m_travis (United States of America) asked:

Non-Wireless Certificate based Network Authentication

I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking onto the campus and plugging into our private network. Opening and closing ports will be too time-consuming since we have so many users. So I thought that the same concept as certificate-based wireless will work for the LAN. But I am not sure where to start researching this and what type of issues will come up. Here are the questions that I need help with.

1. What system requirements are there to implement this type of infrastructure (such as a RADIUS server, etc.)?

2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?

3. Will there be an issue doing this with Mac users or Linux/Unix?

4. What might be the biggest hurdle I might face implementing this?

5. Most importantly, where can I find more information on this, books, articles, anything?

Thank you for all your help.
Tags: Active Directory, Network Operations, Network Architecture

Last comment: mikecr (8/22/2022 - Mon)
Asker-certified solution: tstritof

mikecr

Do you have to have certificates, or would just username/password suffice? Using 802.1X authentication, you can give the user a temporary username and password on the network. Using MS-CHAP/CHAP/PAP authentication, you can have RADIUS forward the request to a domain controller and do a lookup. This would be easier to implement than certificates. When the user leaves, all you have to do is disable their account in AD or wherever so that they won't have access any more.
tstritof

Hi,

Bear in mind that you also have to consider licensing aspects when assigning any user access through assigning usernames in AD. If you are covered there, ignore this post.

So determine what exactly it is you are giving/denying foreign users access to in the first place. Is it internet connectivity, shared printers, access to internal shares or applications, or the whole thing?

Only when you have decided that, start considering the strategy. Otherwise the chosen strategy defines it for you, and it may not be what you wanted.

Regards,
Tomislav
pwindell

There is already a technology in place to do what you are wanting to do. There is no need to re-invent the wheel. It works at Layer 2 and, if I haven't got my IEEE numbers mixed up, it is the 802.1X standard. It requires a RADIUS server and expensive switches with the functionality designed into them. I have never used it, probably never will, and so I can't say much more about them.

But here is a link that may help.
http://en.wikipedia.org/wiki/IEEE_802.1X
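pwindell's point that 802.1X works at Layer 2 is easiest to see on the wire. What follows is an added example, not code from this thread or from any vendor mentioned in it: a small Python 3 (standard library only) encoder/decoder for EAPOL and EAP frames that builds and parses the first round trip on a wired port, namely EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity and an EAP-TLS Start. The MAC addresses and the user identity are constructed for the example, and the switch-to-RADIUS leg (EAP carried inside RADIUS) is deliberately not shown.

```python
import struct

# IEEE 802.1X runs at Layer 2: EAPOL frames carry EtherType 0x888E and are sent to the
# PAE group MAC, so they stop at the switch port. The switch (authenticator) relays the
# EAP payload to RADIUS over UDP; this block shows only the port side of that.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
SUPPLICANT_MAC = bytes.fromhex("001122334455")     # constructed client MAC
AUTHENTICATOR_MAC = bytes.fromhex("00aabbccddee")  # constructed switch MAC


def build_eap(code, eap_id, eap_type=None, data=b""):
    """EAP packet (RFC 3748): code, identifier, length, then type+data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, eap_id, 4 + len(body)) + body


def build_eapol(src, dst, packet_type, body=b"", version=2):
    """Ethernet header + EAPOL header (version, type, body length) + optional EAP body."""
    return (struct.pack("!6s6sH", dst, src, ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, packet_type, len(body)) + body)


def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, eap_id, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": eap_id}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a type")
        eap["type"] = pkt[4]
        eap["type_name"] = EAP_TYPE_NAMES.get(pkt[4], "other")
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol(frame):
    """Decode one captured frame; rejects anything that is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("short frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    if 18 + length > len(frame):
        raise ValueError("truncated EAPOL body")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "type": packet_type}
    if packet_type == EAPOL_EAP_PACKET:
        info["eap"] = parse_eap(frame[18:18 + length])
    return info


def port_authentication_exchange(identity):
    """First round trip on a wired 802.1X port, as a capture on that port would show it."""
    frames = [
        # supplicant asks to be authenticated (a switch may also start on link-up)
        build_eapol(SUPPLICANT_MAC, PAE_GROUP_ADDR, EAPOL_START),
        # switch asks who is on the port
        build_eapol(AUTHENTICATOR_MAC, PAE_GROUP_ADDR, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 1, 1)),
        # supplicant answers with its outer identity, which travels in clear on the wire
        build_eapol(SUPPLICANT_MAC, PAE_GROUP_ADDR, EAPOL_EAP_PACKET,
                    build_eap(EAP_RESPONSE, 1, 1, identity.encode())),
        # RADIUS chose EAP-TLS for this user; the switch relays an EAP-TLS Start (S flag = 0x20)
        build_eapol(AUTHENTICATOR_MAC, PAE_GROUP_ADDR, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 2, 13, b"\x20")),
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for step in port_authentication_exchange("alice@example.com"):
        print(step)
```

Because the frames never leave the port, a host that has not completed this exchange cannot even get as far as DHCP, which is the property the question is after; note that the identity in the third frame is visible to anyone on the same segment, so the real user name should only be sent inside the TLS tunnel that follows.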
tstritof

:) pwindell, I know I tend to "overpost" a bit, but 802.1X is something I discuss above. The wheel I'm reinventing is an experience from corporate practice (can't name names here), but let's say it's about as big as any wheel can hope to get :)
mikecr

AD is not a requirement for 802.1X. You could use a lookup in a text file for a MAC address, Microsoft ADAM (which is free), or a SQL DB lookup if you have a SQL server; it just depends on what you set your RADIUS server to do. The end result is the same: you want to authenticate a user before opening a port up for them, and that's what 802.1X is designed to do.
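The two things mikecr describes, RADIUS doing a lookup on a forwarded username/password and a plain text-file lookup of a MAC address, fit in one small piece of code. The following is an added example, not code from this thread or from any RADIUS product: a Python 3 (standard library only) implementation of the RFC 2865 Access-Request/Access-Accept exchange for the PAP case, with the User-Password hiding, the Response Authenticator the switch must verify, and a server-side policy that accepts either a known user with the right password or a known MAC presented the way switches do for MAC authentication bypass. The shared secret, usernames, passwords and MAC addresses are constructed for the example. One caveat from RFC 3579 that the thread does not spell out: a real 802.1X supplicant's EAP conversation is carried in RADIUS EAP-Message attributes, not in User-Password, so the User-Password path shown here is what the switch uses for MAC bypass and for PAP logins, not for EAP-TLS or PEAP.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CALLING_STATION_ID = 1, 2, 31

# Constructed sample stores, not real credentials. A text file is enough for a few
# visitors; an AD/LDAP or SQL lookup plugs in at the same point in authorize().
USERS_TXT = """# username password
visitor1 Temp-Pass-42
"""
MACS_TXT = """# devices that cannot run a supplicant (printers, badge readers)
00-11-22-33-44-55
"""


def pack_attrs(pairs):
    """RADIUS attributes are TLVs: type, length (including the 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def hide_user_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    seeded by the Request Authenticator. Shared-secret obfuscation, not real encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_user_password(hidden, secret, request_auth):
    """Inverse of hide_user_password; the server does this before its lookup."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, calling_station, request_auth=None):
    """What the switch (NAS) sends for a PAP login; the Request Authenticator is random."""
    ra = request_auth or os.urandom(16)
    attrs = pack_attrs([(ATTR_USER_NAME, username.encode()),
                        (ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, ra)),
                        (ATTR_CALLING_STATION_ID, calling_station.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + ln]
        pos += ln
    return code, ident, pkt[4:20], attrs


def build_response(code, ident, request_auth, secret):
    """Accept/Reject with the RFC 2865 s3 Response Authenticator (no attributes here):
    MD5(code + id + length + Request Authenticator + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(resp, request_auth, secret):
    """NAS-side check that the reply came from a holder of the secret and was not altered."""
    expected = hashlib.md5(resp[:4] + request_auth + secret).digest()
    return len(resp) >= 20 and hmac.compare_digest(resp[4:20], expected)


def normalize_mac(mac):
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def load_table(text):
    rows = [ln.split(None, 1) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return {r[0]: (r[1] if len(r) > 1 else "") for r in rows}


def authorize(request, secret, users, macs):
    """Server policy: a known user with the right password, or a known MAC that a switch
    presents as User-Name (MAC bypass) and that matches the Calling-Station-Id it saw."""
    code, ident, ra, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    station = normalize_mac(attrs.get(ATTR_CALLING_STATION_ID, b"").decode("ascii", "replace"))
    verdict = ACCESS_REJECT
    if user in users and ATTR_USER_PASSWORD in attrs:
        given = reveal_user_password(attrs[ATTR_USER_PASSWORD], secret, ra)
        if hmac.compare_digest(given, users[user].encode()):
            verdict = ACCESS_ACCEPT
    elif normalize_mac(user) in macs and normalize_mac(user) == station:
        verdict = ACCESS_ACCEPT
    return build_response(verdict, ident, ra, secret)
```

The MAC branch is only as strong as a MAC address, which any host can set, so it belongs to printers and similar devices on their own VLAN, not to the visitor case in the question; the password branch shows why the RADIUS shared secret must be long and per-switch, since anyone holding it can unhide every User-Password they capture and forge Access-Accepts.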