I've been asked to set up access control/filtering on a network that has its own address block (a /24). This is for students who will be connecting to the wireless network. Requirements are as follows.
- Website/category filtering (stop people going on dodgy stuff)
- Outbound port blocking
- Transparent (no need to change router/subnets/etc)
- Captive portal (ideally hooked into AD)
- Logging (at least 1 month).
- Traffic shaping (not essential, but nice)
The client wants the system to be set up so that if they receive a complaint that someone has been accessing illegal material from the network, they can take an IP address and a date (for at least a month ago) and work out who it was. If this can be done from a nice web interface, even better.
We've looked at Untangle, which seemed to be the best bet, but after talking to their support, it seemed to be lacking. It would be good if the system remembered MAC addresses that people logged in from, so they wouldn't have to keep logging in, but Untangle doesn't seem to support this. They also said that the Captive Portal logs weren't kept very long (they couldn't be exact), and that they would be lost when restarting the device. The suggested solution was to copy them off with SSH and read the logs by hand. Not ideal.
Does anyone know of a solution? Untangle sounds like it would make it very hard to actually track down someone who was doing stuff on it more than a few days ago, which isn't really acceptable. Surely someone else has done something like this?
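Whatever product ends up doing the filtering, the "take an IP and a date, work out who it was" requirement comes down to keeping two logs for at least a month and correlating them: DHCP lease assignments (IP to MAC over time) and captive-portal logins (MAC to user over time). The script below is an added example, not part of the original question or of any of the products mentioned; the log line formats and the 12-hour lease length are assumptions, and all log lines are constructed sample data. It answers the attribution question for a given IP and timestamp, refuses to guess when the lease would already have expired, and checks that the retained logs actually reach back far enough to cover the date being asked about (the gap the poster worried about with logs lost on restart).

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample DHCP lease log (assumed dhcpd-like format: timestamp, DHCPACK, IP, MAC).
DHCP_LOG = """\
2024-03-02 08:55:10 DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:01 via eth1
2024-03-02 09:10:42 DHCPACK on 10.20.30.42 to aa:bb:cc:dd:ee:02 via eth1
2024-03-02 17:05:03 DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:03 via eth1
"""

# Constructed sample captive-portal log (assumed format: timestamp, LOGIN, MAC, username).
PORTAL_LOG = """\
2024-03-02 08:56:30 LOGIN mac=aa:bb:cc:dd:ee:01 user=jsmith
2024-03-02 09:11:00 LOGIN mac=aa:bb:cc:dd:ee:02 user=akhan
2024-03-02 17:06:15 LOGIN mac=aa:bb:cc:dd:ee:03 user=lwong
"""

DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")
PORTAL_RE = re.compile(r"^(\S+ \S+) LOGIN mac=([0-9a-fA-F:]{17}) user=(\S+)")

DhcpRecord = Tuple[datetime, str, str]    # (when, ip, mac)
PortalRecord = Tuple[datetime, str, str]  # (when, mac, user)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_dhcp(text: str) -> List[DhcpRecord]:
    """Extract (when, ip, mac) from DHCPACK lines, oldest first; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), m.group(3).lower()))
    return sorted(out)


def parse_portal(text: str) -> List[PortalRecord]:
    """Extract (when, mac, user) from captive-portal LOGIN lines, oldest first."""
    out = []
    for line in text.splitlines():
        m = PORTAL_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2).lower(), m.group(3)))
    return sorted(out)


def logs_cover(dhcp: List[DhcpRecord], portal: List[PortalRecord], at: datetime) -> bool:
    """True only if both logs retain records from before `at`.

    If the oldest retained record is newer than the time in the complaint, an
    empty answer means "logs were lost", not "nobody had that address".
    """
    return bool(dhcp) and bool(portal) and dhcp[0][0] <= at and portal[0][0] <= at


def who_had_ip(ip: str, at: datetime, dhcp: List[DhcpRecord], portal: List[PortalRecord],
               lease: timedelta = timedelta(hours=12)) -> Optional[dict]:
    """Map an IP at a point in time to the MAC that held it and the user logged in on that MAC.

    The most recent DHCPACK for the IP at or before `at` wins; if that lease would
    have expired before `at` (assumed lease length), return None rather than guess.
    """
    acks = [r for r in dhcp if r[1] == ip and r[0] <= at]
    if not acks:
        return None
    lease_start, _, mac = acks[-1]
    if at - lease_start > lease:
        return None
    logins = [r for r in portal if r[1] == mac and r[0] <= at]
    user = logins[-1][2] if logins else None  # MAC seen but never authenticated
    return {"ip": ip, "mac": mac, "user": user, "lease_start": lease_start}


if __name__ == "__main__":
    dhcp, portal = parse_dhcp(DHCP_LOG), parse_portal(PORTAL_LOG)
    when = parse_ts("2024-03-02 12:00:00")
    print("logs cover query time:", logs_cover(dhcp, portal, when))
    print(who_had_ip("10.20.30.41", when, dhcp, portal))
```

The lookup is deliberately conservative: the same address is reassigned to a different MAC later the same day, and a query falls on one side or the other of that reassignment depending only on the timestamp, so clock agreement between the DHCP server and the portal matters as much as the retention period. The `logs_cover` check is what the web interface should surface first, because a lookup that silently returns nothing for a date older than the retained logs is exactly the failure the poster described.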
You could try a content filter from Smoothwall - sounds like it does everything you need tbh - content filtering, AD integration with web portal login, firewall for port blocking... Certainly worth talking over your requirements with them, it is a commercial product, probably a bit more expensive than untangle, but the support is on a professional footing. [Bias warning: I work for Smoothwall]
You might take a look at ForeScout, but it'll probably cost a little more than Untangle. The ForeScout product is mainly a NAC, but it can be configured to meet the requirements that you described.
We are implementing Untangle, but using a custom page for login. This allows me to manage users and whatnot through a custom system, all without breaking future support in Untangle. Basically, Untangle only supports sessions with a max of 24 hours. When they log in, a script on a different server adds them to a different DHCP pool, which is set to pass-through.
Not exactly the most secure method in the world, but for us, it is fine.
You should take a look at PacketFence. I implemented it a couple of years back for a university and it did the job.