FireRack End-User Self-Registration System
This is an extension to the Host Registration system that runs as a module on the FireRack Management Server (FMS). Its purpose is to provide a mechanism by which end users can register their own computers on the network and get online with little or no intervention by the network administrator. The user must authenticate to do this; having done so, they can view the current host registrations assigned to them and set or update the MAC addresses for those registrations.
It also provides a mechanism by which they can apply online to have their computers registered on the network. Such applications are subject to review and IP address assignment by the firewall administrator.
The module is intended as a straightforward front end for end users in a medium to large organisation. Netservers staff can re-brand the front end to suit the organisation and provide user authentication against a variety of existing systems.
MAC address detection
The front-end interface is intended to be accessed directly over HTTPS by the end user from the computer they wish to register, although this computer need not have the correct IP address configured. The FMS determines the MAC address of the computer by taking the source IP address of the HTTPS connection and doing a live query to the FireRack, which determines the corresponding MAC address from ARP. Note that for this to work correctly the HTTPS connections must go via the FireRack in question and must not be proxied or SNAT'd, since the FireRack would then see the intermediary's address rather than the user's computer.
If the switch management module is also available with Host Tracking enabled, the module will also attempt to identify the ethernet port and location from which the computer is connecting. It does this by searching for recent activity from the MAC address in the Host Tracking database. If it is able to identify a unique port then the identity of this port and the location to which it is attached is recorded along with the application.
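The two lookups described above, as an added illustration that is not FireRack's own code: the ARP lookup refuses to answer when the connection's source address belongs to a proxy or SNAT device, and the Host Tracking search records a port only when recent activity points at exactly one. The ARP table, intermediary address list, Host Tracking records and the 10-minute recency window are all constructed assumptions.

```python
import ipaddress

# Constructed sample data, not FireRack's real ARP or Host Tracking formats.
ARP_TABLE = {
    "10.255.0.23": "00:11:22:33:44:55",
    "10.255.0.24": "66:77:88:99:aa:bb",
}
# Addresses of devices that terminate or rewrite client connections (a proxy
# or SNAT gateway): an HTTPS connection arriving from one of these cannot be
# mapped back to the user's computer, so detection refuses rather than guesses.
INTERMEDIARY_ADDRS = {"10.0.0.2"}

HOST_TRACKING = [
    # (mac, switch, port, location, last seen as epoch seconds)
    ("00:11:22:33:44:55", "sw-lab1", "Gi1/0/7", "Lab 1 desk 7", 1_700_000_000),
    ("00:11:22:33:44:55", "sw-lab1", "Gi1/0/7", "Lab 1 desk 7", 1_700_000_300),
    ("66:77:88:99:aa:bb", "sw-lib", "Gi1/0/2", "Library desk 2", 1_700_000_100),
    ("66:77:88:99:aa:bb", "sw-lib", "Gi1/0/9", "Library desk 9", 1_700_000_200),
]

def detect_mac(src_ip, arp_table=ARP_TABLE, intermediaries=INTERMEDIARY_ADDRS):
    """MAC behind an HTTPS connection's source IP, looked up in the FireRack's
    ARP view; None when unknown or when the source is an intermediary."""
    ipaddress.ip_address(src_ip)  # reject malformed input early
    if src_ip in intermediaries:
        return None
    return arp_table.get(src_ip)

def locate_port(mac, now, window=600, tracking=HOST_TRACKING):
    """(switch, port, location) if recent Host Tracking activity for the MAC
    points at exactly one port; None when there is none or it is ambiguous."""
    ports = {(sw, port, loc) for m, sw, port, loc, seen in tracking
             if m == mac and now - seen <= window}
    return ports.pop() if len(ports) == 1 else None

def identify_client(src_ip, now):
    """What gets recorded with an application: the MAC, plus the port when unique."""
    mac = detect_mac(src_ip)
    if mac is None:
        return None
    return {"mac": mac, "port": locate_port(mac, now)}
```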
Automatic host registration
It is intended that the module is used in the following scenario. On the LAN interface of the FireRack, a special zone for unregistered hosts is created, with the DHCP server offering short-term leases from an RFC 1918 private address space. Alongside it are one or more zones for registered hosts, which offer no dynamic DHCP range and disallow unregistered hosts.
The unregistered hosts zone should be configured to only allow connections to the DNS server on the FireRack and to the HTTPS auto-registration front end on the FMS. All HTTP and HTTP proxy connections may be DNAT'd into a special HTTP server running on the FMS that redirects any request to the HTTPS front end, regardless of what web site the user was trying to access.
Therefore, when a new computer is connected to the network, assuming it is configured to use DHCP (the default on most systems), it will automatically be given a temporary address in the unregistered hosts zone. When the user attempts to access any web site they will end up on the self-registration site and be prompted for their login credentials. If their computer has been pre-registered on the system without a MAC address, or with an incorrect MAC address, they can update it immediately and need only renew their DHCP lease once the new configuration has been pushed to the FireRack. Otherwise, they may apply to be registered and must wait for the administrator to approve the application. They can return to the HTTPS site later to view its progress.
When the MAC address of a host changes, due to a replaced Ethernet interface for example, then with a fixed IP configuration the host would be completely blocked from the network. With DHCP, however, in failing to recognise the new MAC address the FireRack would allocate a temporary IP address in the unregistered host zone, allowing the user to access the auto-registration site and easily update their registered MAC address.
It is hence strongly recommended that a policy of using DHCP configuration for all hosts be adopted. Where it is infeasible to change all pre-existing computers to this configuration, some steps can be taken to help such computers reach the registration server. Registration records should be created for these hosts without specifying the MAC address. The zone(s) for registered hosts should not use automatic MAC Address Validation, but should instead have filtering rules that allow access to the registration server, placed before an explicit MAC Address Validation rule that blocks all other traffic from the host.
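The registration flow of this section, modelled as an added example that is not FireRack's own code or schema: the DHCP decision (known MAC gets its fixed address, anything else a short-term lease in the unregistered zone), the authenticated user's MAC update limited to hosts they own, the pending application, and the administrator's approval step. The record layout, the 10.255.0.0/24 lease range and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample records; not FireRack's own schema or API.
@dataclass
class Registration:
    hostname: str
    owner: str
    ip: str                    # fixed address in a registered-hosts zone
    mac: Optional[str] = None  # None: pre-registered without a MAC

UNREGISTERED_POOL = ipaddress.ip_network("10.255.0.0/24")  # short-term leases, RFC 1918 space

def dhcp_offer(mac, registrations, leases):
    """Registered MAC: its fixed address. Any other MAC: a temporary lease in the unregistered zone."""
    mac = mac.lower()
    for reg in registrations:
        if reg.mac and reg.mac.lower() == mac:
            return reg.ip, "registered"
    if mac not in leases:
        used = set(leases.values())
        leases[mac] = next(str(h) for h in UNREGISTERED_POOL.hosts() if str(h) not in used)
    return leases[mac], "unregistered"

def update_mac(user, hostname, detected_mac, registrations):
    """Authenticated user sets or corrects the MAC of a host they own; others are never touched."""
    for reg in registrations:
        if reg.hostname == hostname and reg.owner == user:
            reg.mac = detected_mac.lower()
            return True
    return False

def apply_for_registration(user, detected_mac, applications):
    """Open a pending application (a dict) unless the user already has one for this MAC."""
    mac = detected_mac.lower()
    for app in applications:
        if app["owner"] == user and app["mac"] == mac and app["status"] == "pending":
            return app
    app = {"owner": user, "mac": mac, "status": "pending"}
    applications.append(app)
    return app

def approve(app, hostname, ip, registrations):
    """Administrator step: assign an IP and turn the application into a registration."""
    ipaddress.ip_address(ip)  # reject malformed input
    registrations.append(Registration(hostname, app["owner"], ip, app["mac"]))
    app["status"] = "approved"
```

After `update_mac` or `approve` the host still holds its temporary lease; as the text says, it gets its registered address only on the next DHCP renewal, which `dhcp_offer` models.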
Self-service Traffic Accounting and Audit Logs
An additional feature of the self-registration web service is that it allows end users to view traffic accounting and auditing information relating to their own registered computers. The traffic accounting data can provide summaries of traffic volume over rolling 24 hour, 7 day, 30 day and 1 year periods for each IP address, and allows the user to view graphs of their network activity. They can also view the argus traffic flow audit logs for all activity involving their own IP addresses.
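The two self-service views above, as an added example that is not FireRack's own code: the audit-log view is restricted to flows that have one of the user's own registered IPs as source or destination, and the accounting view sums bytes over the four rolling windows ending at the time of the query. The flow records are constructed in an argus-like shape, not argus's real output format.

```python
from datetime import datetime, timedelta, timezone

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample flow records: (start time, source ip, destination ip, total bytes).
FLOWS = [
    (utc(2024, 3, 1, 9, 0), "192.168.10.20", "203.0.113.5", 120_000),
    (utc(2024, 3, 1, 9, 5), "203.0.113.5", "192.168.10.20", 4_000_000),
    (utc(2024, 2, 27, 12, 0), "192.168.10.20", "198.51.100.9", 900_000),
    (utc(2024, 1, 20, 8, 0), "192.168.10.20", "198.51.100.9", 50_000_000),
    (utc(2024, 3, 1, 9, 7), "192.168.10.21", "203.0.113.5", 777_000),  # another user's host
]

WINDOWS = {"24h": timedelta(hours=24), "7d": timedelta(days=7),
           "30d": timedelta(days=30), "1y": timedelta(days=365)}

def own_flows(user_ips, flows):
    """Audit-log view: only flows with one of the user's own IPs as source or destination."""
    return [f for f in flows if f[1] in user_ips or f[2] in user_ips]

def rolling_totals(ip, flows, now):
    """Bytes in either direction involving `ip` within each rolling window ending at `now`."""
    return {name: sum(b for start, src, dst, b in flows
                      if ip in (src, dst) and now - span <= start <= now)
            for name, span in WINDOWS.items()}

def user_report(user_ips, flows, now):
    """Per-IP rolling summaries computed only over the user's own flows."""
    mine = own_flows(user_ips, flows)
    return {ip: rolling_totals(ip, mine, now) for ip in user_ips}
```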