
Fwd: large campus network ... suggestions

From: Tirla Adrian <tirlaadi(at)gmail.com>
Date: Fri Dec 14 2007 - 14:15:39 EST


hello,

On Dec 14, 2007 1:31 PM, Frederik Kriewitz <kontakt@kriewitz.eu> wrote:
> Certificate based authentication (clients have to reauth every few
> minutes, could be done via browser, automatic refresh...) or use
> certificate based VPN authentication.

Sounds very interesting. Sorry if I'm asking this, but I want to know if you have implemented such a system anywhere, because a major change in authentication even on a server gets me a lot of trouble due to the "air" which is the internet for some students. If you did so, can you tell me the overhead on the server usage (CPU, memory, network load)?

If you know a good tutorial it would be handy. I'll google it. Appreciate it. Thanks.

My "dream" is to authenticate any user independent of browser, OS (or any other specific application). It has to be spoof-free because I want to open all ports, transparent proxy, and traffic shape all non-HTTP ("dream"). Freedom to the world ... they should be happy ... but I also want responsibility ... if you did something illegal ... it is your problem.

I must also take into consideration the fact that not all users know how to configure their browser and internet connection. That's why MAC+IP, static ARP, DHCP was a great idea at the beginning.

> Does the proxy allow all ports (using CONNECT)???
> That's a stupid idea, you just should allow the required ports to be
> used (probably just HTTP(S)).
> That probably should stop most of your students directly tunneling
> traffic through the proxy.

CONNECT is allowed only for 443 TCP, https.


> If they want to tunnel non HTTP(S) traffic through the proxy they'll
> have to use separate endpoint server (establish a tunnel (using the
> proxy) to a dedicated server listening on the HTTPS Port).

Most of the times they tunnel into their corporate networks (where they work).

> AFAIK there is no free service offering this feature. If the remaining
> students who are able to tunnel traffic through the proxy are still a
> problem just monitor the traffic/connection duration to all
> destination IP/Ports, shouldn't be too hard to find the tunnel endpoint
> servers and block them manually ;)

I never said that they don't pay for accounts. They do so! I even had some complaints that they are using paid services and they can't access them ... can you believe that? I keep dropping servers from your-freedom.net but they keep on changing them; also there is surfnolimit bothering me. The IPP2P module for iptables works really great ... I can see my proxy connecting to bittorrent trackers on port 80. I did some ACL regex to prevent that ... and iptables drop on proxy connections if they happen anyways.


Thank you.
I'll look into it and see how it works out for me.

Adrian TIRLA
PS: if you have some links that can keep me away from headaches, I appreciate it.
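The detection approach Frederik suggests above (watch per-destination connection duration and volume on the proxy to find the servers that students tunnel to, then block them) can be scripted against the proxy's own access log. The script below is an added example and is not code from either poster; it assumes Squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, type), uses constructed log lines with documentation IP ranges and `.invalid` host names, and the duration and byte thresholds are arbitrary assumptions to tune for a real campus.

```python
import re
from collections import defaultdict

# Constructed Squid native access.log lines (NOT real traffic). The proxy only
# allows CONNECT to port 443, as in the thread, so every tunnel looks like a
# long-lived, high-volume CONNECT to a single host:443.
SAMPLE_LOG = """\
1197659700.123    1200 10.1.2.3 TCP_TUNNEL/200 18432 CONNECT mail.example.com:443 - DIRECT/198.51.100.10 -
1197659705.456     950 10.1.2.4 TCP_TUNNEL/200 22011 CONNECT mail.example.com:443 - DIRECT/198.51.100.10 -
1197659710.789 3600000 10.1.2.5 TCP_TUNNEL/200 73400320 CONNECT tunnel-endpoint.invalid:443 - DIRECT/203.0.113.5 -
1197663400.001 5400000 10.1.2.5 TCP_TUNNEL/200 94371840 CONNECT tunnel-endpoint.invalid:443 - DIRECT/203.0.113.5 -
1197663500.002 2700000 10.1.2.6 TCP_TUNNEL/200 41943040 CONNECT tunnel-endpoint.invalid:443 - DIRECT/203.0.113.5 -
1197663600.003     300 10.1.2.7 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1197663700.004      80 10.1.2.8 TCP_MISS/403 0 CONNECT blocked.invalid:80 - NONE/- -
"""

# One regex for the native log format; fields are whitespace separated.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Return a dict for one access.log record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]),
        "elapsed_ms": int(d["elapsed"]),
        "client": d["client"],
        "status": int(d["status"]),
        "bytes": int(d["bytes"]),
        "method": d["method"],
        "url": d["url"],  # for CONNECT this is host:port
    }


def summarize_connect(log_text):
    """Aggregate successful CONNECT sessions per destination host:port."""
    stats = defaultdict(lambda: {
        "sessions": 0, "clients": set(), "max_ms": 0, "total_ms": 0, "total_bytes": 0,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only tunnels the proxy actually established (status 200) matter;
        # denied CONNECTs were already stopped by the ACL.
        if rec is None or rec["method"] != "CONNECT" or rec["status"] != 200:
            continue
        s = stats[rec["url"]]
        s["sessions"] += 1
        s["clients"].add(rec["client"])
        s["max_ms"] = max(s["max_ms"], rec["elapsed_ms"])
        s["total_ms"] += rec["elapsed_ms"]
        s["total_bytes"] += rec["bytes"]
    return stats


def suspect_endpoints(log_text, min_session_ms=30 * 60 * 1000, min_bytes=50 * 1024 * 1024):
    """Flag destinations with a very long single session or a large total volume.

    Thresholds (30 minutes, 50 MiB) are assumed starting points, not measured values.
    A normal HTTPS site shows many short CONNECTs; a tunnel endpoint shows a few
    very long ones carrying most of the bytes.
    """
    flagged = []
    for dest, s in summarize_connect(log_text).items():
        reasons = []
        if s["max_ms"] >= min_session_ms:
            reasons.append("session of %d min" % (s["max_ms"] // 60000))
        if s["total_bytes"] >= min_bytes:
            reasons.append("%d MiB total" % (s["total_bytes"] // (1024 * 1024)))
        if reasons:
            flagged.append((dest, sorted(s["clients"]), reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for dest, clients, reasons in suspect_endpoints(SAMPLE_LOG):
        # Review these by hand before adding an ACL or iptables rule; a
        # legitimate long-lived service (e.g. webmail with long polling) can
        # also look like this.
        print("%s  clients=%s  %s" % (dest, ",".join(clients), "; ".join(reasons)))
```

Run it against a real Squid access.log instead of `SAMPLE_LOG` and review the output by hand: the point is to shortlist destinations for manual blocking, as Frederik proposes, not to block automatically, since a long-lived legitimate HTTPS service trips the same heuristic.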

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Fri Dec 14 14:17:20 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:31 EDT

