Network Registration and User Tracking


Network Registration and User Tracking
An Open Source Approach
Mark Berman
Ashley Frost
Williams College
In The Beginning…
And on the Second Day…
And Ralph Created DHCP
And it was good.
Ralph Droms was author of most of the DHCP RFCs
Durga is the Hindu Mother Goddess. She kills demons!
Wasn’t It?
Problems to Solve:
• Self Service Registration
• Ownership and Location Tracking
• VLAN Assignment
• Quarantine Unregistered Machines
Problem Solver:
Ashley Frost
Senior Network & Systems Administrator
Williams College
Autohost
Automatic Host Registration and Maintenance
Challenges
• Every year over 500 new students arrive on campus with computers that need to be registered.
• This involves verifying identities, recording MAC addresses of the new hosts, and assigning unused static IP addresses within the appropriate VLANs.
The Real Challenges
• Most students arrive on the same day
• They often have no virus protection and probably have one or more viruses.
• Students depend on immediate network access for other services such as course registration.
How we used to do it…
• All hands on deck!
• Long lines
• Badly handwritten notes with usernames and MAC addresses
• Confused users
• Data entry and the typos that go with it
Then we got a little smarter…
• We found a non-intrusive way to tie an authenticated username to a MAC address
• Unix login scripting: Autohost v1-3
• Client passes Authenticated Identity w/ IP address
• Server checks IP against dynamic DHCP lease database and registers user if new.
Better, but still more to do
• No more waiting to register. “Yay!”
• No more slips of paper. “Yay!”
• Requirement to log into unix timeshare to register a host.
• Sometimes students would register themselves to lab machines. “Boo!”
• No protection from unregistered hosts with viruses. “Boo!”
Also…
• Limited management capability via a text-based menu system
• No easy mechanism for registering multiple hosts to one user
• No information available about host location
• No provision for expiring hosts
Autohost IV
• Web based interface for all operations
• Integrated with LDAP
• VLAN Aware
• No requirement for unix login
• Multiple privilege levels for host maintenance (User, Support Desk, Admin)
• Intuitive for end-users
Nuts and Bolts
• All unregistered hosts (hosts not in a Cisco VMPS table) fall into the default “unregistered” VLAN.
• Simple rigged DNS responder in unregistered VLAN
• DHCP for unregistered VLAN assigns this rigged responder as the primary nameserver
Registration
• Prior to logging in, users see information about virus removal tools
• Users authenticate against unix via IMAP but could also use LDAP
• LDAP provides additional info such as full name and status (faculty/staff/student)
• Users are given a list of prior registered hosts and a chance to delete them
Registration continued
• Additional voluntary information can be entered such as Host Location & Type
• Some fields may be modifiable by support staff that are presented as static fields to end-users, e.g. Hostname, VLAN, Expiration Date
• Finally, a thank you message with further instructions
Behind the Scenes
• Hosts are registered as LDAP records
• Extensive error checking for every host
• Separate utilities build configuration files from this database for static DNS and DHCP assignments
• A Cisco VMPS table is constructed from this database and downloaded to the switches
Host Maintenance
• Multiple tiers of privilege separation
• e.g. Support desk can register hosts for other users, but cannot modify anything in the Server VLAN
• Switching a host from one VLAN to another is as simple as selecting one from a dropdown list.
• All new hosts are entered with some default expiration time
Putting it all together
• Small server for fake DNS responder
• Primary DNS/DHCP/Web server with two network interfaces
• Apache + PHP + LDAP + IMAP support
• OpenLDAP
• gen-dns, gen-dhcp, gen-vmps scripts
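The "Behind the Scenes" step and the gen-dns / gen-dhcp / gen-vmps scripts in one compact form, as an added example that is not the Autohost code: it checks constructed registration records the way the slides describe (malformed MAC, expired host, and duplicate MAC or IP are rejected before any configuration is written) and then emits ISC dhcpd host stanzas, forward-zone A records, and a Cisco VMPS database whose fallback is the unregistered VLAN. The record field names, the sample data, and the VMPS domain name are assumptions.

```python
import re

# Constructed sample records shaped like the per-host LDAP entries the slides describe (field names assumed).
FIELDS = ("host", "mac", "ip", "vlan", "expires")
HOSTS = [dict(zip(FIELDS, r)) for r in [
    ("jdoe-laptop", "00:11:22:33:44:55", "10.1.0.10", "students", "2030-09-01"),
    ("asmith-pc", "00-11-22-33-44-66", "10.1.0.11", "students", "2020-09-01"),  # expired
    ("hd-test", "zz:11:22:33:44:77", "10.2.0.5", "servers", "2030-09-01"),      # bad MAC
    ("bwong-pc", "0011.2233.4455", "10.1.0.12", "students", "2030-09-01"),      # dup MAC
]]

def norm_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    m = re.sub(r"[:.\-]", "", mac.lower())
    return m if re.fullmatch(r"[0-9a-f]{12}", m) else None

def validate(hosts, today):
    """Split records into (valid, errors); 'today' is an ISO date string (YYYY-MM-DD)."""
    valid, errors, seen_mac, seen_ip = [], [], set(), set()
    for h in hosts:
        mac = norm_mac(h["mac"])
        if mac is None:
            errors.append(f"{h['host']}: malformed MAC {h['mac']}")
        elif h["expires"] < today:          # ISO dates compare correctly as strings
            errors.append(f"{h['host']}: expired {h['expires']}")
        elif mac in seen_mac or h["ip"] in seen_ip:
            errors.append(f"{h['host']}: duplicate MAC or IP")
        else:
            seen_mac.add(mac)
            seen_ip.add(h["ip"])
            valid.append({**h, "mac": mac})
    return valid, errors

def gen_dhcp(valid):
    """ISC dhcpd 'host' stanzas giving each registered MAC its static IP."""
    colon = lambda m: ":".join(m[i:i + 2] for i in range(0, 12, 2))
    return "".join(f"host {h['host']} {{\n  hardware ethernet {colon(h['mac'])};\n"
                   f"  fixed-address {h['ip']};\n}}\n" for h in valid)

def gen_dns(valid):
    """Forward-zone A records for the registered hostnames."""
    return "".join(f"{h['host']}\tIN\tA\t{h['ip']}\n" for h in valid)

def gen_vmps(valid, fallback="unregistered"):
    """Cisco VMPS database text (domain name is a placeholder); unlisted MACs fall back to the quarantine VLAN."""
    dotted = lambda m: ".".join(m[i:i + 4] for i in range(0, 12, 4))
    head = (f"vmps domain CAMPUS\nvmps mode open\nvmps fallback {fallback}\n"
            "vmps no-domain-req deny\n!\nvmps-mac-addrs\n")
    return head + "".join(f"address {dotted(h['mac'])} vlan-name {h['vlan']}\n"
                          for h in valid)
```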
Tying it in with Network Management
Questions?