Re: large campus network ... suggestions
On Fri, Dec 14, 2007 at 09:57:21PM +0200, Tirla Adrian wrote:
> Hello Willi,
> On Dec 14, 2007 6:11 PM, Willi Mann <firstname.lastname@example.org> wrote:
> > > I'm interested in a better authentication method than registering all
> > > the MACs+IPs of all my users (which after all is just dust in the wind
> > > ...) using my current hardware (16 servers, 1 for at least 250
> > > clients). I was thinking about ppp based authentication but it doesn't
> > > look very scalable and secure ... am I wrong?
> > openvpn might be an easier solution.
> I was thinking also openvpn ... but I believe it is going to kill the
> CPUs of all my servers (at least 250 users per server) ... and if
> openvpn (never tried to actually use it) creates like all ppp daemons a
> pppx tunnel which is encrypted ... my firewall is going to be a mess
> ... rules for all tunnels? ... or ... am I missing something?
> Have you ever used openvpn with more than 200 clients/tunnels on the
> same machine? If you did, can you tell me what kind of hardware you
> possess?
[disclaimer: I work for INL, the company developing NuFW]
802.1x won't help (spoofable, and hard to deploy), nor openvpn (which
would kill your server).
You might want to have a look at NuFW, an authenticating firewall.
It is based on a client installed on workstations, to authenticate
connections. Unlike methods based on ip, mac address or whatever, it
does not make an association ip == user, so it can even differentiate
users on the same workstation, and apply different rules.
You can find a technical description, and a schema.
All packets can be logged with user information in a database.
NuFW is free (both in free beer and free speech), except for the windows
client. The other clients and tools for administration, NuFace and
NuLog, are also free and opensource.