Starting over.

We force all pages except a select few to nav to NetReg and force them to go through registration using their account and password for (everything else).

For guests they certainly can just plug into jacks in non-NetReg buildings (once NetReg is everywhere that won’t be the case) or they can use our wireless network which requires VPN. We give out guest VPN accounts but a worker bee has to claim responsibility for the network usage of their guest.

NOT a perfect situation.

And how do you require guests to use VPN? What do they VPN into? I would think you’d want guests to just get Internet access, either through a dirty, unsecure network, or a NAT’ed network so at least they get some protection but have no access to inside.

ISP, eh? Small world

I could have said that in one comment; didn’t.

We have separate subnets, not all are converted over yet because of old wiring in many of our buildings.

So NetReg seems to be a good answer for smaller networks, and seems to also give a decent semblance of security, but I would probably argue for 802.1x authentication, which is one of our next projects. When you have a switch that supports 802.1x, then what happens is you get put into a VLAN based on your authentication, and it can be without the user’s participation.

Everyone know about two-factor authentication? Here’s the gist: you have three ways to prove you are who you say you are: something you have (like a token), something you know (like a username and password) and something you are (biometric - fingerprint, retinal scan). Two-factor authentication is when you have 2 of the 3 things. A smart card with a login is 2 factor. A SecurID card with a 60-second password, combined with a login is 2 factor.

Now, for sake of argument, imagine a Windows domain and Windows machines in that domain. When you join the system to the domain, you can have a group policy automatically add a certificate, signed by the domain controller, to the machine. That’s one form of authentication (something you have; a token). Then, assume the user is logged into the machine with their username and password. That would be the second form of authentication (something you know). Given these two forms, the computer authenticates to the switch, the switch puts them in the appropriate VLAN, and then DHCP server on that segment doles out a specific IP.

The cool thing here is that if the computer does NOT authenticate, it can be put into an unsecure VLAN, given a different address and maybe given NAT’ed internet access but no internal access.

That way, you can open up all the ports in your campus and not worry as much about physical security - you know, how people visitors might come into your conference rooms and “borrow” a network connection, and all of a sudden get access to internal stuff? Properly implemented 802.1x massively minimizes that threat.

We use NetReg because we’re lazy. Register your IPs, stupidasses. (Not you, them.)

When I worked at Scient (my all-time favorite job), we had a neat system that worked well with our environment. We were 1800 consultants in 14 different offices throughout the US. Everyone was at 80% travel or more, so you never knew which office any given colleague was visiting. We heavily employed the use of peer review, conferences, etc and wanted to take advantage of serendipity whenever possible.

So the cool system was this:

A) you connect your laptop to the LAN

B) the DHCP server gives you an address.

(Yes, I realize this doesn’t sound very cool so far, but keep reading.)

C) the DHCP makes note of your MAC address.

(hmm. that sounds interesting)

D) The MAC address is matched against a database of employees kept up to date by IT every time they issue a laptop.

(ok, that sounds maybe a little cool, but what’s the point?)

E) A side process spawns and goes to traverse the switches to find out what port that MAC address was currently connected to.

(alright, that would be a pretty neat script. Are you auditing or something?)

F) Each network port is mapped to a coordinate system on every floor plan of every campus in the same database. So for example, port 4/16 of this switch is actually connected to cube 104 in the east wing.

(whoa, sounds like someone did a lot of work)

G) Each cube is given a set of map coordinates based on the floor plan, such that cube 104 is on this GIF file right about “here”, in xy coordinates, like 645,324.

(someone is a little busy, aren’t they?)

H) The “zone” (what Scient called it’s customized intranet) had an employee lookup page. On that lookup page, when you found an employee by name, number, skillset or whatever, over on the right hand side was a graph of “where am I today?”. Right under that, was a big header listing the name of the campus (ie, Austin, New York, San Franscisco) and the floor (2nd, 3rd), and then below THAT, a floor plan with a big red dot on the cube where the person was.

(gasp! spurt! choke! WHAT?!?!?!? The intranet was a dynamic map telling you where they were parked for the day?!?! OMG! THAT’S SO FREAKING COOL!)

Good refresher and brought back some memories. Thanks.