2.10.6. Classroom extensions

The ClassRoom Extensions (CRE) to the proxy server give you the ability to delegate administrative tasks to non-administrative users through a separate Web Access Management page.

The CRE offers these features:

Full web based access management

Different security levels

Flexible configuration

The CRE creates a new role, between that of Admin and Users: the Supervisor.

The Supervisor can turn on and off web access for predefined groups (e.g. specific computers in a classroom) without the need to have administrative access rights, or knowledge of, the IPCop GUI.

The Web Access Management Interface can be started from any client computer. Open a web browser and enter the URL https://192.168.1.1:8443/cgi-bin/webaccess.cgi (replacing the 192.168.1.1 with the IP Address of your IPCop).

If the Web Access Management Interface has not been enabled by the Admin, you'll see this text: “The management interface has been disabled by the Administrator”.

If the Web Access Management Interface has been enabled, but the Admin has not defined any groups, you will see this text: “There are no access groups available”.

2.10.6.1. Classroom extensions configuration

The classroom extensions are enabled/disabled and configured on the proxy server web page.

After making any changes, remember to press the Save button to apply them.

Classroom extensions configuration

Enabled Check this box to enable the Supervisor Web Access Management Interface.

Supervisor password (optional).  When this password is set, all Supervisor users must enter the password to manage web access. This is optional, but for security reasons, either set a Supervisor password, or define Supervisor IP addresses.

Supervisor IP addresses (one per line) (optional).  This field allows you to define the IP addresses that will be able to manage web access. This is an optional configuration item which can be used to increase security, or to simplify management, if you don't want to configure a Supervisor password.

For example, add these IP addresses, if you want to allow them Supervisor access:

192.168.1.20
192.168.1.30

The highest level of security is achieved when both a Supervisor password is set, and IP restrictions are applied, as described in the CRE security levels section below.

Classroom group definitions Your classroom group definitions are entered in this field. A classroom group definition takes this format:

[groupname]
client MAC address or client IP address or IP range or IP subnet
client MAC address or client IP address or IP range or IP subnet
client MAC address or client IP address or IP range or IP subnet

So, for example, you might have a pair of group definitions like this:

[Example group 1]
192.168.1.11
192.168.1.12
192.168.1.13
[Example group 2]
192.168.1.21-192.168.1.25

Each group has a 'groupname', which must be unique. The groupname is the part of the group definition between the square brackets. The name will appear in the web access management interface.

Each group can have an unlimited number of client definitions. You can use mixed client definitions within a group, but each definition must be in a single line. Here are some examples:

Single host - MAC Address

01:23:45:67:89:0A

Single host - IP Address

192.168.1.11

Host range

192.168.1.21-192.168.1.25

Subnet (netmask notation)

192.168.1.32/255.255.255.240

Subnet (CIDR notation)

192.168.1.32/28

2.10.6.2. CRE security levels

Level 1: No password, no IP address restrictions - no security.  All clients will be able to manage web access without any restriction. This is not recommended for production environments.

Note

Use this for debugging or testing purposes only!

Level 2: Password set, no IP address restrictions - lower security.  All clients will be able to manage web access, but a password will be required to save the changes. This security level is recommended in an environment without special Supervisor computers.

Level 3: No Password, IP restrictions applied - lower security.  All clients listed here will be able to change the web access settings. The clients will be identified by their IP address, a password is not required to save the changes.

Note

If the client IP address is not listed here, the web access management interface will appear in a “view-only” mode.

Level 4: Password set, IP restrictions applied - higher security.  This is the highest security level for the web access management interface. Only the listed clients can change the settings, a password will be required to save the changes.

Note

If the client IP address is not listed here, the web access management interface will appear in a “view-only” mode.