802.1x machine authentication without directory

Posted by michael.owen on October 30, 2006, 4:15 pm
Hi all,

I've been looking into a small-scale 802.1x rollout, and have encountered
something of a problem. The systems on the network I'd be NAC-ing are XP
boxes which are members of an NT4 domain, with all users authenticated at the
domain level. (No local accounts are typically used.) I was hoping to use
machine authentication, but it seems as though most RADIUS servers only
support machine auth when they have a directory (typically AD) to confirm the
membership of the supplicants. (This certainly appears to be the case with ACS,
and Steel-Belted radius as well, from what I can tell from the documentation.)

Obviously, I don't have an AD for these systems, despite having a PKI. (Possibly
an unusual situation.) Does anyone know of a RADIUS server or NAC product that
will support machine authentication without a domain to refer to? I see the
benefits of the directory query, but it's just not an option for this particular
situation.

(I'm more than happy to look at solutions outside the windows 802.1x support if
they work!)

Cheers for any advice,
Michael




Posted by Todd H. on October 30, 2006, 5:36 pm
> Hi all,
>
> I've been looking into a small-scale 802.1x rollout, and have encountered
> something of a problem. The systems on the network I'd be NAC-ing are XP
> boxes which are members of an NT4 domain, with all users authenticated at the
> domain level. (No local accounts are typically used.) I was hoping to use
> machine authentication, but it seems as though most RADIUS servers only
> support machine auth when they have a directory (typically AD) to confirm the
> membership of the supplicants. (This certainly appears to be the case with ACS,
> and Steel-Belted radius as well, from what I can tell from the documentation.)
>
> Obviously, I don't have an AD for these systems, despite having a PKI. (Possibly
> an unusual situation.) Does anyone know of a RADIUS server or NAC product that
> will support machine authentication without a domain to refer to? I see the
> benefits of the directory query, but it's just not an option for this particular
> situation.
>
> (I'm more than happy to look at solutions outside the windows 802.1x support if
> they work!)
>
> Cheers for any advice,
> Michael

If I have this straight, your only central username/password store is an
NT4 domain controller? And you'd like users to be able to use those
credentials to auth to your wireless network?

Just trying to make sure we understand what you have to auth against.

--
Todd H.
http://www.toddh.net/

Posted by Michael Owen on October 31, 2006, 4:35 am
On Mon, 30 Oct 2006 22:36:04 +0000, Todd H. wrote

>> Hi all,
>>
<cut down my original post>
>>
>> Cheers for any advice,
>> Michael
>
> If I have this straight, your only central username/password store is an
> NT4 domain controller? And you'd like users to be able to use those
> credentials to auth to your wireless network?
>
> Just trying to make sure we understand what you have to auth against.

No worries, I wasn't entirely clear. Here's what I'm trying to do, in its
entirety:

I'm trying to implement NAC on a wired network using EAP-TLS. I have a PKI,
and things on that front are working fine. If I stick with standard
user-based 802.1x authentication (using user certs, 802.1x'ing after login)
things are fine. That said, user auth doesn't really work in our model,
thanks to the lack of local accounts. We need access to the network for user
logins, and the user login can't happen before 802.1x auth. So, we looked at
machine authentication.

Unfortunately, using "machine authentication" is not so simple. It appears
that the Cisco ACS server I am using as my authentication server only
supports machine authentication if it has an AD to talk to. From what I can
tell, it's taking the machine name and machine password from the XP client
(supplicant) and performing secondary validation through that. It doesn't
want to talk to my NT domain.

What I'm trying to find is an authentication server (presumably a RADIUS
server) which can perform the basics of the cert validation in EAP-TLS, and
then either rely on a local user store for the additional windows
credentials, or just plain ignore them.

Hope that post made more sense - I was so knackered last night I could barely
see straight. =P

Here's the only comment from Cisco I've found:
http://www.informit.com/articles/article.asp?p=653377&seqNum=3&rl=1

Cheers,
Mike
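
One way to get exactly what Mike describes above (EAP-TLS certificate
validation, then a local allow-list instead of a directory lookup) is
FreeRADIUS, which nobody in this thread mentions. The two fragments below
are an added example, not configuration from any poster or from Cisco/Funk
documentation. They assume FreeRADIUS 1.x/2.x (the eap.conf key names shown
are the ones in those releases; check them against the installed version),
server certificate and key files named radius.pem/radius.key under
${raddbdir}/certs, and a hypothetical workstation ws01.corp.example.

```text
# eap.conf fragment (added example, not from the thread).
# EAP-TLS only: the supplicant is accepted if its certificate chains to
# CA_file and is not revoked. No NT4/AD computer-account lookup happens.
eap {
        default_eap_type = tls
        tls {
                private_key_file    = ${raddbdir}/certs/radius.key
                certificate_file    = ${raddbdir}/certs/radius.pem
                CA_file             = ${raddbdir}/certs/ca.pem
                dh_file             = ${raddbdir}/certs/dh
                random_file         = /dev/urandom
                fragment_size       = 1024
                include_length      = yes
                # Without a directory there is no computer account to disable,
                # so revocation is the only way to cut a machine off.
                check_crl           = yes
                CA_path             = ${raddbdir}/certs/
                # Optional: require the cert CN to equal the EAP identity.
                # XP machine auth sends host/<FQDN> as the identity, so only
                # enable this if machine certs are issued with that CN.
                # check_cert_cn = %{User-Name}
        }
}

# users file fragment (added example). Authorization by EAP identity from a
# local file instead of a domain; ws01.corp.example is hypothetical.
"host/ws01.corp.example"   Auth-Type := EAP
DEFAULT                    Auth-Type := Reject
```

The users-file entries are matched on the outer EAP identity, which the XP
supplicant sets to host/<machine FQDN> when machine authentication is
enabled; a user logging in later with a user certificate would present
DOMAIN\user and fall through to the DEFAULT reject unless listed. For
check_crl to take effect the CRL must sit in CA_path under its OpenSSL hash
name (c_rehash), and the CRL needs to be refreshed before it expires or every
machine will be rejected.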


Posted by MC on October 30, 2006, 8:53 pm
Hi Michael,

If I understand what you are trying to do correctly, you're running into
the problem that a lot of radius servers and IAS don't work on an NT4
domain.

A tip I found earlier: Funk Software's Odyssey Server is great and
simple for WLAN only use (RADIUS). Can authenticate against an NT4
domain specifically.

Another option (but I have not tried it myself, nor looked into it
in-depth) seems to be that you could plug samba 2.x in your domain with
a win2k client machine to provide the translation of NT4 domain
authentication to LDAP (which can then be used for the RADIUS). At the
very least this sounds rather tricky to set up but might be an option if
nothing else works.

HTH

MC


michael.owen wrote:
> Hi all,
>
> I've been looking into a small-scale 802.1x rollout, and have encountered
> something of a problem. The systems on the network I'd be NAC-ing are XP
> boxes which are members of an NT4 domain, with all users authenticated at the
> domain level. (No local accounts are typically used.) I was hoping to use
> machine authentication, but it seems as though most RADIUS servers only
> support machine auth when they have a directory (typically AD) to confirm the
> membership of the supplicants.

Posted by Michael Owen on October 31, 2006, 4:38 am
On Tue, 31 Oct 2006 01:53:58 +0000, MC wrote

> Hi Michael,
>
> If I understand what you are trying to do correctly, you're running into
> the problem that a lot of radius servers and IAS don't work on an NT4
> domain.
>
> A tip I found earlier: Funk Software's Odyssey Server is great and
> simple for WLAN only use (RADIUS). Can authenticate against an NT4
> domain specifically.
>
> Another option (but I have not tried it myself, nor looked into it
> in-depth) seems to be that you could plug samba 2.x in your domain with
> a win2k client machine to provide the translation of NT4 domain
> authentication to LDAP (which can then be used for the RADIUS). At the
> very least this sounds rather tricky to set up but might be an option if
> nothing else works.
>
> HTH
>
> MC

Thanks for mentioning the Odyssey Server, I'll have a look at it - does it
rely on using Steel-Belted RADIUS as an authentication server? I was poking
through the docs for Steel-Belted, and got the impression it still relied on
the presence of an AD for machine-auth use with Windows XP clients.

Cheers,
Mike

