Date: Thu, 8 Sep 2005 17:10:21 -0400
Call me lazy.
We, too, do not use "Allow" but assign everyone to a role. I even have a role
called "Bypass security" that is a simple Allow All. Our switches live in this role.
Our Game Systems role allows all traffic, as long as it's confined to ResNet or
goes off-campus. Game Systems do not need to browse our web, do email, register
for classes, etc. ;-) I don't want to keep up with the various ports used by
the game servers out there.
I don't care if the MAC is a game system or a PC, but most of our students care
about their email, course materials in Blackboard, etc. This appears to have the
desired effect of keeping other types of systems out of the game system role.
--Cal Frye, Network Administrator, Oberlin College
www.ouuf.org, www.calfrye.com
Say Yes Twice for Oberlin Schools! www.oberlinyesyes.com
"When my information changes, I change my opinion. What do you do, Sir?" --
John Maynard Keynes.
Michael Grinnell wrote:
> We created a page for our HelpDesk to use that uses the API to register
> the device. The HelpDesk checks the MAC Address prefix against the OUI
> database to verify that it's not someone's router or PC. The web form
> creates an "allow" filter with a description that includes:
> who registered it
> who it's registered to
> what type of device it is
> the date it was registered.
>
> We've looked at eventually moving these devices from "allowed" to a
> specific role, but we wanted to see what other schools' experiences
> were first.
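
The HelpDesk check described in the quoted message (OUI lookup, then a filter description with the four fields), sketched as an added example that is not part of the original thread or either school's code. The OUI table, its prefixes, the vendor names and all function names are constructed placeholders; a real deployment would load the IEEE OUI registry instead.

```python
import re

# Constructed sample table: placeholder prefixes and vendor classes, not IEEE data.
SAMPLE_OUI = {
    "00DD01": ("Example Console Vendor", "game"),
    "00DD02": ("Example Router Vendor", "router"),
    "00DD03": ("Example PC NIC Vendor", "pc"),
}

def normalize_mac(mac):
    """Accept 00:dd:01:.., 00-DD-01-.., 00dd.0112.3456; return 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check_device(mac, oui_table=SAMPLE_OUI):
    """Return (decision, reason); decision is accept, reject or review."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        # Group (multicast) bit set: never a station's own address.
        return ("reject", "multicast/group address")
    if first_octet & 0x02:
        # Locally administered bit set: the prefix is not a vendor OUI,
        # so the lookup proves nothing and a person should look at it.
        return ("review", "locally administered address")
    entry = oui_table.get(digits[:6])
    if entry is None:
        return ("review", "OUI not in table")
    vendor, kind = entry
    if kind == "game":
        return ("accept", vendor)
    return ("reject", f"{vendor} ({kind})")

def filter_description(registered_by, registered_to, device_type, date):
    """Build the description text carrying the four fields listed in the message."""
    return (f"registered by: {registered_by}; registered to: {registered_to}; "
            f"device: {device_type}; date: {date}")

if __name__ == "__main__":
    for mac in ("00:DD:01:12:34:56", "00dd.0212.3456", "02-00-00-12-34-56"):
        print(mac, check_device(mac))
```

An "accept" result only says the prefix belongs to a console vendor; a MAC address can be set by the client, so the role restrictions described in the reply above still do the enforcing.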