Register Machines on College Network

VeeDubbs

Hi All -

It's that time of year again when all the students move back into campus and we force them to register their computers with us, which, in turn, makes a lot of work for ourselves.

Here's what we require:

Uninstall any anti-virus you currently have
Install our antivirus -- Symantec Corporate Edition (free of charge)
Have current virus definitions (no more than 30 days old)
Connect to our WLAN (not required, but 99.999% of people do it)
Run our validator agent (checks your OS, anti-virus and virus defs)
Register with your Novell username & password

I'm interested as to what other Colleges require to get on the network. As I said this seems to cause us a lot more work on our end. We hand out simple instructions (or the instructions are on the screen) but I guess people just don't want to follow them or know how to follow them -- or don't even try to follow them.

Anybody have something simple they are doing?

Thanks!
 
We don't register our students' PC's. Like you said, it would just create too much work, especially for small institutions, and I don't really see the point of joining them to our domain just to be able to push some policies or what not to their PC.

We just provide them with a downloadable Symantec AntiVirus and VLAN them completely from our internal network with very strict ACL's. We are looking into implementing network admission control.
 
When I went to University of Northern Iowa ~3 years ago they pretty much required exactly what you just said.

There was no validator agent though. Exact same antivirus too.
 
Washington and Lee uses your exact system.

I'm assuming you use Groupwise as well?
 
versello -

Could you explain more?

You just offer them the antivirus and hope they put it on? As for VLANs, do you just throw the different dorms on VLANs or does each student have their own VLAN, or each room? What kind of statements are in your ACLS? This has caused no issue for you?

lostmatt - no, we are not using groupwise - have looked into it though...
 
My old neighbor was IT director of a large college....a few years ago he was telling me of a new NAC unit he was putting in.

What it did....

The first time a student's PC is plugged into the network...it is automatically put to a different subnet...where they are offered antivirus, and Microsoft updates through an intranet page.

The NAC "sniffs" the student's computer...and automatically does this.

Until the computer does have an approved, and updated antivirus program, and until it has the required Microsoft security patches/updates.....it is not let onto the main network. Once it has the above pre-reqs...it is then allowed onto the main network.

All done automatically.
 
Pretty much we hope that they put it on. I've scripted a completely automated install where they just click "Install" and it does the rest.

In the event of a virus outbreak, it's pretty much just limited to whatever subnet they're on, which in this case is a dorm vlan of about 250 nodes. Our ACL's are set up to allow all outbound which eventually goes through our packet shaper, but only DNS, HTTP and HTTPS to internal websites. We don't allow them to connect to our file server or any of that, and the only reason we poke a hole is for Outlook e-mail which will eventually be offsited to Google Apps or Microsoft Live@EDU. For internal lab/staff PC's, we also have host-based firewalls set up. As long as the student traffic doesn't hit our servers directly, I'm happy with how we have it set up. Having a VLAN for each student or each room would create an administrative nightmare.

In my 2.5 years as network engineer here, we've never had any major virus problems. Like I said in my original post though, network admission control is the way to go if you want it done the better way.
 
The Cisco NAC is a nice tool, but most students here are either:

A - Not tech-savvy enough to figure out how to install it (Next, Next, Finish install)
B - Plugged into the wrong wall port (You know, the one labeled "Phone", not "Network")
C - Have a laptop/PC riddled with so much malware that any configuration is nearly impossible
D - Running an OS that is just too much for their bargain-bin laptop (Vista, I'm looking at you)

A lot of the troubleshooting could be cleared up with vendors actually selling laptops and PCs that can comfortably run Vista, and are not doused with pre-installed "bonus apps" from the factory. We are actually thinking about just moving the student networks completely off of our network (VLANs and ACLs keep them separate now) and getting a dedicated circuit for them. Cisco Clean Access is great if you have the staff and infrastructure to keep up with it.

Forgot an option

E - All of the above
 
Thanks blk95civicex - that was going to be my next question.

For those of you with NACs how truly automatic is it? Does it really save enough staff time to off-set the cost?
 
I myself have never used NAC (Clean Access), but my old roommate did throughout his 4 years of college (he managed the network environment for SIU). He would always rant and rave how great Clean Access was, and it did sound like it was very efficient.

How I understand it is you need to log in with a particular client (Windows, Mac and now Linux), your PC is then inspected for the proper security patches, software, etc... If you do not have the proper requirements you are put into a remediation VLAN where you are given limited access (to get required patches, software), or are given no access whatsoever (it's what you choose). Log off each user at the end of the day so they have to go through the checks daily (no p2p :p)

I would def. look into NAC, manually registering laptops for every student is EXTREMELY inefficient.
 
Thanks xphil3 --

I understand how it works and everything as we've been given demos by various vendors. I'm just curious if it truly cuts back on student questions. Because from what I've seen in the last few days here (and the first week of school for the past 5 years) is that students:

A: don't know what to do
B: don't want to try
C: don't read instructions
D: assume someone else will do it for them
E: don't know much about general computing
 
What do you do for Macs and Linux machines? This sounds really annoying.

None of my schools required anything like this. UT Austin required you to log in each time you connected or set up 802.11x.

MIT just requires you to register your MAC address
 
I'm just curious if it truly cuts back on student questions. Because from what I've seen in the last few days here (and the first week of school for the past 5 years) is that students:

A: don't know what to do
B: don't want to try
C: don't read instructions
D: assume someone else will do it for them
E: don't know much about general computing

I see the same thing for about the week leading up to move-in and about two weeks after the start of a semester.
 
Damn, if I were still in college and they forced all the crap onto my PC, I wouldn't use their network.
 
Our network, our rules. ;)

I know, I would probably be the same way. I would probably get my own connection and not have to worry about any of it.
 
Where I go, we only have to register our computers via an automated registration tool using our Novell login. During registration, you have to accept the terms of use. No software, except for wireless as it uses EAP-TTLS.
 
Of course when I went to college they had 4 class C subnets of real IP's. Everything was wide open. No firewall, nothing, just one big network! :eek:

This was 10 years ago.

I ran an audio streaming server out of my campus apartment :cool:
 
Sorry, but I would laugh at you if you told me to install Symantec; that's like telling me to put AOL on my computer... much easier to ad hoc someone's laptop/computer.
 
Pretty much the same thing, although we use McAfee.

And OH MY GOD..... I would hope College would prepare those that choose to go for such things as FOLLOWING INSTRUCTIONS.
 
Their network, their rules. I'm sure though they'd be more than willing to show you where the closest computer lab is than having an unprotected system on their network. It's not like telling you to put AOL, it's more like getting vaccinated before going back to school.
 
I have no problem with AV, I just have a problem with Symantec. But you are right: their network, their rules. I'd figure out a way to get on the net without Symantec.
 
Good luck. The programs that most schools have that go through these procedures will check your machine, will see that you don't have Symantec, and will not let you on. No matter how you slice it.

Doesn't hurt to play by the rules, sometimes.
 
I just registered my laptop with my university yesterday and all I had to do was give them my MAC address. Took me a whopping 30 seconds to register and I was good to go.
 
Also, many schools have worked out a license agreement with the vendor that the school uses to provide a free AV software package to students. You can set up Clean Access to check for a variety of AV suites, as long as one is installed. If it finds that one is not installed, it can link you to a few sites to get an AV suite, or give the option to download one from the local server.
 
If you're in the dorms I'd go and ask the Computer networking services people what your options are. They may just be looking for just an AV suite to be installed. It never hurts to ask.
 
I have no problem with AV, I just have a problem with Symantec. But you are right: their network, their rules. I'd figure out a way to get on the net without Symantec.
good luck zerocool :rolleyes:
 
WOW at the University of Southern Indiana, we have to put in our id number and password and are good to go....
 
Only if your vaccine is a cumbersome giant plastic suit that you have to wear whenever you go to school..
 
Also, many schools have worked out a license agreement with the vendor that the school uses to provide a free AV software package to students. You can set up Clean Access to check for a variety of AV suites, as long as one is installed. If it finds that one is not installed, it can link you to a few sites to get an AV suite, or give the option to download one from the local server.

I had avast, and it couldn't detect it. Then I got AVG, and it still couldn't. No way I was going to install McAfee. Ended up having to run Windows in a VM.

Luckily unix and unix-like systems don't have to go through that 20 step checking process.
 
I just set this crap up here at my school, and I don't like it. Installation was simple: just open up a web browser, download the NAC client, run the NAC client and have it tell me I don't have the proper antivirus, so it gives me the link where I can download McAfee for free, but I don't want that crap, and it is On-Access scan and using over 80MB of RAM and other resources.

My setup was pretty much the same as the OP described but if you do not meet the requirements the NAC wants you still get access for 2 hours before being logged out.
 
At UT, it's mostly plug and pray. They say to have anti-virus on your computer but I don't know how they really enforce it. They sell McAfee for 5 dollars to students. Personally the biggest problem I see is when people plug their network cables into the phone jacks :D
My freshman year, I helped a lot of people who 'couldn't get internet' because of just that...gotta love it!
 
It shouldn't really be a lot of work. Some of our clients just create a little php script that the students can access (usually with some password from the mail or some other source) and they just enter their MAC at year's beginning. The program puts it into a database, and then there's a script to create the rules for DHCP or the shaper that's used for access security.

We recommend giving each student a rule on the shaper that manages each IP's or MAC's bandwidth in a way that they don't have to worry about viruses. If the client used too much bandwidth, it will pretty much shut them down until they fix it. And they're easy to find with the network monitor, or just looking for IPs with excessive packet drops.

It's the same amount of work for 200 or 40,000 students.

David
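
The MAC-to-DHCP step described in the post above, as an added example (not the poster's or any client's script). It assumes ISC dhcpd `host` declarations as the output format and a list of (username, MAC) rows pulled from the registration database; the function names, username pattern and sample rows are constructed. Because the MAC is typed in by the student and ends up in a server config file, it is normalized and strictly validated before anything is written.

```python
import re

# Constructed sample rows (username, MAC as typed), standing in for the database.
SAMPLE_ROWS = [
    ("jdoe", "00-1A-2B-3C-4D-5E"),    # Windows ipconfig style
    ("asmith", "001a.2b3c.4d5f"),     # Cisco dotted style
    ("bwong", "00:1a:2b:3c:4d:5e"),   # same adapter as jdoe
    ("mallory", "00:11:22:33:44:55; } option routers 10.0.0.66; #"),
    ("rlee", "ff:ff:ff:ff:ff:ff"),    # broadcast, never a real NIC
    ("tkim", "02:00:5e:10:00:01"),    # locally administered bit set
]
_HEX12 = re.compile(r"[0-9a-f]{12}")
_USER = re.compile(r"[a-z][a-z0-9]{0,30}")  # assumed username format

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff or raise ValueError; nothing else passes."""
    s = raw.strip().lower()
    for sep, group in ((":", 2), ("-", 2), (".", 4)):
        if sep in s:  # one separator style only, with exact group sizes
            parts = s.split(sep)
            if len(parts) != 12 // group or any(len(p) != group for p in parts):
                raise ValueError("malformed MAC")
            s = "".join(parts)
            break
    if not _HEX12.fullmatch(s):
        raise ValueError("malformed MAC")
    if int(s[:2], 16) & 0x01 or s == "0" * 12:
        raise ValueError("multicast, broadcast or null address")
    return ":".join(s[i:i + 2] for i in range(0, 12, 2))

def build_dhcpd_hosts(rows):
    """Return (config_text, rejected) where rejected lists (user, reason)."""
    lines, rejected, seen = [], [], {}
    for user, raw in rows:
        try:
            if not _USER.fullmatch(user):
                raise ValueError("bad username")
            mac = normalize_mac(raw)
            if mac in seen:
                raise ValueError("already registered to " + seen[mac])
        except ValueError as err:
            rejected.append((user, str(err)))
            continue
        seen[mac] = user
        # Locally administered addresses are often software-set; flag for review.
        note = "  # locally administered" if int(mac[:2], 16) & 0x02 else ""
        lines.append("host %s-%d { hardware ethernet %s; }%s" % (user, len(seen), mac, note))
    return "\n".join(lines) + "\n", rejected
```

The generated hosts only restrict leases when the dhcpd pool also carries `deny unknown-clients;`. A MAC address can be changed by the client, so this scheme records who registered a device rather than authenticating it.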
 