Wednesday, December 17, 2008

AAA for Wired and Wireless Campus Area Internet Users @IOE Pulchowk

The Center for Information Technology of IOE Pulchowk Campus has been managing Internet users over a Windows NT domain. It has been 4 years since I started working as system/network administrator managing the different servers of the IOE.EDU.NP domain and the SOI system under the WIDE Project. During this period several improvements have been made, such as IOE Mail, bandwidth management, power management, network management and hardware updates. But it is a universal truth that clients are never satisfied with the service.

As a consequence, I set out to remove all the domain controllers running on old P2 Dell servers and replace them with RADIUS authentication on a quad-core 2 GHz Dell server. I found RADIUS authentication the best single solution for wired, wireless and dial-up users, since one user database can then control every kind of user authentication (LDAP is another option). IOE Pulchowk has more than 2000 users on its LAN, so maintaining more than 1500 Internet-enabled machines is no easy task. Virtual LANs on the central backbone switch, two transparent proxies and two RADIUS servers have made the system somewhat more manageable.
ChilliSpot is a captive portal mostly used for wireless Internet access, though it can also be used on a wired LAN (the UAM, Universal Access Method, technique: unauthenticated HTTP requests are redirected to a login page). I designed the system to use ChilliSpot on both the wired and the wireless LAN. ChilliSpot with RADIUS authentication, plus appropriate firewall rules and bandwidth control, is the current implementation of the new authentication system at IOE Pulchowk Campus. Performance remains an open question: it is not yet clear whether the new system has improved Internet access or not.
The central authentication system is expected to have the following benefits:
•Users are recorded together with the MAC/IP address of their machine
•MAC authentication can be implemented
•Fraudulent users can be identified
•Users accessing unnecessary sites can be traced easily
•All user requests pass through the transparent proxy, so performance should improve
•Public IP block saved (private class B IP addressing has been implemented for clients)
•Web based password change option
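To show how these points map onto the gateway configuration, here is an illustrative chilli.conf fragment. It is an added example, not the campus's real configuration: the addresses, hostnames and secrets are constructed, and only the directive names are standard ChilliSpot 1.x ones.

```conf
# Added illustrative chilli.conf fragment (not IOE Pulchowk's configuration).
# Addresses, hostnames and secrets below are constructed placeholders.

# Client-facing interface and the private pool handed out to clients
# (this is what saves the public IP block; class B private range)
dhcpif eth1
net 172.16.0.0/16
dns1 172.16.0.2
dns2 172.16.0.3

# Two RADIUS servers: chilli fails over to radiusserver2 when the
# first one stops answering. The secret must be long and random;
# it is the only thing protecting User-Password on the chilli<->RADIUS leg.
radiusserver1 172.16.0.10
radiusserver2 172.16.0.11
radiusauthport 1812
radiusacctport 1813
radiussecret CHANGE-ME-long-random-secret
radiusnasid chilli-gw1

# UAM: unauthenticated HTTP is redirected to this login page.
# Use https, otherwise every username/password crosses the LAN in clear.
uamserver https://login.example.edu/cgi-bin/hotspotlogin.cgi
uamsecret CHANGE-ME-uam-secret
uamallowed login.example.edu

# MAC authentication: before showing the login page chilli sends the
# client's MAC as User-Name (with macpasswd as password) to RADIUS.
# A MAC address is trivially spoofed, so this identifies a machine,
# not a person; use it only for known devices that cannot log in.
macauth
macpasswd password
```

The two RADIUS entries and the private pool are the parts that correspond directly to the list above; the https requirement on uamserver and the MAC-spoofing caveat are the checks a reviewer would ask for before relying on the MAC/IP records for tracing users.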

There is still difficulty authenticating wireless users who connect through wireless routers: a normal wireless router does not perform any authentication itself, and when it does NAT all of its clients appear to chilli behind the router's single MAC/IP address. Under heavy traffic the chilli and firewall processes also seem not to work properly; the symptoms of frequent connectivity breakdowns need more research and testing.

(Figure: authentication system)

The basic authentication and Internet access flow is as follows:
•When a client browses the Internet, the gateway server running chilli and the proxy redirects the unauthenticated client to the authentication page.
•The client supplies a username and password, which chilli forwards to the RADIUS servers for validation.
•The RADIUS server replies to chilli with the validation result (Access-Accept or Access-Reject); an accepted user is authenticated and his/her subsequent requests are forwarded to the transparent proxy.
•A user remains online, and visible in the user list, until he/she logs out.
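The second and third steps above are a RADIUS Access-Request/Access-Accept exchange. The following Python script is an added example (not ChilliSpot or FreeRADIUS code) that simulates both sides in one process: the NAS side hides the portal password the way RFC 2865 PAP does and checks the Response Authenticator on the reply, the server side recovers the password and answers Accept or Reject. It assumes PAP rather than the CHAP challenge ChilliSpot's login page can also use, and the shared secret, user database and client MAC are constructed.

```python
"""Added example, not ChilliSpot/FreeRADIUS code: the chilli <-> RADIUS exchange behind
the portal login, both sides simulated in one process (PAP; secret, users and MAC constructed)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CALLING_STATION_ID = 1, 2, 31
SHARED_SECRET = b"testing123"              # assumption: secret shared by chilli and RADIUS
USER_DB = {"student1": "correct horse"}    # constructed user database


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with an MD5(secret + previous) chain."""
    n = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(n, b"\x00"), b"", req_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; needs the same secret and Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1) Value TLVs; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    if i != len(data):
        raise ValueError("trailing bytes after attributes")
    return attrs


def nas_access_request(username: str, password: str, client_mac: str, ident: int = 1):
    """NAS side (chilli): wrap the portal credentials in an Access-Request."""
    req_auth = os.urandom(16)                       # fresh random Request Authenticator
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth)),
        (ATTR_CALLING_STATION_ID, client_mac.encode()),   # client MAC, as chilli reports it
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def radius_server_handle(packet: bytes) -> bytes:
    """RADIUS side: look the user up and answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    stored = USER_DB.get(user)
    ok = stored is not None and hmac.compare_digest(given, stored.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # no reply attributes are sent in this example, so the attribute part is empty.
    return header + hashlib.md5(header + req_auth + SHARED_SECRET).digest()


def nas_check_response(response: bytes, req_auth: bytes, ident: int) -> bool:
    """NAS side: trust a reply only if its authenticator proves it came from the RADIUS server."""
    if len(response) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False                                     # forged reply or wrong shared secret
    return code == ACCESS_ACCEPT


def portal_login(username: str, password: str, client_mac: str) -> bool:
    """One login attempt end to end, both sides in-process."""
    request, req_auth = nas_access_request(username, password, client_mac, ident=42)
    return nas_check_response(radius_server_handle(request), req_auth, 42)
```

Two things worth noticing when running it: the password is only XOR-masked with an MD5 stream keyed by the shared secret, so the chilli-to-RADIUS leg is exactly as strong as that secret, and the Response Authenticator is what stops anyone on the path from turning a Reject into an Accept (flip the code byte of a reply and nas_check_response refuses it). The browser-to-portal leg is not covered here at all; that is where https on the login page matters.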

(Figure: list of users with the IP/MAC address of their machines accessing the Internet)