Question: Control internet access for a specific group of students, maybe with IAS or ISA Server, suggestions?

Hello everyone,

I have been given the job by a business school to make or find a system that allows teachers to disconnect the wireless network for a specific group of students, so they can't access the internet when they have lessons and hopefully therefore pay more attention to the teacher than they currently do.

The business school setup looks like this:

1. They are using Cisco 1130AG Aironet Access Points (APs).
2. The APs connect to the WDS (controller); the WDS validates users with the IAS service.
3. The IASs validate the user against a group of active teams at the school.
4. All students' laptops are outside the domain, and we are talking about 800 laptops.

I would consider myself to have a fair bit of knowledge in wireless setups, IAS and ISA Server, so I've looked at the possibilities within IAS and ISA Server, but I can't think of a solution which meets the requirements.

I think the requirements get difficult because the laptops are not in the domain and are the students' own; we can't install any script or software on the laptops.

We had in mind to make a website or some sort of graphic script surface that the teachers can access and manage students' wireless access, so they can disable internet access when they are teaching.

With my little understanding, I think of a system that validates access through AD group membership as the only solution.

I hope that some of you masterminds on this forum can give me a push in the right direction :)

I'm open to all suggestions. I'm also up for ideas that include new hardware or software purchases.

Answer: Control internet access for a specific group of students, maybe with IAS or ISA Server, suggestions?

ISA should always (where possible) be a domain member anyway so that you CAN use AD if you wanted as opposed to just a simplified LDAP query - both work but AD membership for the ISA box is best-practice.

However, ISA operates at layer 3 and above up to layer 7 - therefore whether the machines are members of the domain is really irrelevant apart from your own control of which machines can be used.

ISA has absolutely NO idea whether a MACHINE is authenticated within AD or not. ISA DOES care though whether the USER is a domain member or not.

The machines are normally configured through DHCP using option 252 and the wpad file, thereby setting the proxy entries within the browser to ensure all users go through the proxy (ISA) in the first place. Because this is a DHCP setting, it only applies when users are on your networks and requires no installation of software.

If the users have AD accounts then you can control them normally. If they do not then in reality, you should not even be allowing them onto your network in the first place.

In the latter condition, I would personally add another NIC to the ISA server and let them connect through there to the internet whilst publishing internal services - effectively a three-legged template implementation.
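
The wpad file the answer refers to is a JavaScript proxy auto-config (PAC) script. The following is an added example, not part of the original answer, of one that sends everything except internal hosts through the proxy with no direct fallback. The proxy host and port, the DNS suffix and the address ranges are assumptions.

```javascript
// wpad.dat sketch: constructed example; all names and ranges are assumptions.
var PROXY = "PROXY isa.school.example:8080";  // hypothetical ISA proxy listener
var INTERNAL_SUFFIX = ".school.example";      // hypothetical internal DNS suffix
var INTERNAL_NETS = [["10.0.0.0", 8], ["192.168.0.0", 16]]; // hypothetical ranges

// Dotted-quad IPv4 text -> number, or -1 when the text is not an IPv4 literal.
function ipv4ToInt(text) {
  var parts = text.split(".");
  if (parts.length !== 4) return -1;
  var value = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    value = value * 256 + Number(parts[i]);
  }
  return value;
}

// True when ip (a number) falls inside base/bits.
function inNet(ip, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
}

function isInternal(host) {
  host = host.toLowerCase();
  // Plain single-label name such as "intranet" (IPv6 literals are excluded).
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  var ip = ipv4ToInt(host);
  if (ip >= 0) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (inNet(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
    }
    return false;
  }
  // Anchor the suffix at the end so "x.school.example.other.test" does not match.
  var tail = host.length - INTERNAL_SUFFIX.length;
  return tail >= 0 && host.indexOf(INTERNAL_SUFFIX, tail) === tail;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  return PROXY; // no "; DIRECT" fallback: if the proxy is unreachable, requests fail
}
```

A PAC file only configures clients that honour it, so the restriction holds only if the firewall also denies outbound web traffic that does not come through the proxy.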