Improve company productivity with a Business Account.Sign Up


Non-Wireless Certificate based Network Authentication

Posted on 2010-11-12
Medium Priority
Last Modified: 2012-05-10
I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking on to the campus and plugging into our private network. Opening and closing ports will be to time consuming since we have so many users. So I thought that the same concept for certificate based wireless will work for the LAN. But I am not sure were to start researching this and what type of issues will come up. Here are the questions that I need help with.

1. What system requirements are there to implement this type of infrastructure. Such as Radius server, etc...

2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?

3. Will there be an issue doing this with Mac users or Linux/Unix?

4. What might be the biggest hurdle I might face implementing this?

5. Most importantly, where can I find more information on this, books, articles, anything?

Thank you for all your help.
Question by:m_travis
  • 3
  • 2

Accepted Solution

tstritof earned 2000 total points
ID: 34128533

the most important thing is what exactly would be the desired behavior of your LAN for internal users/computers and those that aren't. What type of network access or network services should be available to foreign user and what should be witheld? Please try to be as specific as possible.

To comment on your post - I think that the example of wireless access encryption is similar to VPN remote access and not to direct access to LAN. When you look at it both involve some level of physical isolation - e.g. wireless access point or VPN router/firewall. When directly plugged into LAN, well - you are directly plugged into LAN. And the name of RADIUS server itself (Remote Authentication Dial In User Service) suggests the same thing - it's remote access oriented - not local.

There are some possibilities to "secure" the network at "low level" by things like DHCP authentication and 802.1X protocol but that involves requiring such capabilities of all your clients, servers and network switches which can prove to be expensive. But more important - it can't stop some intent evil doer from finding a way around it.

Still, keep in mind that foreign computers and users plugging into your LAN don't automatically get access to any network resources unless they sucessfully authenticate and that is where you might enforce stronger security policies.

However, if you only wish to secure parts of your LAN you could set up some sort of physical isolation. This would actually mean implementing firewalls inside your network which only allow authenticated users/computers to access resources behind that firewall. You would have to:
- create an "unprotected" LAN segment (sometimes called perimeter network or DMZ) providing just basic network services like DHCP,
- put a firewall between "unprotected" LAN segment and the secure LAN segment where resources you are protecting reside, the firewall should be able to authenticate users and/or computers and allow passage only for those that sucessfully authenticate,
- ensure that foreign users have no way to gain physical access to outlets connected directly to the protected part of the LAN.

If you can't ensure the above - I have no 100% valid solution to suggest. If you can, read on :)

Regarding products able to do this task - there are various firewalls able to integrate with RADIUS servers. Microsoft offers ForeFront TMG firewall (formerly ISA server) as firewall solution, NPS service on W2K8 Server (formerly IAS service on W2K3 server) as RADIUS server solution (supports 802.1X too) and Active Directory as container of authenticated resources. They are able to service Windows clients, and also Mac/Linux clients to a certain level. The problem with both Mac/Linux is that these aren't your company's client machines which would allow you to install necessary software to better facilitate the integration. Since these are foreign computers - you don't have this option.

Other solutions exist too from various vendors but how and if they could be implemeted in your current network depends on what your current network architecture looks like, what exactly is it you want to achieve and how big is your budget.

The rollout bit is something that shouldn't be too difficult if you test the solution thoroughly. To be on the safe side you should create a limited perimeter network first for testing purposes and test it against all known client configurations. If all goes well you can extend the perimeter network to all public access outlets.

Finally, from my (bad) experience, you should turn as much attention (if not more) to your "trusted" internal users. It's amazing what people looking for ways to download stuff from internet, work from home, or perform any other "activity of intererest" are prepared to do to get what they want (one of my favorites was the user establishing unauthorized https encapsulated VPN tunnel to foreign network because standard VPN ports were blocked).

And regarding the reading material I can point you to some TecNet stuff here:
Network Policy and Access Services
and here:
802.1X Authenticated Wired Access

LVL 17

Expert Comment

ID: 34128968
Do you have to have certificates or would just username/password suffice? Using 802.1x authentication, you can give the user a temporary username and password on the network. Using mschap/chap/pap authentication, you can have radius foreward tthe request to a domain controller and do a lookup. This would be easier to implement than certificates. When the user leaves, all you have to do is disable their account in AD or wherever so that they won't have access any more.

Expert Comment

ID: 34129014

bear in mind that you also have to consider licensing aspects when assigning any user access through assigning usernames in AD. If you are covered there ignore this post.

So determine what is it exactly you are giving/denying foreign users access to in the first place. Is it internet connectivity, shared printers, access to internal shares or applications - the whole thing.

Only when you decide that start considering the strategy. Otherwise the chosen strategy defines it for you and it may not be what you wanted.

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

LVL 29

Expert Comment

ID: 34161327
There is already a technology in place to do what you are wanting to do.  There is no need to re-invent the wheel.   It works at Layer2 and if I haven't got my EEE numbers mixed up it is the 802.1X standard.   It requires a RADIUS Server and expensive Switches with the functionality designed into them.  I have never used it,...probably never will,...and so I can't say much more about them.

But here is a link that may help.

Expert Comment

ID: 34162367
:) pwindell I know I tend to "overpost a bit" but the 802.1X is something I discuss above. The wheel I'm reinventing is an experience from corporate practice (can't name no names here) but let's say it's about as big as any wheel can hope to get :)
LVL 17

Expert Comment

ID: 34173654
AD is not a requirement for 802.1x. You could use a look up in a text file for a mac address, Microsoft ADAM which is free, a SQL DB lookup if you have a SQL server, just depends on what you set your radius server to do. The end result is the same, you want to authenticate a user before opening a port up for them and that's what 802.1x is designed to do.

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The Windows Firewall provides an important layer of protection and a rich interface to configure it. Unfortunately, it lacks item level filtering. This article details my process of implementing firewall-as-code to reduce GPO bloat.
If you need to implement application level security in an Access database application or other VBA code, I strongly encourage you to take advantage of Active Directory groups.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question