It's scary to think that it's November already! For our team, that means the Christmas rush is little more than 6 weeks away. 6 weeks to order (and get delivered) all new equipment ready for rolling out in January, ready for the new school year in February.
Since my last post, there have been some positives as far as the budget is concerned. Apple decided to drop the price of MacBook Pros by about $400 each...meaning we can fit all our purchases into the nominal capital budget. At a meeting with Apple reps on Thursday, we have also found out that Apple is offering a 4th year of warranty...looks like they're starting to take notice of what their customers are saying (finally)!!
Plans are underway for the wireless network upgrade (sort of!). Just waiting on final quotes from the electricians (who are installing the Cat-6 outlets for new WAPs) and from HP (who are doing the implementation). I still need to check the calendar to find out when students finish for the year, so I can plan the de-commissioning of the current WAPs, and get the cablers in. Hopefully all cabling can be completed before Christmas, so we can get into the wireless implementation first week back in January.
Sometime before the wireless network upgrade, I need to extract the digit and get MAC address authentication (with dynamic VLAN assignment) working on our network switches. Hmmm...might need to install Windows Server 2003 on a "spare" box during this week.
Migration to Google Mail / Apps is progressing...albeit slowly. Currently testing whether we can use our existing authentication directory (Open Directory) to provision our Google Apps domain. Hope to test this in the next day or two...if all goes well, a migration to Google Apps may be only a week or two away.
Print cost recovery system testing is going well. We're currently testing in one of our labs...so far, so good. Some minor issues, but hopefully Stan (my technician who's doing the testing) will get those resolved.
Upgrade to the Learning Management System hasn't really progressed. Studywiz people are not particularly quick at responding to questions...maybe purchasing "upgraded" levels of support will fix this!? I hope so, because we can't increase our reliance on the product if the current levels of "support" continue!
At different times over the last couple of years, we have spoken about digital video delivery for staff and students. A very popular product among schools is ClickView, which we had seriously considered implementing. However, the lack of support became a serious issue before the project even got off the ground. Since then, we have had brief investigations of QuickTime Streaming server, and using our own PVRs to record free-to-air TV. However, the lack of Mac compatibility with the PVRs made the job too difficult.
However, we have discovered a new Topfield "Masterpiece" PVR, which gives us the Macintosh connectivity we've been craving. So, using a Mac, we can download recordings from the PVR, do basic editing (cut the ads out!), and then export the recording to a QuickTime Streaming server. An added bonus is that the PVR will accept composite inputs, meaning we can also record from Austar, VHS or DVD (subject to copyright restrictions, of course!). A further added bonus is that using the QuickTime server, we can "catalog" the videos in the Library system, complete with URL. Therefore, anybody searching a topic on the library catalog can simply click a web link to view the video.
Seems a bit strange that we keep making more work for ourselves...I suppose that's what happens when you're continually trying to improve the quality of service! :)
Saturday, October 31, 2009
Sunday, October 18, 2009
2010 Budget
2010 budget submissions are now complete. As I thought, it has become unaffordable for the College to continue on the 3-year replacement cycle for student computers. With the chances of getting an increased IT capital budget at zero, our only option was to keep student computers for a 4th year. However, I did manage to convince the powers-that-be that in order to revert to a 4-year life cycle, we would need to:
a) keep 5% of spare desktops (7 in total for 2010) in case computers break down
b) replace batteries in 3-year old student laptops
c) keep 10% spare student laptops in case of breakdowns
Even with the keeping of student computers for a 4th year, we are still about $50,000 over the nominal budget figure indicated by the Business Manager. So we have to hope that:
a) Apple give us a good discount on about 80 staff laptops
b) We can get more money out of the College, or
c) We have to cut some things from the budget
I have to compile a "shopping list" to send to Apple, in the hope of meeting option (a). Options (b) and (c) are largely in the hands of the Business Manager.
There are a couple of other projects that we are investigating / beginning to implement:
1) Print Cost Recovery.
Our current system sees students print to a laser printer in each computer lab (unrestricted), while all student desktops can print to our Colour Laser - which requires IT staff to enter an admin password on the client computer. Whilst technically, this system has served us pretty well, there is a lot of wasted paper in the b/w lasers in each lab, and typing the password for the Colour Laser can take quite a bit of time, especially during periods of heavy use.
To change all this, we're looking at installing PaperCut. This means that we should be able to give students access to all printers (including the Colour Laser), but "charge" them a cost per page. We would give students an allowance for printing each year...once they've used up their credit, they can purchase more from the Accounts Office. In theory, this should make students somewhat accountable for their printing, and enable us to recover some of the costs of student printing. Time will tell...
2) Move to Google Mail (and Apps)
Ever since we upgraded our Email server to Mac OS X 10.5 (Leopard) Server (a change that was forced on us by the purchase of new hardware) our server has been unreliable. Almost every day of late, we have to restart the mail server because of corrupted accounts or "zombie" server processes. We looked at other solutions (such as Kerio Mail), but at about $32,000 they were a bit out of our reach.
Then, thanks to St Brendan-Shaw College (Devonport), we discovered that Google offer free email and apps to Education customers. After a bit of testing, I have recommended that this is the way we should provide email to staff and students. Now I just have to come up with an implementation plan - and time is running out before the end of the year! An added bonus is that the current email server can be re-deployed as a PaperCut print server...win/win!
3) Upgraded Learning Management System
Currently, our LMS (Studywiz) will support up to 800 client connections. Thanks to the DER, we can expect more than 1100 computers on campus in the next couple of years. Therefore, we plan to use some of our "on cost" funding to purchase additional servers for Studywiz, to the point where we will have separate Web, Application and Database servers (all 3 roles are performed by one box currently).
Doing this should also give us some additional advantages...currently, our Head of eLearning wants the Studywiz server to directly connect to our Student Records database to get updated data on students, teachers and subjects. Not a good idea, in my opinion, for a server accessible to the entire Internet to have access to our Student Records database. Under our new Studywiz architecture though, I should be able to host the Studywiz database server inside the network, from where it can (securely) connect to our Student Records database. Fingers crossed that this is how it pans out.
Of course, to cope with Google Apps usage, and to enable students to access Studywiz from home, we will need to improve our Internet connection speed. Getting pricing out of Telstra is like pulling teeth, so I don't think we'll be looking at anything faster than our current ADSL2 connection (10Mbit/1Mbit)...the pricing will be waaaaaay out of our league. Instead, we'll possibly be looking at aggregating several ADSL2 links to deliver higher bandwidth, at a fraction of the cost. A further advantage of this scenario is that if we use different ISPs for our aggregated links, an outage of 1 ISP will not kill our connection entirely. This plan is still in its very early stages...so watch this space.
Saturday, October 17, 2009
Friday, October 2, 2009
A change of direction...who would have thought!?
Quite a bit has changed since my last post, but I shouldn't be surprised, since I was responsible for most of it! It turns out that our "planned" direction of giving students laptops was financially flawed, even though Mr Rudd and his mates are throwing truckloads of cash at us (the Digital Education Revolution). I tried explaining the following scenario to the ICT Oversight Committee, but don't know if all members fully got it...perhaps my delivery was flawed. I hope that writing it down here will make more sense:
Our current enrollment projections tell us that we will have 935 students in years 9-12 (in 2013). Under DER funding, the Govt will fund 70% of the cost of computers for these students (at $1000 per unit)...a total of approximately $163K per year (based on a 4 year life cycle - which I HATE btw, but that's a topic for another post!!)
However, our plan was to provide laptops for year 9s, which they would then keep until the end of year 12 (4 years). Of our 935 students, 265 of them would be in year 9 each year, meaning the purchase of 265 computers every year. Even at $1000 per unit, this means a shortfall of $102,000 each year ($265K for laptops, $163K funded by DER). But, when one considers the machines we are purchasing are more expensive than $1000, it becomes more expensive: 265 computers @ $1199 = $317K in approximate numbers. After the Government's contribution, we are left with a shortfall of $154K every year. Given a nominal IT budget of $300K every year (for maintaining everything else: desktops, staff laptops, servers, networking, printers, etc) this is a big chunk of money to find every year!
So, armed with this information (or something very much like it) I managed to convince the Oversight Committee that their 1:1 dream was not sustainable financially. Instead, we have settled on a plan to provide more "laptop cabinets" to achieve our targeted 1:1 student to computer ratio.
Our first DER progress report has now been completed, and an Implementation Plan based on this scenario has been submitted to DEEWR. Now we have some "on cost" money to be spent...for us, this means:
1) Complete wireless network rollout for the entire College
2) Purchase additional servers for our Studywiz Learning Management System
3) Purchase about 30 - 40 data projectors for classrooms
4) Purchasing software for our extra laptops
Interesting to note that even though we're adding 162 more computers (with the 178 we rolled out in March), we have no plans for additional IT support staff - we think we can cope just fine with the staff we have. The only additional help will be a "lackey" to carry laptops back to the IT Centre for re-imaging during the holidays. If we had gone with the "give laptops to kids" rollout model, I wonder how many extra staff would have been required?
So, now I have an IT Budget submission to get done by next Wednesday. Thanks to the Govt's 4-year life cycle, looks like we have to ditch our current 3-year turnaround plan - particularly for student machines. Hopefully I can convince the powers-that-be to give us an upgraded maintenance budget to cope with the computers that will now be out of warranty.
Well, best get back to it before the boss finds out that I'm working on the weekend!!
Friday, August 28, 2009
The Digital Education Revolution and other ramblings
For some reason, I haven't had time to write much lately. I put this down to the amount of work I have on at the moment. This is largely due to the Federal Government's Digital Education Revolution. I heard an interesting nickname for this a couple of months ago: "Manna from Kevin". Quite amusing! :)
I have managed to clean up a few things. Firstly, I think I solved my "Dodgy Database" issue. After restoring a "known good" copy of the database, we were still having "weird" issues. By chance, on a call to FileMaker tech support for a totally unrelated issue, I found out that FileMaker 8.0 is *not* compatible with Mac OS X 10.5 Leopard. Therefore, an upgrade of affected computers to FileMaker 8.5 seems to have sorted the problem (and thankfully we had enough licences to cover this!)
The new AUP for staff has caused quite a stir. Many staff are concerned about privacy, thinking that the IT Department is just Big Brother, and will look at their private banking details, emails from their wives, etc. No matter how much you explain that we can only monitor on the authorisation of the Principal (based on reasonable suspicion), and we can only monitor / audit to (a) restore systems to normal operation, or (b) ensure compliance with the Policy, some people still don't get it. Are we being too unreasonable? I certainly don't think so, and there's nothing in the Policy that bothers me personally...still, you can't please everybody all the time!
At St Patrick's, we had our "planning meeting" on Thursday to decide what we're doing with all the money that Kevin and his mates want to throw at us. We have to reach a student:computer ratio of 1:1 for grades 9-12 by 31 December 2011. Bearing this in mind, the ICT Oversight Committee has decided that beginning in 2011:
1) All Year 9 students will be issued a laptop. This laptop will remain in their "home" classroom in the Year 9 campus (yes, we're getting a special, new Year 9 facility in 2011, but that's a whole other story). The laptop will still be considered that student's own computer, and they'll be expected to look after it.
2) When a student moves into the Senior School (years 10, 11 and 12), they will take their "Year 9" laptop with them...only difference is now they will be able to take it home if they wish.
3) Year 7 and 8 students will be required to purchase an iPod Touch, with which they can access the Internet, our Learning Management System, etc. There are no doubt plenty of other applications for these (a graphics calculator is one that I found the other day - in 30 seconds!) that can be of use in many curriculum areas. For times that the iPod is not sufficient, we'll still provide some computer labs and laptops for students to use.
We still have to manage some side issues...like when our initial Grade 9s get to Grade 11, the Grade 12s that they share classes with will need to be equipped...but hopefully I have a plan that allows this to happen. There will also be lots of hurdles to overcome with this plan, but I have another 12 months to sort most of those out. My immediate future is to plan our implementation (including infrastructure, support staff, all costs) and report back to DEEWR by 23rd September. Something tells me the next few weeks are going to be busy.
The next couple of weeks might be even busier, if I happen to go to Melbourne for an HP ProCurve training course between 8 and 11 September. Not quite sure if I want to go yet, as it will mean being away for our 5th Wedding Anniversary - something I'd rather not miss! On the other hand, if HP are giving me a ~$4000 course for free, I'd be a fool to pass it up.
One last thing....I (finally) have a clean desk! Here's the proof:

I can't take any credit for this masterpiece...my much better half came into the Office on Friday and did this for me (whilst waiting to go to the dentist). I promise I'll try and keep it looking this good!
Right...better go and start planning. Yes, even on a weekend :(
Sunday, July 26, 2009
New AUP for Staff
Over the last 6-9 months, the Human Resource Coordinator and myself have developed a new Acceptable Usage Policy for Staff. The big change in this document is the banning of social networking sites (ie FaceBook, MySpace, Twitter) during work hours. The draft has been circulated to all staff for comment...we'll see what sort of reaction we get.
Other than that, have been doing a lot of database development work. Seems like everyone wants something new / different in the system. Seems like rather than being an IT Manager, I am "simply" a database admin. Let's hope I can get the latest round of changes completed, then maybe people will stay off my back for a little while!
There has been some other interesting stuff going on though. NSSCF dictates that we must move to a 1:1 student:computer ratio by end 2011. This gives us 2 years to plan and implement some kind of 1:1 rollout for 800 students...gonna be a very interesting challenge.
I had a meeting with reps from HP ProCurve last Monday. Unfortunately, we can't get any "trade-in" for our existing wireless infrastructure if we choose to move to HP's newest "MSM" technology. Very disappointing given the amount of money we'd spent only 6 months ago, when we purchased the best equipment available to us. Will have to re-visit the numbers to see how this affects the total cost of completing our wireless rollout.
Sunday, July 5, 2009
Dodgy databases?
Hmmm...looks like I have a database problem. In our student records database (FileMaker) the Absence data is displaying "weirdly". 2 users in Admin are seeing different database records (related to the same student). I've also had reports of other "dodgy" behaviour relating to absences. So, it looks like my absence table is corrupt.
The fix? Well, first I take a "known good" copy of the database file (from an earlier backup). Then I'll need to export the records from the old file, and import into my "new" file. Finally, stop the database server, replace the file and re-start the server. I should be doing this now (8:00pm Sunday), but for some reason I cannot be bothered. Hmm...might do it after I've made myself a nice cup of tea!
Fingers crossed that this works!
NAC Next on the List
Now that 802.1x is up and running, and the policy stuff is starting to come together, I want to turn my attention to Network Access Control (NAC). The main reason for this is that I don't want any privately-owned computers connecting via an ethernet cable, giving themselves an IP address, and causing havoc on the network.
Basically, my plan is to use MAC address authentication, and to dynamically assign computers to VLANs based on their MAC address. College-owned computers will be placed in the appropriate VLAN (IT Staff, Administration, Staff and Student) wherever on campus they are plugged in to the network. Unknown computers (ie, those NOT owned by the College) will be dumped into a VLAN that allows them to go nowhere...regardless of what IP settings they give themselves.
Advantages of this are twofold:
1) Privately-owned computers cannot "steal" the IP address of any other network device. Currently, there is a potential for disaster if a student plugs in their computer and gives themselves the IP address of one of our servers, for instance.
2) When we move computers, they will automatically connect to the correct VLAN - giving us more flexibility in deployment, and less configuring of edge switch ports as computers are added / moved.
Apparently, I can do all this using FreeRADIUS. I shouldn't have the same problems with NAC that I had with 802.1x, since I'm not interrogating an OS X LDAP database for users...I can create a local database of MAC addresses which the RADIUS server will look to for NAC authentication.
I need to do some more reading...but I hope I can get this working soon. Will keep you posted! :)
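The decision the RADIUS server has to make for every switch port, modelled as a stand-alone Python script. This is an added example, not code from the blog or from FreeRADIUS: the VLAN names follow the post, but the VLAN IDs, the MAC inventory and the sample requests are constructed. The only real identifiers are the RFC 3580 attribute values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-Id = VLAN number) that a switch expects in the Access-Accept. Two points the post leaves implicit are made explicit here: switches send the Calling-Station-Id in different spellings, so lookups must go through one canonical form or College machines quietly end up in quarantine; and the policy is default-deny, with the quarantined list kept for review, because a MAC address identifies hardware, not a person, and is trivially changed by whoever controls the host. Managed machines are still better served by the 802.1x the post already has.

```python
"""MAC-based VLAN assignment policy (added example; constructed data).

Models what a RADIUS server decides per port: known College MAC -> its VLAN,
everything else -> a dead-end quarantine VLAN.
"""
import re
from collections import Counter

# RFC 3580 attribute values carried in the Access-Accept so the switch
# moves the port into a VLAN.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Assumed VLAN plan: names as in the post, IDs made up for this example.
VLAN_IDS = {
    "it-staff": 10,
    "administration": 20,
    "staff": 30,
    "student": 40,
    "quarantine": 999,  # goes nowhere, whatever IP the host gives itself
}

# Constructed inventory of College-owned MACs (the post's "local database
# of MAC addresses"); keys are always the canonical 12-hex-digit form.
KNOWN_MACS = {
    "001122334455": "it-staff",
    "0016cb0a0b0c": "administration",
    "00aabbccddee": "staff",
    "0021e9aabbcc": "student",
}

_SEPARATORS = re.compile(r"[-:.]")


def normalize_mac(calling_station_id):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one.

    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 and
    001122334455; anything else (including non-strings) is rejected so a
    malformed value can never accidentally match an inventory entry.
    """
    if not isinstance(calling_station_id, str):
        return None
    mac = _SEPARATORS.sub("", calling_station_id.strip()).lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None


def authorize(calling_station_id, inventory=KNOWN_MACS):
    """Decide the VLAN for one request and build the reply attributes.

    Default-deny: an unknown or malformed MAC lands in quarantine.
    """
    mac = normalize_mac(calling_station_id)
    vlan_name = inventory.get(mac, "quarantine") if mac else "quarantine"
    return {
        "vlan": vlan_name,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(VLAN_IDS[vlan_name]),
    }


def summarize(requests, inventory=KNOWN_MACS):
    """Tally a batch of requests per VLAN and list what was quarantined,
    so the IT office can see which unknown hardware was plugged in."""
    per_vlan = Counter()
    quarantined = []
    for station_id in requests:
        decision = authorize(station_id, inventory)
        per_vlan[decision["vlan"]] += 1
        if decision["vlan"] == "quarantine":
            quarantined.append(station_id)
    return per_vlan, quarantined


if __name__ == "__main__":
    # Constructed Calling-Station-Id values as different switches send them.
    sample = [
        "00-11-22-33-44-55",   # it-staff, dash form
        "0016.cb0a.0b0c",      # administration, dotted form
        "00:AA:BB:CC:DD:EE",   # staff, uppercase colon form
        "0021e9aabbcc",        # student, bare form
        "de:ad:be:ef:00:01",   # not in inventory
        "not-a-mac",           # malformed
    ]
    counts, unknown = summarize(sample)
    for name, n in sorted(counts.items()):
        print(f"{name:15s} {n}")
    print("quarantined:", unknown)
```

In a real FreeRADIUS deployment the inventory would be the `users` file or an SQL table and the switch ports would be configured for MAC authentication; the script only shows the policy logic, so that its behaviour on the awkward inputs (mixed MAC formats, junk values) can be checked before touching the switches.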
Wednesday, June 3, 2009
802.1x finally working!
After 2 days of playing around, trying to get RADIUS talking to our Open Directory server, we have chosen a different tack, and solved the problem using Apple's own RADIUS installation.
The main problem was that Apple's Open Directory doesn't include some standard LDAP attributes (such as memberOf), meaning that we couldn't interrogate a user's LDAP record and determine their group memberships - we want to restrict access to users in the group "wireless". Since I didn't want to alter the structure of Open Directory (Bad Things [TM] might happen), we were almost resigned to the fact that it wouldn't work.
But then, we discovered how to 'tweak' the RADIUS server provided with Mac OS X Server 10.5 "Leopard", create our own SSL certificate, and use Apple's own restrictions to limit access to the RADIUS service...voila! A working 802.1x system. The problem here was that Apple's RADIUS implementation only supports AirPort Base Stations, so we had to implement some workarounds to get it working with our HP ProCurve wireless controllers.
This command was useful for generating the DH Parameter file for TLS: "openssl dhparam -check -text -5 2048 -out dh", while this link was handy for getting RADIUS working correctly: http://www.macosxhints.com/article.php?story=20071130134610850
Only things remaining to do are look at restricting the times of day that students can use the new WLAN, and to come up with an Application form to join the network, and a "howto" to show students how to connect to the network. We may also have to look at a Proxy Auto-Config so students get the correct web proxy settings at home and at school.
Sunday, May 31, 2009
RADIUS authentication of Wireless clients
This week, I have Shane Harris from HP's Network Solutions Group visiting the College to set up RADIUS authentication for a new WLAN. This will allow students to bring their own computers to the College and connect to the Internet.
I think we need to consider the following:
1) New SSID for privately owned student laptops
2) Configure RADIUS authentication on new SSID
3) New DHCP scope for the new subnet
4) Access Control List to define what they can/can't connect to
5) New user group in Open Directory for users of these laptops
Once installed, we may consider extending this to other WLANs, or possibly to VPN access, or even wired LAN access.
On Monday I'll be a little behind the 8-ball. I only found out after leaving work on Friday that HP were coming this week....haven't got Linux and FreeRADIUS installed on the server yet...will have to get to that early Monday morning.
TISIT Meeting 27 May 2009
On Wednesday we had our annual gathering of TISIT (Tas Independent Schools IT) at Scotch Oakburn College. Our membership seems to be getting stronger each year, and this year (for the first time) we had sponsors giving presentations, providing lunch and supplying a "lucky door prize".
Sponsors this year were HP ProCurve Networking and ComputerCorp. These sponsors, along with our own members, gave several informative presentations during the day. Things of particular interest to me were:
1) Cloud filtering of email. A couple of schools conveyed their experience with "outsourcing" their email to staff and students. Given the mail issues we've been experiencing, may be worth looking at Google Mail for our situation.
2) Universal Threat Management (UTM) solution. Given that we aren't particularly happy with our content filtering (proxy) solution, a Fortigate appliance could be the way to go. Will need to investigate further, particularly with Open Directory authentication. Could be a real bonus for users, as no proxy config will be required on client machines.
3) HP ProCurve product roadmap. On the downside, our current WESM wireless solution is unlikely to support 802.11n, and to move to this technology we'll need to "upgrade" to a Colubris wireless solution. However, I have it on reasonable authority that HP will allow us a "trade-in" of our existing solution once 802.11n is ratified. On the upside, it looks like HP ProCurve's ONE (Open Network Environment?) means that an Avaya VOIP solution (for instance) may just be a module that plugs into our core switch...will need further investigation, but I am quite excited by this news.
Spoke to some other members about formalising TISIT, and looks like we'll pursue this in the future, so that we become a recognised professional body.
Saturday, May 23, 2009
Email server re-installation
At the beginning of 2009, we migrated our Mac OS X Mail Server to new hardware and new OS (Leopard). Since then, there have been several issues with user email accounts, which we suspected were to do with a corrupt mail database. Therefore, we informed users that we were going to completely format the mail server and re-install.
The install went as well as can be expected. 3 hours after taking a "just in case" backup, we had mail services returning to normal. Now, to sit back and wait for the complaints from users that "my Webmail has been deleted". That'll serve them right for not paying attention to the 10+ warnings they've had over the past two weeks!
If we still have Mail problems, I'll be seriously thinking about ditching Mac OS X Server as a suitable platform for mail...who knows, we might even end up with Exchange one day!