>I wonder if the University of Minnesota NTS department has published
>their authentication software yet.  At the U, every student, faculty and
>staff member receives X.500 accounts with which they can authenticate via
>a web interface or system logins (UNIX).  The NTS department uses the
>X.500 accounts to authenticate wireless users by tying in the DHCP
>subnet with DNS forwarding and/or iptables/ipchains filtering. 
>
>The user then goes to the website to authenticate.  When the
>authentication is approved, the controlling daemon opens up the firewall
>and routing rules for the DHCP IP address associated with that person.
>It's pretty slick.

Or, you could go with my new favorite toy, the NetScreen 5xp firewall.  It's
$495, and it supports authentication against LDAP, RADIUS, or an internal
database.  With LDAP or RADIUS, you could authenticate against a Windows
domain very easily by running IAS on your domain controller.  When a user
tries to go anywhere via http, telnet, or ssh, the NetScreen will intercept
it and bring up an authentication prompt (web page for http, command line
for telnet or ssh).  Once the user authenticates, their request is forwarded
and allowed back through.  You can set the length of time for their session.
I'm not sure if the session is based on IP or MAC address, but it works
sweet.

Jay
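
The bookkeeping a controlling daemon of the kind described in the quoted message needs, as an added example (not the University of Minnesota's software and not NetScreen's behaviour). It ties each opened rule to both the DHCP address and the MAC, closes it when the session times out, and closes it when the address is leased to a different MAC. The class name, the FORWARD chain and the lease_changed hook are assumptions.

```python
class PortalSessions:
    """Tracks authenticated clients and the iptables rules opened for them."""

    def __init__(self, ttl_seconds, chain="FORWARD"):
        self.ttl = ttl_seconds
        self.chain = chain        # assumed chain name
        self.sessions = {}        # ip -> (mac, user, expires_at)

    def _rule(self, action, ip, mac):
        # Match on source IP *and* MAC, so the rule does not follow the
        # address if DHCP later hands it to another machine.
        return ["iptables", action, self.chain, "-s", ip,
                "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]

    def login(self, user, ip, mac, now):
        """Call after the web login succeeds; returns commands to run."""
        cmds = []
        old = self.sessions.get(ip)
        if old:                   # re-login or stale entry: drop old rule
            cmds.append(self._rule("-D", ip, old[0]))
        self.sessions[ip] = (mac, user, now + self.ttl)
        cmds.append(self._rule("-I", ip, mac))
        return cmds

    def lease_changed(self, ip, new_mac):
        """DHCP gave ip to a different MAC: close the old session."""
        old = self.sessions.get(ip)
        if old and old[0] != new_mac:
            del self.sessions[ip]
            return [self._rule("-D", ip, old[0])]
        return []

    def expire(self, now):
        """Close every session whose time limit has passed."""
        cmds = []
        for ip, (mac, _user, expires_at) in list(self.sessions.items()):
            if expires_at <= now:
                del self.sessions[ip]
                cmds.append(self._rule("-D", ip, mac))
        return cmds


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    portal = PortalSessions(ttl_seconds=600)
    for cmd in portal.login("alice", "10.0.0.5", "00:11:22:33:44:55", now=0):
        print(" ".join(cmd))
    for cmd in portal.expire(now=600):
        print(" ".join(cmd))
```

The methods only return argument lists; a real daemon would pass them to subprocess.run and call expire() from a timer.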