I have this idea, ok? What I noticed while migrating some of the users from the Admissions Department at the University for which I work, was that it was tough to explain to them sufficiently that:
- Their passwords are going to have to change at some point, due to security policy.
- When they change it on their desktop, it’s not automatically done on their laptop.
- After changing the desktop password, they need to connect the laptop to the network and then login with that new password for it to be cached.
Now, it’s easy to write out, and easy for a tech to understand the scenario – but it’s not that easy for a 45yr old Hispanic guy who hates his laptop anyway to grasp. But what if they didn’t have to grasp anything? What if no matter where you were, the login process and the features available were as seamless in Wisconsin as if you were sitting at your desk in Texas?
What I’m proposing is this:
- Internet is gained through the use of a mobile AirCard, that is set to automatically connect once plugged in. If no AirCard, some other form of high-speed internet would suffice, and possibly be preferred.
- Use OpenVPN as a system service that runs when Windows boots. It makes its connection to the Main Network with a PSK (pre-shared key), authenticates, and then routes all internet and network traffic through that connection.
- A Windows or Linux client that has been previously joined to the Active Directory Domain on campus.
Upon boot, the computer connects to the internet, and then sets up the VPN connection to the main campus. This is done as a Windows or Linux service. When the login prompt appears, the user enters their most recent credentials for the main campus, and logs in. These credentials are then passed through the secured VPN to the main campus, authenticated against LDAP or AD, and their group policies, logon scripts, and other drive mappings are passed back down to the client. After the personal settings have loaded, their laptop experience is just as it would be if they were on the main campus LAN – but all their traffic is secured, and over a WAN.
Can it be done? Has it been done? Is there a step I’m missing – or some important brick preventing it?
Blogged with Flock