Lapnet: Difference between revisions
Latest revision as of 12:46, 17 June 2015
Starting in about 1996 we saw an increasing number of users wanting to connect their laptops. Initially in DAMTP we had a couple of special ways to connect them, using dedicated (physical) networks in our main terminal room (the Dungeon). After a while it became clear that this wouldn't scale, so we started looking at other solutions, and since we were upgrading to VLAN-aware switches we used those to provide a (small) number of ports elsewhere on site (this was still in Silver Street, where we were not permitted to re-wire and so mostly had 10base2 networking). These networks were very insecure, because 10base2 is a shared medium: the cables were easy to get at and carried the traffic of many machines.
For the CMS site we were to get shiny new networking, with new switches, patch frames etc. The spec for the equipment included the minimal features we needed to provide something slightly better than we already had, and after talking to suppliers (mainly Cisco) we got some new ideas about authenticated access to the network, using a firewall that opens holes for individual machines as needed.
At about this point the ITS published various recommendations on what levels of security, logging and verification were needed before users' own machines could be connected.
With these in mind (we saw a draft) we wrote our own captive portal (web-based authentication) setup to permit users to connect their own machines (e.g. laptops).
We wrote our own (using Linux iptables, ISC dhcpd, Apache/CGI, and a custom daemon, lapd, which keeps track of the authentication state of devices), mainly because at the time none of the existing systems did what we needed, e.g. keeping the logs required by the ITS rules. A prototype of the setup was in use in 1999 at Silver Street and went to a live pilot during the move to CMS later that year.
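The page lists the four components but not how they fit together. The sketch below is an added illustration, not the DAMTP code: it models a daemon in the spirit of lapd that keeps the per-device authentication state, opens and closes iptables holes keyed on both MAC and IP, expires sessions, and keeps the kind of audit trail that the logging requirement is really about (who held which address at which time). The interface name, portal address, chain name, rule layout, session lifetime and log format are all assumptions; the sample login is constructed. The MAC-and-IP match is also where such a portal's limit lies: a host that clones both of an authenticated device's addresses inherits its session, which is what the later move to 802.1X addresses.

```python
"""Toy model of a captive-portal state daemon in the spirit of the lapd
described above.  Added illustration, not the DAMTP code: the interface
name, portal address, chain name, rule layout and log format are assumed."""
import subprocess

LAPTOP_IF = "eth1"        # assumed: router interface facing the laptop VLAN
PORTAL_IP = "10.0.0.1"    # assumed: address of the Apache/CGI portal host
SESSION_SECONDS = 8 * 3600


def base_rules():
    """Installed once: default-deny forwarding from the laptop VLAN, a chain
    for per-device holes, and the redirect of unauthenticated web traffic."""
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-N", "lapnet-auth"],
        ["iptables", "-A", "FORWARD", "-i", LAPTOP_IF, "-j", "lapnet-auth"],
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", LAPTOP_IF, "-p", "tcp",
         "--dport", "80", "-j", "DNAT", "--to-destination", PORTAL_IP],
    ]


def device_rules(mac, ip, action):
    """Open (action '-I') or close (action '-D') the firewall for one device.
    Matching MAC *and* IP means a host that merely takes an authenticated IP
    does not inherit the session; one that also clones the MAC still does,
    which is the limit of any MAC/IP captive portal and why 802.1X comes next."""
    match = ["-i", LAPTOP_IF, "-s", ip, "-m", "mac", "--mac-source", mac]
    return [
        # -I puts the bypass above the DNAT redirect installed by base_rules()
        ["iptables", "-t", "nat", action, "PREROUTING", *match, "-j", "ACCEPT"],
        ["iptables", action, "lapnet-auth", *match, "-j", "ACCEPT"],
    ]


class Lapd:
    def __init__(self, dry_run=True):
        self.sessions = {}   # mac -> (ip, user, expiry time)
        self.audit = []      # one line per state change, in time order
        self.executed = []   # every iptables command issued (dry run or not)
        self.dry_run = dry_run

    def _apply(self, rules):
        for cmd in rules:
            self.executed.append(cmd)
            if not self.dry_run:       # on the real router: needs root
                subprocess.run(cmd, check=True)

    def _log(self, now, event, mac, ip, user):
        self.audit.append(f"{now} {event} mac={mac} ip={ip} user={user}")

    def login(self, now, mac, ip, user):
        """Called by the portal CGI once it has verified the credentials."""
        mac = mac.lower()
        self.logout(now, mac, "relogin")        # one session per device
        self.sessions[mac] = (ip, user, now + SESSION_SECONDS)
        self._apply(device_rules(mac, ip, "-I"))
        self._log(now, "login", mac, ip, user)

    def logout(self, now, mac, event="logout"):
        mac = mac.lower()
        entry = self.sessions.pop(mac, None)
        if entry is None:
            return False
        ip, user, _ = entry
        self._apply(device_rules(mac, ip, "-D"))
        self._log(now, event, mac, ip, user)
        return True

    def expire(self, now):
        """Housekeeping tick: a laptop left plugged in must not stay
        authorised indefinitely."""
        due = [m for m, (_, _, exp) in self.sessions.items() if exp <= now]
        for m in due:
            self.logout(now, m, "expired")
        return len(due)

    def is_authenticated(self, mac, ip):
        entry = self.sessions.get(mac.lower())
        return entry is not None and entry[0] == ip

    def who_had(self, ip, at):
        """The question an abuse report asks: which user held this IP at this
        time?  Answered from the audit trail, so it outlives the session."""
        user = None
        for line in self.audit:
            ts, event, rest = line.split(" ", 2)
            fields = dict(kv.split("=", 1) for kv in rest.split())
            if int(ts) > at or fields["ip"] != ip:
                continue
            user = fields["user"] if event == "login" else None
        return user


if __name__ == "__main__":
    d = Lapd()                      # dry run: print the commands instead
    d.login(1000, "AA:BB:CC:DD:EE:01", "10.0.1.50", "abc1")   # constructed sample
    d.expire(1000 + SESSION_SECONDS)
    for cmd in base_rules() + d.executed:
        print(" ".join(cmd))
    print("\n".join(d.audit))
```

Run as-is it only prints the iptables commands it would issue and the audit lines; with `Lapd(dry_run=False)` it executes them, which needs root on the router. Note that the audit log, not the live session table, is what answers a later "who had 10.0.1.50 at 14:00?" question, so it should be written to durable storage rather than kept in memory as this toy does.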
We plan to extend this to wireless fairly soon, and of course to add the extra support needed for 802.1X-based authentication for wired and WPA/WPA2 (802.11i) authentication for wireless (see Lapwing, JRS etc).
External Links
Some user documentation can be found at Lapnet, though it doesn't yet mention anything about Raven because we haven't yet re-written all of the docs.
For a few more technical details (very out of date, and also not yet mentioning Raven), see technical.txt.