Implementing a RADIUS server or some sort to authenticate users

Posted on 2013-06-19
510 Views
Last Modified: 2013-07-09
I have a network that consists of 300 or so users who get Internet access only through us. I want to lock it down so that not just anybody can go and plug into an HP switch and get connected. DHCP is handled by a firewall; they do not log in to a Windows domain. I would like to set up a RADIUS server or such to authenticate them before allowing them an IP. Can I get some suggestions?


thanks in advance
Question by:officertango
8 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260721
802.1x sounds like what you need in order to control who can and cannot connect to the network. What type of switches are you using in your environment? You do not use Active Directory now for authentication? Would you look at implementing this and doubling up with it as a RADIUS server, or just setting up a standalone RADIUS server of some sort?

Author Comment

by:officertango
ID: 39260731
Yes, I would like 802.1x authentication but am not familiar with it. I have HP ProCurve switches, some layer 3 and most layer 2; all these users are on a special VLAN. There is no AD to authenticate against. What are my options? It sounds like you have the info that I am looking for.


Thanks
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260851
I'm not too familiar with setting up 802.1X on HP switches, only Cisco switches. Since you do not authenticate via AD, what do they authenticate against, or are there simply no usernames/passwords set up in your environment?

If you have a server, I would look at freeradius.org as your RADIUS server. Below is a link to setting up 802.1x on HP switches. Be sure to test this out in a test environment, as you can very easily lock everyone out of your network if you simply enable it on the switches.

http://h10032.www1.hp.com/ctg/Manual/c02642107.pdf

802.1x will require a connecting user to enter a username and password before being allowed to send/receive data on a network. The end users/clients also need to be 802.1x compliant, and the NICs have to have it enabled, or else they will plug in and never be able to authenticate. The PDF link I attached gives you some background on this technology and how it works.


Author Comment

by:officertango
ID: 39260941
Currently, they plug in and get right in, as long as the port is configured for the correct VLAN. This is why I want to implement a login process.


Author Comment

by:officertango
ID: 39260968
You also mention that a NIC has to support 802.1x authentication; how do I verify that? Most of my users have Macs or PCs.


Author Comment

by:officertango
ID: 39262709
As far as the RADIUS server goes, does that mean every time they turn the computer on, they are prompted to log in to the RADIUS server in order to get on the network?

thanks

LVL 9

Assisted Solution

by:BigPapaGotti
BigPapaGotti earned 1000 total points
ID: 39264259
On Windows to verify if you can enable 802.1x follow the links below which detail how to enable it for each Operating System:

Windows Vista/7:
http://windows.microsoft.com/en-us/windows-vista/enable-802-1x-authentication
This will detail how to enable it from within the NIC's properties:
http://www.uio.no/english/services/it/network/student-residential-network/instructions/win7/

Windows XP:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx?mfr=true

Mac OS X:
This varies slightly between OS versions, but it is found under the Advanced tab of the Network preferences. There will be an 802.1x tab that will need to have a profile created for it. Here is a link:
http://support.apple.com/kb/ht3326

You are correct that every time they would turn the computer on (the switchport changes from down to up) they would need to authenticate.

Another alternative that you could set up, as opposed to 802.1x, would be MAC address filtering (switchport security). This will limit which MAC addresses are allowed to connect to a specific port. So say, for instance, you only allow MAC address 11:11:11:11 to connect to fa0/1, and a computer with MAC address 22:22:22:22 plugs into fa0/1; then the port would automatically be shut down. Then you, as the administrator, would have to connect to the switch, re-enable the port, and adjust the allowed MAC address.

Hope this helps
LVL 6

Accepted Solution

by:
pgstephan earned 1000 total points
ID: 39305409
It looks like you don't really manage these computers. In this case, you may wish to avoid 802.1x because of the compatibility issues and the complexity of requiring 802.1x to be enabled on the user operating system.

An alternate solution would be to get the users to authenticate against a proxy server backed by a RADIUS server. This will not deny them from receiving an IP address from your DHCP server, but will only allow access to the Internet for authorised users.
You can also enable caching on the Squid to save on your network resources and provide a better user experience.

If you have a couple of computers sitting around, I suggest you use a free proxy like Squid, which will authenticate against a RADIUS server (you can use freeradius.org again).
You will also need to enable redirection on your network gateway, or simply provide the proxy details to the users; it is an easy task to configure the proxy in their browsers.

You can find some configuration examples for Squid below which will help you.
http://wiki.squid-cache.org/ConfigExamples
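As an added illustration of the proxy-plus-RADIUS design described in this answer (not configuration from the answer's author or from the Squid project), here is a minimal `squid.conf` that makes Internet access conditional on a successful RADIUS login, using Squid's bundled `basic_radius_auth` helper. The file paths, the `10.0.0.0/8` client range and the `10.0.0.5` RADIUS host are assumed placeholders; replace them with your own values and the shared secret configured in FreeRADIUS.

```conf
# /etc/squid/squid.conf  (added example; paths and addresses are placeholders)

# Ask the RADIUS server to check each username/password the browser presents.
# basic_radius_auth reads its server/secret settings from the file given to -f.
auth_param basic program /usr/lib/squid/basic_radius_auth -f /etc/squid/radius_config
auth_param basic children 5
auth_param basic realm Internet access
# Cache an accepted credential for 2 hours so the helper is not asked on every request.
auth_param basic credentialsttl 2 hours

# Only the user VLAN may talk to the proxy at all (assumed range).
acl localnet src 10.0.0.0/8
# Any request without valid proxy credentials gets a 407 challenge.
acl authed proxy_auth REQUIRED

# Order matters: refuse outsiders first, then allow only authenticated users,
# and deny everything that did not match an explicit allow.
http_access deny !localnet
http_access allow authed
http_access deny all

http_port 3128

# Local cache as suggested above: 2 GB on disk, 16 x 256 directory layout.
cache_dir ufs /var/spool/squid 2048 16 256

# /etc/squid/radius_config  (separate file, readable only by the squid user)
# server     10.0.0.5
# secret     CHANGE-ME-shared-secret
# identifier squid-proxy
```

Proxy authentication only works when browsers are explicitly configured to use the proxy (or receive it via PAC/WPAD); transparently intercepted traffic cannot be challenged with a 407, so the "redirection on your network gateway" route needs a different auth mechanism. Basic auth also sends the password in cleartext between browser and proxy, which is acceptable on a trusted LAN segment but worth noting.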