Linux – Integration of Active Directory, Squid and traffic shaper (like MikroTik)

Tags: active-directory, linux, mikrotik, squid, windows

We have a large network in our university with about 10000 users. We have AD and want to use a Squid server for caching and NTLM authentication. We also have a 40 Mbit/s Internet connection, which we are going to share.

In AD we have OUs for students, teachers, and so on, and every group should get its appropriate Internet speed. I know we should use a traffic shaper to share the Internet connection in the best way.

The first question is: which traffic shaper is suitable for use (on Linux)? Can we use a MikroTik?

The second is: can we use Squid authentication to identify users and their OU from AD, then give them their Internet speed from the traffic shaper (and if so, how)?

The third is: is there any other solution to this problem? (The problem: using AD in the best way to share the Internet connection.)

Best Answer

The easy answer is to use something like 802.1X.

If you've got a totally blank slate, you then go buy Enterasys switches, which can apply policies to users based on 802.1X RADIUS responses. Faculty would get unlimited bandwidth, students would get 50k/sec to the Internet but unlimited to the local network, etc.

If you've got an existing network (and you're not using Enterasys switches), you would then put different classes of users into different subnets, and apply your traffic shaping at the border using FreeBSD and PF, or Linux's traffic shaping, based on those subnets. Any given existing subnet would be split into 2-4 subnets, each with a different policy. It'd be a hassle to deploy, but not absurdly hard.

In another life, I set up a firewall for our campus wireless network that set up a captive portal and authenticated users against an LDAP database. It would have been pretty easy to apply different traffic shaping policies based on user attributes. Setting this up was far from trivial, though, and I wouldn't suggest it as a solution these days.

I'm sure other people have other ways of solving this problem, and mine may well be more complex and not as reliable as those other ways.
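The "split users into subnets and shape at the border" approach from the answer, as an added example that is not part of the original post or answer: a POSIX shell script that builds a Linux HTB hierarchy with tc. The interface name, the 10.x subnets, the LAN link rate and the choice of 400 kbit/s for the answer's "50k/sec" are all assumptions for illustration. Two practitioner details the answer leaves implicit are shown: tc shapes egress only, so the classes hang off the LAN-facing interface and match on the destination subnet (that is what caps downloads), and the local-source filter must be evaluated before the student-destination filter, or students' traffic to campus servers gets capped as well. `classify` mirrors that filter order in userspace so the rule set can be sanity-checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original answer): per-subnet HTB shaping on a
# Linux border router. Interface, subnets and link rate are assumed values.

LAN_IF="${LAN_IF:-eth1}"          # assumed: interface facing the campus subnets
LINK_RATE="${LINK_RATE:-1gbit}"   # assumed: LAN link speed (HTB root rate)
INET_RATE="${INET_RATE:-40mbit}"  # the 40 Mbit/s uplink from the question
LOCAL_NET="10.0.0.0/8"            # assumed: whole campus address space
FACULTY_NET="10.1.0.0/16"         # assumed: faculty subnet
STUDENT_NET="10.2.0.0/16"         # assumed: student subnet
STUDENT_CEIL="400kbit"            # the answer's 50k/sec, read here as 50 kB/s

# run CMD...: execute, or only print the command when DRY_RUN=1 so the
# generated rule set can be reviewed (and tested) without root or a real NIC.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

shape_setup() {
    # Start clean; the delete fails harmlessly when no qdisc exists yet.
    run tc qdisc del dev "$LAN_IF" root 2>/dev/null || true
    # HTB root. Traffic no filter claims lands in 1:40 ("other subnets").
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 40
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$LINK_RATE"
    # 1:10 campus-to-campus traffic: not counted against the Internet uplink.
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate 900mbit ceil "$LINK_RATE"
    # 1:20 faculty: may use the whole uplink.
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate 30mbit ceil "$INET_RATE"
    # 1:30 students: hard cap, rate == ceil so the class can never borrow more.
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:30 htb rate "$STUDENT_CEIL" ceil "$STUDENT_CEIL"
    # 1:40 everything else on the LAN side.
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:40 htb rate 9600kbit ceil "$INET_RATE"
    # Filter order matters: lower prio is evaluated first. The local-source rule
    # must win before the student-destination rule, otherwise a student pulling
    # a file from a campus server would be capped at 400 kbit/s as well.
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip src "$LOCAL_NET" flowid 1:10
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 2 u32 match ip dst "$FACULTY_NET" flowid 1:20
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 2 u32 match ip dst "$STUDENT_NET" flowid 1:30
}

# ip2int A.B.C.D: dotted quad to an integer (POSIX arithmetic, no bashisms).
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: succeeds when IP falls inside CIDR.
in_net() {
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# classify SRC DST: the class the filters above would choose for a packet,
# following the same priority order, so the rules can be checked in userspace.
classify() {
    if in_net "$1" "$LOCAL_NET"; then echo "1:10"
    elif in_net "$2" "$FACULTY_NET"; then echo "1:20"
    elif in_net "$2" "$STUDENT_NET"; then echo "1:30"
    else echo "1:40"
    fi
}

case "${1:-}" in
    apply) shape_setup ;;             # sh shape.sh apply  (needs root)
    show)  DRY_RUN=1; shape_setup ;;  # sh shape.sh show   (print the tc commands only)
esac
```

Run it with `show` first and read the printed tc commands, then with `apply` on the router. Because the classes are keyed on subnets, Squid's NTLM identity never has to reach the shaper; moving a user between speed tiers means moving them between subnets (or VLANs), which is exactly the deployment hassle the answer warns about.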