Solved

Non-Wireless Certificate based Network Authentication

Posted on 2010-11-12
6
670 Views
Last Modified: 2012-05-10
I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking on to the campus and plugging into our private network. Opening and closing ports will be to time consuming since we have so many users. So I thought that the same concept for certificate based wireless will work for the LAN. But I am not sure were to start researching this and what type of issues will come up. Here are the questions that I need help with.

1. What system requirements are there to implement this type of infrastructure. Such as Radius server, etc...

2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?

3. Will there be an issue doing this with Mac users or Linux/Unix?

4. What might be the biggest hurdle I might face implementing this?

5. Most importantly, where can I find more information on this, books, articles, anything?

Thank you for all your help.
0
Comment
Question by:m_travis
  • 3
  • 2
6 Comments
 
LVL 7

Accepted Solution

by:
tstritof earned 500 total points
ID: 34128533
Hi,

the most important thing is what exactly would be the desired behavior of your LAN for internal users/computers and those that aren't. What type of network access or network services should be available to foreign user and what should be witheld? Please try to be as specific as possible.

To comment on your post - I think that the example of wireless access encryption is similar to VPN remote access and not to direct access to LAN. When you look at it both involve some level of physical isolation - e.g. wireless access point or VPN router/firewall. When directly plugged into LAN, well - you are directly plugged into LAN. And the name of RADIUS server itself (Remote Authentication Dial In User Service) suggests the same thing - it's remote access oriented - not local.

There are some possibilities to "secure" the network at "low level" by things like DHCP authentication and 802.1X protocol but that involves requiring such capabilities of all your clients, servers and network switches which can prove to be expensive. But more important - it can't stop some intent evil doer from finding a way around it.

Still, keep in mind that foreign computers and users plugging into your LAN don't automatically get access to any network resources unless they sucessfully authenticate and that is where you might enforce stronger security policies.

However, if you only wish to secure parts of your LAN you could set up some sort of physical isolation. This would actually mean implementing firewalls inside your network which only allow authenticated users/computers to access resources behind that firewall. You would have to:
- create an "unprotected" LAN segment (sometimes called perimeter network or DMZ) providing just basic network services like DHCP,
- put a firewall between "unprotected" LAN segment and the secure LAN segment where resources you are protecting reside, the firewall should be able to authenticate users and/or computers and allow passage only for those that sucessfully authenticate,
- ensure that foreign users have no way to gain physical access to outlets connected directly to the protected part of the LAN.

If you can't ensure the above - I have no 100% valid solution to suggest. If you can, read on :)

Regarding products able to do this task - there are various firewalls able to integrate with RADIUS servers. Microsoft offers ForeFront TMG firewall (formerly ISA server) as firewall solution, NPS service on W2K8 Server (formerly IAS service on W2K3 server) as RADIUS server solution (supports 802.1X too) and Active Directory as container of authenticated resources. They are able to service Windows clients, and also Mac/Linux clients to a certain level. The problem with both Mac/Linux is that these aren't your company's client machines which would allow you to install necessary software to better facilitate the integration. Since these are foreign computers - you don't have this option.

Other solutions exist too from various vendors but how and if they could be implemeted in your current network depends on what your current network architecture looks like, what exactly is it you want to achieve and how big is your budget.

The rollout bit is something that shouldn't be too difficult if you test the solution thoroughly. To be on the safe side you should create a limited perimeter network first for testing purposes and test it against all known client configurations. If all goes well you can extend the perimeter network to all public access outlets.

Finally, from my (bad) experience, you should turn as much attention (if not more) to your "trusted" internal users. It's amazing what people looking for ways to download stuff from internet, work from home, or perform any other "activity of intererest" are prepared to do to get what they want (one of my favorites was the user establishing unauthorized https encapsulated VPN tunnel to foreign network because standard VPN ports were blocked).

And regarding the reading material I can point you to some TecNet stuff here:
Network Policy and Access Services
and here:
802.1X Authenticated Wired Access

Regards,
Tomislav
0
 
LVL 17

Expert Comment

by:mikecr
ID: 34128968
Do you have to have certificates or would just username/password suffice? Using 802.1x authentication, you can give the user a temporary username and password on the network. Using mschap/chap/pap authentication, you can have radius foreward tthe request to a domain controller and do a lookup. This would be easier to implement than certificates. When the user leaves, all you have to do is disable their account in AD or wherever so that they won't have access any more.
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34129014
Hi,

bear in mind that you also have to consider licensing aspects when assigning any user access through assigning usernames in AD. If you are covered there ignore this post.

So determine what is it exactly you are giving/denying foreign users access to in the first place. Is it internet connectivity, shared printers, access to internal shares or applications - the whole thing.

Only when you decide that start considering the strategy. Otherwise the chosen strategy defines it for you and it may not be what you wanted.

Regards,
Tomislav
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34161327
There is already a technology in place to do what you are wanting to do.  There is no need to re-invent the wheel.   It works at Layer2 and if I haven't got my EEE numbers mixed up it is the 802.1X standard.   It requires a RADIUS Server and expensive Switches with the functionality designed into them.  I have never used it,...probably never will,...and so I can't say much more about them.

But here is a link that may help.
http://en.wikipedia.org/wiki/IEEE_802.1X
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34162367
:) pwindell I know I tend to "overpost a bit" but the 802.1X is something I discuss above. The wheel I'm reinventing is an experience from corporate practice (can't name no names here) but let's say it's about as big as any wheel can hope to get :)
0
 
LVL 17

Expert Comment

by:mikecr
ID: 34173654
AD is not a requirement for 802.1x. You could use a look up in a text file for a mac address, Microsoft ADAM which is free, a SQL DB lookup if you have a SQL server, just depends on what you set your radius server to do. The end result is the same, you want to authenticate a user before opening a port up for them and that's what 802.1x is designed to do.
0

Join & Write a Comment

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now