[CS-FSLUG] Radius Server

veritosproject at gmail.com veritosproject at gmail.com
Tue Jun 27 12:10:16 CDT 2006


How about leaving it open (for the church website idea) but then use MAC
authentication for the other users?

On 6/27/06, David Aikema <david at aikema.net> wrote:
> On 6/27/06, Stephen J. McCracken <smccrack at hcjb.org.ec> wrote:
> > Timothy Butler wrote:
> > >       My church has been doing an expansion project, and I'm planning
> > > laying out wireless access points over the whole building to blanket
> > > it with Wi-Fi. This is good in that we could use access in different
> > > rooms much of the time, but bad in that we don't want people to
> > > freely come in with unfettered web access (surfing x-rated material
> > > in a church just isn't something we want to encourage, ya know?).
>
> > 4. Set up Squid (Proxy) and DansGuardian (Web Filter) on your Linux server.
>
> Rather than taking the auto-detectable proxy approach, you could also
> take the transparent proxy approach instead.
>
> > >       Also, if this could be linked to some kind of total authentication
> > > method that would cover Ethernet too, I'm game. It'd be nice if we
> > > could make it necessary to have a user ID to use the wired Ethernet
> > > jacks around the building too. I'm not familiar with the options in
> > > that direction, though...
>
> Something like this would probably work if you were to buy a managed
> switch.  Then you could (at least in the managed switches that I've
> seen) enable and disable ports one at a time.  These are generally
> more expensive than the unmanaged consumer switches, but from a quick
> look at eBay you may be able to find some that won't break the bank.
>
> Authentication systems like NoCatAuth (http://nocat.net/) are more
> targeted at the wireless environment, but they might work with wired
> networks as well (perhaps with a little bit of customization).
>
> > 2. Use a DHCP server on the Linux server rather than the wireless points
> > (set up the wireless in bridge mode).  Deny unknown clients (they'll get
> > a 169.x.x.x address which won't go anywhere).  You'll need a bridge to
> > connect the wireless to the wired network and make one network out of
> > the two (see: http://www.wi-fiplanet.com/tutorials/article.php/1563991
> > and http://tinyurl.com/hxdyz for ideas.)
>
> > a. Rather than denying clients in DHCP, give them another subnet that
> > has a DNS that resolves every address to your Linux server.  Have Apache
> > on your server show a default page with instructions on the steps
> > involved to get authorized to use the network (e.g. Fill out
> > application, Sign usage agreement, Have person "x" set up computer, etc.).
>
> Perhaps beyond just a signup sheet, you could also give everyone who
> wanders by access to your church's website.
>
> Dave
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
>
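
The DHCP split quoted above (registered machines on the normal subnet, everyone else on a subnet that only reaches the instruction page), written as an ISC dhcpd configuration. This is an added example, not from any poster in the thread; the subnets, host names and MAC addresses are constructed placeholders, and it assumes the Linux server holds 192.168.10.1 and 192.168.99.1 on the bridged interface.

```conf
# dhcpd.conf for ISC dhcpd. Constructed example: every address, host name
# and MAC below is a placeholder, not a value from the thread.
authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Registered machines: one host declaration per approved MAC address.
# Having a host declaration is what makes a client "known" to dhcpd.
host office-pc     { hardware ethernet 00:00:5e:00:53:01; }
host pastor-laptop { hardware ethernet 00:00:5e:00:53:02; }

# The access points are bridged onto the wired LAN, so both subnets live
# on the same wire and must be grouped in one shared-network.
shared-network church-lan {

  # Known clients: normal subnet, real gateway and resolver.
  subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    pool {
      range 192.168.10.50 192.168.10.200;
      deny unknown-clients;
    }
  }

  # Unknown clients: walled-garden subnet. The DNS server handed out here
  # is assumed to answer every name with the Linux server's address, and
  # the firewall is assumed not to forward 192.168.99.0/24 anywhere else.
  subnet 192.168.99.0 netmask 255.255.255.0 {
    option routers 192.168.99.1;
    option domain-name-servers 192.168.99.1;
    default-lease-time 300;   # short lease so a newly registered machine moves over quickly
    max-lease-time 300;
    pool {
      range 192.168.99.50 192.168.99.200;
      allow unknown-clients;
    }
  }
}
```

dhcpd treats a client as known purely by the MAC address it reports, so this sorts registered from unregistered machines but does not by itself authenticate a user.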



