable the guest account and they will be forced to log on to the
network with their user name and password (depending on what authentication
method you have deployed).

If you haven't deployed any authentication, you can deploy Internet
Authentication Service in Windows Server 2003. After initial configuration,
you can manage all of your access points as RADIUS clients using IAS.

The general steps are as follows:

Install IAS on your DC or another computer. Use the IAS Help to find out
how to enable IAS to read user accounts in Active Directory. Make sure the
IAS server is added to the RAS and IAS servers group in AD. (If you aren't
using AD, read the Help on how to use IAS as a standalone server. Your user
accounts database, if not AD, must be LDAP compliant to work with IAS.)

In your user accounts database, create the groups that

In the IAS console:

Configure your wireless access points as RADIUS clients to the IAS/RADIUS
server. Configure each RADIUS client with a shared secret that you also
configure on the IAS server. If the APs are 802.1X capable, I would deploy
PEAP. If not, you can use MS-CHAP v2 (without PEAP). If you use MS-CHAP v2
by itself, read the Help on enabling use of the Message Authenticator
attribute.

Also create a remote access policy that defines the authentication method
you want to use (recommended: PEAP-MS-CHAP v2). If you use PEAP-MS-CHAP v2,
obtain a server cert from Verisign or another company, or you can deploy
certificate services in WS03. For full details see "Enterprise Deployment
of Secure 802.11 Networks Using Microsoft Windows" at
http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx

Hope that helps...
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
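The Message Authenticator attribute mentioned above is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret configured on the access point and on the IAS server (defined in RFC 2869, required for EAP by RFC 3579). When the server requires it from a RADIUS client, an Access-Request that was forged or altered by someone who does not hold the shared secret fails verification and is dropped. The following is an added example, not code from the thread or from IAS; the secret, identifier, authenticator and attribute values in the test are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14 / RFC 3579 section 3.2

def encode_attr(attr_type, value):
    # RADIUS attribute: Type, Length (counting these two octets), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, authenticator, attrs):
    """Build an Access-Request that carries a correct Message-Authenticator."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    # The HMAC-MD5 (keyed with the shared secret) covers the whole packet
    # with the Message-Authenticator value set to 16 zero octets.
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(secret, packet):
    """True only if the packet carries a Message-Authenticator valid under secret.
    A packet without the attribute is rejected, which is what requiring the
    attribute per RADIUS client (the IAS option the thread refers to) means."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:  # walk the TLV attribute list
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute: drop the packet
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            found = pos
        pos += attr_len
    if pos != length or found is None:
        return False
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])
```

`build_access_request` is only there to produce a well-formed packet for the check; on the server side `verify_message_authenticator` is the part that matters, and it must run before any password or EAP processing.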

Lanwench [MVP - Exchange]

In addition, you can look into LEAP (Cisco supports this - don't know what
your WAP is). However, if you're seeing the issues you are, it sounds like
you aren't even using WEP - I'd force 128-bit WEP and hide the SSID.

Dennis Woodward

Here's the scenario:

We have implemented a laptop program at our boarding school and all students
are required to have a laptop. This is where the problem starts. Because
the students own the laptops, they also have local admin rights.

I can set their username to have any other rights, but they are smart enough
to know that they can change their group by logging in locally (with admin
rights) and granting themselves admin rights.

Along with this, many know how to bypass our proxy server which also does
filtering and port blocking.

I do have WEP enabled on all access points (Shared Key 152-bit) and have had
to configure over 175 wireless clients one by one....ugh!

I am now wanting to force all of these wireless users to log into the
network (to share printers, drives, etc.) in order to get out to the
internet.

Is there a way of doing this? (I am liking what the other reply says about
Server 2003.) Would 2003 offer a better solution to this issue?
