m_travis (United States of America) asked:
Non-Wireless Certificate based Network Authentication

I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking on to the campus and plugging into our private network. Opening and closing ports will be too time consuming since we have so many users. So I thought that the same concept as certificate based wireless will work for the LAN. But I am not sure where to start researching this and what type of issues will come up. Here are the questions that I need help with.

1. What system requirements are there to implement this type of infrastructure, such as a RADIUS server, etc.?

2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?

3. Will there be an issue doing this with Mac users or Linux/Unix?

4. What might be the biggest hurdle I might face implementing this?

5. Most importantly, where can I find more information on this, books, articles, anything?

Thank you for all your help.
ASKER CERTIFIED SOLUTION: tstritof
mikecr:
Do you have to have certificates or would just username/password suffice? Using 802.1x authentication, you can give the user a temporary username and password on the network. Using MS-CHAP/CHAP/PAP authentication, you can have RADIUS forward the request to a domain controller and do a lookup. This would be easier to implement than certificates. When the user leaves, all you have to do is disable their account in AD or wherever so that they won't have access any more.
tstritof:
Hi,

bear in mind that you also have to consider licensing aspects when assigning any user access through assigning usernames in AD. If you are covered there, ignore this post.

So determine what exactly it is you are giving/denying foreign users access to in the first place. Is it internet connectivity, shared printers, access to internal shares or applications, or the whole thing?

Only when you have decided that should you start considering the strategy. Otherwise the chosen strategy defines it for you and it may not be what you wanted.

Regards,
Tomislav
There is already a technology in place to do what you are wanting to do.  There is no need to re-invent the wheel.   It works at Layer 2 and, if I haven't got my IEEE numbers mixed up, it is the 802.1X standard.   It requires a RADIUS server and expensive switches with the functionality designed into them.  I have never used it,...probably never will,...and so I can't say much more about them.

But here is a link that may help.
http://en.wikipedia.org/wiki/IEEE_802.1X
:) pwindell I know I tend to "overpost a bit" but the 802.1X is something I discuss above. The wheel I'm reinventing is an experience from corporate practice (can't name no names here) but let's say it's about as big as any wheel can hope to get :)
AD is not a requirement for 802.1x. You could use a lookup in a text file for a MAC address, Microsoft ADAM which is free, or a SQL DB lookup if you have a SQL server; it just depends on what you set your RADIUS server to do. The end result is the same: you want to authenticate a user before opening a port up for them, and that's what 802.1x is designed to do.
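The exchange the two answers above describe (the switch forwarding the user's credentials to RADIUS, and RADIUS deciding against whatever backend it is configured for) is easier to reason about with both sides in code. The following is an added example written for this page, not code from Experts Exchange or from any RADIUS product. The packet codes and attribute numbers are the real values from RFC 2865, and the User-Password hiding is the real PAP-style scheme from that RFC; the shared secret, the "visitor17" account, and the MAC allowlist text are constructed sample data, and the in-memory dictionary stands in for the AD, ADAM or SQL lookup the answers mention. A production 802.1X deployment carries the credentials inside EAP (EAP-TLS for the certificate approach the asker wants, PEAP/MSCHAPv2 for username/password) rather than in a bare User-Password attribute; the simpler attribute is used here so the whole request/decision/response cycle fits in one readable block.

```python
"""Constructed model of the 802.1X/RADIUS exchange: the authenticator (switch)
builds an Access-Request from what the supplicant presented, the RADIUS server
checks it against a backend and answers Access-Accept or Access-Reject.
Added example for this page; not an Experts Exchange or vendor implementation."""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types are the real values from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, CALLING_STATION_ID = 1, 2, 5, 31


def _md5_chain(data: bytes, secret: bytes, authenticator: bytes, hidden: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding and its inverse. Each 16-byte
    block is XORed with MD5(secret + previous ciphertext block); the first block
    uses the Request Authenticator as the 'previous' value."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(chunk, block))
        out += xored
        prev = chunk if hidden else xored   # the ciphertext block feeds the next round
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Pad with NULs to a multiple of 16 octets (at least one block), then hide.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _md5_chain(padded, secret, authenticator, hidden=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _md5_chain(hidden, secret, authenticator, hidden=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, mac, nas_port, authenticator=None):
    """Authenticator side: what the switch sends to RADIUS for the device on nas_port."""
    authenticator = authenticator or os.urandom(16)        # Request Authenticator
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (CALLING_STATION_ID, mac.encode())]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Decode code, id, authenticator and the TLV attribute list; reject malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def load_mac_allowlist(text: str) -> set:
    """One MAC per line with optional comment: the 'text file lookup' backend."""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            macs.add(line.split()[0].lower())
    return macs


def radius_decide(request, secret, user_db, mac_allowlist):
    """Server side: returns (decision code, response packet)."""
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    username = a.get(USER_NAME, b"").decode("utf-8", "replace")
    mac = a.get(CALLING_STATION_ID, b"").decode("utf-8", "replace").lower()
    decision = ACCESS_REJECT
    if code == ACCESS_REQUEST:
        if username in user_db and USER_PASSWORD in a:
            given = reveal_password(a[USER_PASSWORD], secret, req_auth)
            if hmac.compare_digest(given, user_db[username].encode()):
                decision = ACCESS_ACCEPT
        elif mac in mac_allowlist:
            # MAC-only fallback for devices that cannot run a supplicant. This is the
            # weakest tier (a MAC address is easily copied), so keep the list short.
            decision = ACCESS_ACCEPT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", decision, ident, 20)
    return decision, header + hashlib.md5(header + req_auth + secret).digest()


def demo():
    """Constructed sample data: a visitor with a temporary account and a lobby printer."""
    secret = b"constructed-shared-secret"
    user_db = {"visitor17": "Temp-Pass-42"}            # stands in for AD / ADAM / SQL
    macs = load_mac_allowlist("# constructed allowlist\n00:11:22:33:44:55  lobby printer\n")
    cases = {"good_password": ("visitor17", "Temp-Pass-42", "de:ad:be:ef:00:01"),
             "bad_password": ("visitor17", "wrong", "de:ad:be:ef:00:01"),
             "known_mac": ("00:11:22:33:44:55", "", "00:11:22:33:44:55"),
             "unknown": ("stranger", "", "66:77:88:99:aa:bb")}
    results = {}
    for i, (name, (user, pw, mac)) in enumerate(cases.items(), start=1):
        req = build_access_request(i, secret, user, pw, mac, nas_port=i)
        results[name] = radius_decide(req, secret, user_db, macs)[0]
    return results


if __name__ == "__main__":
    for name, code in demo().items():
        print(name, "ACCEPT" if code == ACCESS_ACCEPT else "REJECT")
```

Running it prints ACCEPT for the valid temporary account and the listed printer MAC, and REJECT for the wrong password and the unknown device; in a real deployment the switch leaves the port in the unauthorized state until it sees the Access-Accept, which is exactly what the asker is after. Disabling the visitor's account in the backend, as mikecr suggests, makes the next Access-Request fail without touching the switch at all.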