Non-Wireless Certificate based Network Authentication

Posted on 2010-11-12
Last Modified: 2012-05-10
I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking on to the campus and plugging into our private network. Opening and closing ports will be too time consuming since we have so many users. So I thought that the same concept as certificate based wireless will work for the LAN. But I am not sure where to start researching this and what type of issues will come up. Here are the questions that I need help with.

1. What system requirements are there to implement this type of infrastructure? Such as a RADIUS server, etc.

2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?

3. Will there be an issue doing this with Mac users or Linux/Unix?

4. What might be the biggest hurdle I might face implementing this?

5. Most importantly, where can I find more information on this, books, articles, anything?

Thank you for all your help.
Question by: m_travis
Accepted Solution

tstritof earned 500 total points
ID: 34128533

The most important thing is what exactly would be the desired behavior of your LAN for internal users/computers and those that aren't. What type of network access or network services should be available to foreign users and what should be withheld? Please try to be as specific as possible.

To comment on your post - I think that the example of wireless access encryption is similar to VPN remote access and not to direct access to LAN. When you look at it both involve some level of physical isolation - e.g. wireless access point or VPN router/firewall. When directly plugged into LAN, well - you are directly plugged into LAN. And the name of RADIUS server itself (Remote Authentication Dial In User Service) suggests the same thing - it's remote access oriented - not local.

There are some possibilities to "secure" the network at "low level" by things like DHCP authentication and 802.1X protocol but that involves requiring such capabilities of all your clients, servers and network switches which can prove to be expensive. But more important - it can't stop some intent evil doer from finding a way around it.

Still, keep in mind that foreign computers and users plugging into your LAN don't automatically get access to any network resources unless they successfully authenticate, and that is where you might enforce stronger security policies.

However, if you only wish to secure parts of your LAN you could set up some sort of physical isolation. This would actually mean implementing firewalls inside your network which only allow authenticated users/computers to access resources behind that firewall. You would have to:
- create an "unprotected" LAN segment (sometimes called perimeter network or DMZ) providing just basic network services like DHCP,
- put a firewall between the "unprotected" LAN segment and the secure LAN segment where the resources you are protecting reside; the firewall should be able to authenticate users and/or computers and allow passage only for those that successfully authenticate,
- ensure that foreign users have no way to gain physical access to outlets connected directly to the protected part of the LAN.

If you can't ensure the above - I have no 100% valid solution to suggest. If you can, read on :)

Regarding products able to do this task - there are various firewalls able to integrate with RADIUS servers. Microsoft offers ForeFront TMG firewall (formerly ISA server) as firewall solution, NPS service on W2K8 Server (formerly IAS service on W2K3 server) as RADIUS server solution (supports 802.1X too) and Active Directory as container of authenticated resources. They are able to service Windows clients, and also Mac/Linux clients to a certain level. The problem with both Mac/Linux is that these aren't your company's client machines which would allow you to install necessary software to better facilitate the integration. Since these are foreign computers - you don't have this option.

Other solutions exist too from various vendors, but how and if they could be implemented in your current network depends on what your current network architecture looks like, what exactly it is you want to achieve and how big your budget is.

The rollout bit is something that shouldn't be too difficult if you test the solution thoroughly. To be on the safe side you should create a limited perimeter network first for testing purposes and test it against all known client configurations. If all goes well you can extend the perimeter network to all public access outlets.

Finally, from my (bad) experience, you should turn as much attention (if not more) to your "trusted" internal users. It's amazing what people looking for ways to download stuff from the internet, work from home, or perform any other "activity of interest" are prepared to do to get what they want (one of my favorites was the user establishing an unauthorized https encapsulated VPN tunnel to a foreign network because standard VPN ports were blocked).

And regarding the reading material, I can point you to some TechNet stuff here:
Network Policy and Access Services
and here:
802.1X Authenticated Wired Access
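The accepted solution describes a firewall between an "unprotected" perimeter segment and the protected LAN that only passes hosts after they authenticate. The following is an added example, not code from this thread or from any of the products it names: a toy model of that authenticating firewall, in which only DHCP and DNS are reachable from the perimeter without a session and everything else requires a live, expiring session for the source address. The segments, addresses, service list, session lifetime and the credential store (a stand-in for the RADIUS/AD back end) are all constructed values.

```python
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass, field

# Constructed segments: the "unprotected" perimeter and the protected LAN.
PERIMETER = ipaddress.ip_network("10.10.0.0/24")
PROTECTED = ipaddress.ip_network("10.20.0.0/24")

# Basic services reachable from the perimeter without authenticating
# (DHCP and DNS), keyed by (destination, port, protocol). Constructed.
BASIC_SERVICES = {
    ("10.20.0.2", 67, "udp"),   # DHCP server
    ("10.20.0.3", 53, "udp"),   # DNS resolver
}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the sample store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed credential store standing in for the RADIUS/AD back end.
CREDENTIALS = {"visitor": _make_record("Visitor-Pass-1")}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class AuthFirewall:
    """Passes perimeter -> protected traffic only for source addresses
    that hold a live authenticated session; sessions expire."""
    session_ttl: float = 3600.0
    sessions: dict = field(default_factory=dict)  # src IP -> (user, expiry)

    def authenticate(self, src: str, user: str, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        record = CREDENTIALS.get(user)
        if record is None:
            return False
        salt, expected = record
        if not hmac.compare_digest(expected, _derive(password, salt)):
            return False
        self.sessions[src] = (user, now + self.session_ttl)
        return True

    def decide(self, pkt: Packet, now=None) -> str:
        now = time.time() if now is None else now
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src not in PERIMETER or dst not in PROTECTED:
            return "unhandled"        # only perimeter -> protected is modelled
        if (pkt.dst, pkt.dport, pkt.proto) in BASIC_SERVICES:
            return "allow"            # DHCP/DNS for everyone on the perimeter
        session = self.sessions.get(pkt.src)
        if session is None:
            return "deny-unauthenticated"
        _user, expiry = session
        if now >= expiry:
            del self.sessions[pkt.src]  # stale session: drop it and deny
            return "deny-expired"
        return "allow"


if __name__ == "__main__":
    fw = AuthFirewall(session_ttl=60)
    print(fw.decide(Packet("10.10.0.5", "10.20.0.10", 445)))
    fw.authenticate("10.10.0.5", "visitor", "Visitor-Pass-1")
    print(fw.decide(Packet("10.10.0.5", "10.20.0.10", 445)))
```

The model keys sessions on the source IP address, which is what a gateway on a shared segment can actually see; that is also its weak point, and is why the answer insists that foreign users get no physical path to outlets on the protected segment. Short session lifetimes and re-authentication limit how long a stale entry stays usable.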


Expert Comment

ID: 34128968
Do you have to have certificates or would just username/password suffice? Using 802.1x authentication, you can give the user a temporary username and password on the network. Using mschap/chap/pap authentication, you can have radius forward the request to a domain controller and do a lookup. This would be easier to implement than certificates. When the user leaves, all you have to do is disable their account in AD or wherever so that they won't have access any more.

Expert Comment

ID: 34129014

Bear in mind that you also have to consider licensing aspects when assigning any user access through assigning usernames in AD. If you are covered there, ignore this post.

So determine what it is exactly you are giving/denying foreign users access to in the first place. Is it internet connectivity, shared printers, access to internal shares or applications, the whole thing?

Only when you decide that should you start considering the strategy. Otherwise the chosen strategy defines it for you and it may not be what you wanted.


Expert Comment

ID: 34161327
There is already a technology in place to do what you are wanting to do. There is no need to re-invent the wheel. It works at Layer 2 and, if I haven't got my IEEE numbers mixed up, it is the 802.1X standard. It requires a RADIUS server and expensive switches with the functionality designed into them. I have never used it, probably never will, and so I can't say much more about them.

But here is a link that may help.

Expert Comment

ID: 34162367
:) pwindell, I know I tend to "overpost a bit", but 802.1X is something I discuss above. The wheel I'm reinventing is an experience from corporate practice (can't name no names here), but let's say it's about as big as any wheel can hope to get :)


Expert Comment

ID: 34173654
AD is not a requirement for 802.1x. You could use a lookup in a text file for a MAC address, Microsoft ADAM which is free, a SQL DB lookup if you have a SQL server; it just depends on what you set your radius server to do. The end result is the same: you want to authenticate a user before opening a port up for them, and that's what 802.1x is designed to do.
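The two comments above (ID 34128968 and ID 34173654) describe the 802.1X port model: the switch port passes nothing until the RADIUS server returns Access-Accept, the RADIUS server can consult whatever back end the admin configures (a MAC address list in a text file, a user/password store in AD, ADAM or SQL), and a departing visitor is handled by disabling the account. The following is an added example, not code from this thread or from any RADIUS product: a toy model of that flow with a MAC allow-list parsed from text, a salted user/password store, a guest VLAN for ports that fail, and account disabling. All MAC addresses, user names, VLAN numbers and the file contents are constructed.

```python
import hashlib
import hmac
import io
import os

DEVICE_VLAN = 30   # constructed: VLAN for MAC-authenticated devices
GUEST_VLAN = 99    # constructed: VLAN for ports that fail authentication

# Constructed text file: one MAC per line, for devices that cannot run
# an 802.1X supplicant (the addresses are made up).
MAC_LIST_TEXT = """\
# MAC address        label
00:11:22:33:44:55    lobby-printer
AA-BB-CC-DD-EE-01    badge-reader   # switch-style dashes are accepted
"""


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def load_mac_list(text: str) -> dict:
    """Parse the allow-list, ignoring blank lines and # comments."""
    allowed = {}
    for raw in io.StringIO(text):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mac, _, label = line.partition(" ")
        allowed[normalize_mac(mac)] = label.strip()
    return allowed


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RadiusServer:
    """Policy server with two back ends: a MAC allow-list and a
    user/password store (standing in for AD, ADAM or a SQL lookup)."""

    def __init__(self, mac_list_text: str):
        self.mac_allow = load_mac_list(mac_list_text)
        self.users = {}     # user -> {"salt", "hash", "vlan", "enabled"}

    def add_user(self, name: str, password: str, vlan: int) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _derive(password, salt),
                            "vlan": vlan, "enabled": True}

    def disable_user(self, name: str) -> None:
        """What the admin does when a visitor leaves: no cert to revoke."""
        self.users[name]["enabled"] = False

    def authorize(self, request: dict) -> tuple:
        """Return ("Access-Accept", attrs) or ("Access-Reject", {})."""
        user = request.get("user")
        if user is not None:                       # user/password path
            rec = self.users.get(user)
            candidate = request.get("password") or ""
            if rec and rec["enabled"] and hmac.compare_digest(
                    rec["hash"], _derive(candidate, rec["salt"])):
                return "Access-Accept", {"vlan": rec["vlan"]}
            return "Access-Reject", {}
        mac = normalize_mac(request["mac"])        # MAC allow-list path
        if mac in self.mac_allow:
            return "Access-Accept", {"vlan": DEVICE_VLAN}
        return "Access-Reject", {}


class SwitchPort:
    """Authenticator: the port forwards nothing until RADIUS accepts,
    unless a guest VLAN is configured for failed ports."""

    def __init__(self, radius: RadiusServer, guest_vlan=None):
        self.radius = radius
        self.guest_vlan = guest_vlan
        self.state, self.vlan = "unauthorized", None

    def link_up(self, mac: str, user=None, password=None) -> tuple:
        req = {"mac": mac}
        if user is not None:
            req.update(user=user, password=password)
        code, attrs = self.radius.authorize(req)
        if code == "Access-Accept":
            self.state, self.vlan = "authorized", attrs["vlan"]
        elif self.guest_vlan is not None:
            self.state, self.vlan = "guest", self.guest_vlan
        else:
            self.state, self.vlan = "unauthorized", None
        return self.state, self.vlan

    def forwards(self) -> bool:
        return self.vlan is not None

    def link_down(self) -> None:
        self.state, self.vlan = "unauthorized", None
```

The MAC path exists because printers and similar devices have no supplicant; a MAC address is trivially copied, so that path should land such devices on their own restricted VLAN rather than the user VLAN, which is why the model assigns DEVICE_VLAN separately from the VLAN carried in a user's record.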
