Question : Control internet access for specific group of students, maybe with IAS or ISA server, suggestions ?

Hello everyone,

I have been given the job of a business school, to make or find a system that allow teachers to disconnect the wireless network for a specific group of students, so they cant access the internet when they have lessons and hopefully therefore pay more attention to the teacher than they currently do.

The business school setup looks like this:

1. They are using Cisco 1130AG Aircon Access Points (AP)
2. APs Connect to the WDS (controller), WDS validate user with IAS service.
3. IASs validate the user against a group of active teams at the school
4. All students' laptops are outside domain and we are talking about. 800 laptops.

I would consider myself to have a fair bit of knowledge in wireless setups, IAS and ISA server, so I've looked at the possibilities within IAS and ISA server, but I cant think of a solution which meets the requirements.

I think the requirements gets difficult because the laptops is not in domain and the laptop is the student own, we cant install any script or software on the laptops.

We had in mind to make a website or some sort of graphic script surface that the teachers can access and manage students' wireless access, so they can disable internet access when they are teaching.

With my little understanding I think of a system that validate access through AD group membership as the only solution.

I hope that some of you masterminds on this forum can give me a push in the right direction J

Im open for all suggestions Im also up for ideas that include new hardware or software purchase

Answer : Control internet access for specific group of students, maybe with IAS or ISA server, suggestions ?

ISA should always (where possible) be a domain member anyway so that you CAN use AD if you wanted as opposed to just a simplified LDAP query - both work but AD membership for the ISA box is best-practice.

However, ISA operates at layer 3 and above up to layer 7 - therefore whether the machines are members of the domain is really irrelevant apart from your own control of which machines can be used.

ISA has absolutely NO idea whether a MACHINE is authenticated within AD or not. ISA DOES care though whether the USER is a domain member or not.

The machines are normally configured through dhcp using option 252 and the wpad file thereby setting the proxy entries within the browser to ensure all users go through proxy (ISA) in the first place. Because this is a dhcp setting, it only applies to when users are on your networks and requires no installation of software.

If the users have AD accounts then you can control them normally. If they do not then in reality, you should not even be allowing them onto your network in the first place.

In the latter condition, I would personally add another NIC to the ISA server and let them connect through there to the internet whilst publishing internal services - effecdtively a three-legged template implementation.

Random Solutions

DHCP and default gateway

NIC Agent: Connectivity has been lost for the NIC in slot 1, port 1 - regularly reported in Microsoft Small Business Server 2003 Premium Server Performance Report.

Telenet Problem Port 23 to Mail Servers (Yahoo/Hotmail) - Win XP Home - Can Telnet to Others (i.e., 216.86.77.194)

DNS mess duplicate entries with different IP

Windows cannot locate the server copy of your roaming profile

Cannot copy Video.Zip: The path is too deep (Windows XP)

Looking for a Traffic Analyzer

can't ping dmz zone ip through checkpoint firewall

How Can I Trace a Private IP for an Unknown Host?