Thursday, January 17, 2013

1.1 Networking series - Setup

Some interesting and useful details on our config:

Our Fortigate unit uses the FSSO agent installed on our DC to get user IDs. It is also used to do traffic shaping and web filtering for all connections. The unit sits on the edge and manages all traffic between our various LANs and the two WLAN connections we have.

In the institution, we have Wi-Fi available everywhere. We are using Aerohive APs. These are thick clients that can work without a controller and may also take on additional roles. In our setup, the controller is used only for statistics and for pushing new configs. Three access points are configured as redundant RADIUS servers and one acts as an Active Directory authenticator.
This means that the wireless network is very resilient and places little load on the AD: the APs cache user logins and group memberships. At the same time, user profiles are modified in real time according to the user's behaviour and the device they are using. For example, an admin using a wireless device will be placed in a special group that has less access than his/her normal profile.

All of this works normally until we want to use the Fortigate unit to do accounting/web quota for users coming from wireless. The machines that belong to our institution are registered in AD. The machines that belong to users are not. As a result, web quota does not work for them.
Can we do it somehow? Can we optimize our network traffic and identify, at the Fortigate, all users (even if they are on their own device)?
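To make the gap concrete, here is a small constructed model of the identity chain the setup above relies on: AD logon events feed an FSSO IP-to-user table, and the firewall charges web traffic against a per-user quota by looking up the source IP in that table. This is an added example written for this post, not Fortinet or Aerohive code, and every user, group, IP address, subnet and quota value in it is made up. It also models the post's "admin on wireless gets a restricted group" rule as a simple function, and it shows what a defender should watch for: traffic from addresses with no identity mapping (the personal devices) is never charged to anyone and should at least be counted and reported rather than silently dropped from the quota view.

```python
"""Constructed model of: AD logon events -> FSSO IP-to-user table ->
per-user web quota on the edge firewall. Added example, not vendor code.
All names, groups, IPs, subnets and byte counts below are assumptions."""
from dataclasses import dataclass, field

# Constructed AD group membership (assumed users and groups).
AD_GROUPS = {
    "alice": {"staff"},
    "bob": {"staff", "domain-admins"},
}

# Constructed FSSO logon events. Only domain-joined machines produce these,
# because the FSSO collector reads Windows logon events from the DC.
FSSO_LOGONS = [
    {"ip": "10.1.10.21", "user": "alice", "machine": "LAB-PC-21"},
    {"ip": "10.1.20.5", "user": "bob", "machine": "ADMIN-LAPTOP"},
]

WIRELESS_SUBNETS = ("10.1.20.",)           # assumption: WLAN uses 10.1.20.0/24
DAILY_QUOTA_BYTES = 500 * 1024 * 1024      # constructed 500 MB/day quota


def build_ip_user_table(logons):
    """Latest logon wins for an IP, as an IP-to-user cache would behave."""
    table = {}
    for ev in logons:
        table[ev["ip"]] = ev["user"]
    return table


def is_wireless(ip):
    return ip.startswith(WIRELESS_SUBNETS)


def effective_group(user, ip):
    """Model the post's rule: an admin connecting from a wireless device is
    placed in a restricted group instead of keeping the full admin profile."""
    groups = AD_GROUPS.get(user, set())
    if "domain-admins" in groups and is_wireless(ip):
        return "wireless-restricted"
    if "domain-admins" in groups:
        return "domain-admins"
    return "staff" if "staff" in groups else "unknown"


@dataclass
class QuotaReport:
    used: dict = field(default_factory=dict)        # user -> bytes charged
    over_quota: set = field(default_factory=set)    # users past the daily quota
    unresolved: list = field(default_factory=list)  # flows with no identity


def account_flows(flows, ip_user):
    """Charge web traffic to users. A flow whose source IP has no FSSO entry
    (a personal device that never logged on to AD) cannot be charged to any
    quota, so it is recorded as unresolved for visibility."""
    report = QuotaReport()
    for f in flows:
        user = ip_user.get(f["src"])
        if user is None:
            report.unresolved.append(f)
            continue
        report.used[user] = report.used.get(user, 0) + f["bytes"]
        if report.used[user] > DAILY_QUOTA_BYTES:
            report.over_quota.add(user)
    return report


# Constructed flow records. 10.1.20.77 is a personal phone on the WLAN: it
# authenticated to the AP's RADIUS server but never produced an AD logon event.
SAMPLE_FLOWS = [
    {"src": "10.1.10.21", "bytes": 300 * 1024 * 1024},
    {"src": "10.1.10.21", "bytes": 250 * 1024 * 1024},
    {"src": "10.1.20.5", "bytes": 50 * 1024 * 1024},
    {"src": "10.1.20.77", "bytes": 900 * 1024 * 1024},
]


def run_demo():
    """Build the identity table and account the sample flows against it."""
    table = build_ip_user_table(FSSO_LOGONS)
    return table, account_flows(SAMPLE_FLOWS, table)


if __name__ == "__main__":
    table, report = run_demo()
    for user, used in report.used.items():
        mb = used // (1024 * 1024)
        print(f"{user}: {mb} MB used, over quota: {user in report.over_quota}")
    print("bob on wireless ->", effective_group("bob", "10.1.20.5"))
    unattributed = sum(f["bytes"] for f in report.unresolved)
    print(f"unattributed bytes from {len(report.unresolved)} flow(s): {unattributed}")
```

Running it shows alice pushed over the quota by her two flows, bob well under it and downgraded to the restricted group because his laptop is on the WLAN, and the largest consumer of all (the personal phone) charged to nobody, which is exactly the accounting hole the question describes.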
