<div>
Do you have to have certificates or would just username/password suffice? Using 802.1x authentication, you can give the user a temporary username and password on the network. Using mschap/chap/pap authentication, you can have radius foreward tthe request to a domain controller and do a lookup. This would be easier to implement than certificates. When the user leaves, all you have to do is disable their account in AD or wherever so that they won't have access any more.
</div>


<div>
Hi,<br />
<br />
bear in mind that you also have to consider licensing aspects when assigning any user access through assigning usernames in AD. If you are covered there ignore this post.<br />
<br />
So determine what is it exactly you are giving/denying foreign users access to in the first place. Is it internet connectivity, shared printers, access to internal shares or applications - the whole thing.<br />
<br />
Only when you decide that start considering the strategy. Otherwise the chosen strategy defines it for you and it may not be what you wanted.<br />
<br />
Regards,<br />
Tomislav
</div>


<div>
There is already a technology in place to do what you are wanting to do. &nbsp;There is no need to re-invent the wheel. &nbsp; It works at Layer2 and if I haven't got my EEE numbers mixed up it is the 802.1X standard. &nbsp; It requires a RADIUS Server and expensive Switches with the functionality designed into them. &nbsp;I have never used it,...probably never will,...and so I can't say much more about them.<br />
<br />
But here is a link that may help.<br />
<a href="http://en.wikipedia.org/wiki/IEEE_802.1X" rel="ugc">http://en.wikipedia.org/wiki/IEEE_802.1X</a>
</div>


<div>
:) pwindell I know I tend to &quot;overpost a bit&quot; but the 802.1X is something I discuss above. The wheel I'm reinventing is an experience from corporate practice (can't name no names here) but let's say it's about as big as any wheel can hope to get :)
</div>


<div>
AD is not a requirement for 802.1x. You could use a look up in a text file for a mac address, Microsoft ADAM which is free, a SQL DB lookup if you have a SQL server, just depends on what you set your radius server to do. The end result is the same, you want to authenticate a user before opening a port up for them and that's what 802.1x is designed to do. 
</div>


<div>
<div class="content wysiwyg-content">
I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking on to the campus and plugging into our private network. Opening and closing ports will be to time consuming since we have so many users. So I thought that the same concept for certificate based wireless will work for the LAN. But I am not sure were to start researching this and what type of issues will come up. Here are the questions that I need help with.<br />
<br />
1. What system requirements are there to implement this type of infrastructure. Such as Radius server, etc...<br />
<br />
2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?<br />
<br />
3. Will there be an issue doing this with Mac users or Linux/Unix?<br />
<br />
4. What might be the biggest hurdle I might face implementing this?<br />
<br />
5. Most importantly, where can I find more information on this, books, articles, anything?<br />
<br />
Thank you for all your help.
</div>
</div>


I am thinking about bringing this idea up to my manager. Currently there is nothing stopping a random user walking on to the campus and plugging into our private network. Opening and closing ports will be to time consuming since we have so many users. So I thought that the same concept for certificate based wireless will work for the LAN. But I am not sure were to start researching this and what type of issues will come up. Here are the questions that I need help with.

1. What system requirements are there to implement this type of infrastructure. Such as Radius server, etc...

2. When visitors come in, how will we push the certificate to them if they can't associate with the domain?

3. Will there be an issue doing this with Mac users or Linux/Unix?

4. What might be the biggest hurdle I might face implementing this?

5. Most importantly, where can I find more information on this, books, articles, anything?

Thank you for all your help.

Non-Wireless Certificate based Network Authentication

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Network Operations includes asset management, help-desk supervision, security and user policies, infrastructure administration and anything else that affects the operation of your network. Discussions will include those of best practices in platforms, configurations, performance, security and accounting.

Network Operations

Network design and methodology, also known as network architecture, is the design of a communication network. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, as well as data formats used in its operation. In telecommunication, the specification of a network architecture may also include a detailed description of products and services delivered via a communications network, as well as detailed rate and billing structures under which services are compensated.