Solved

inplementing radius server or some sort to authenticate users

Posted on 2013-06-19
8
506 Views
Last Modified: 2013-07-09
I have a network that consists of 300 or so users that get Internet access only through us. I want to lock down so that not anybody can just go and plug into hp switch and get connected. The DHCP is handle by a firewall, they do not login to a Windows Domain. I would like to setup a radius server or such to authenticate them before allowing them a IP. Can i get some suggestion?


thanks in advance
0
Comment
Question by:officertango
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260721
802.1x sounds like what you need in order to control who can and cannot connect to the network. What type of switches are you using in your environment? You do not use Active Directory now for authentication? Would you look at implementing this and doubling up with it as a RADIUS server or just setting up a standalonee RADIUS server of some sort
0
 

Author Comment

by:officertango
ID: 39260731
Yes, I would like 802.1x authentication but am not familiar with it. I have HP Procurve switches, some layer 3 and most layer 2, all these users are on a special VLAN. These is no AD to authenticate. What is my option? It sounds like you have the info that I am looking for.


Thanks
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260851
I'm not too familiar with setting up 802.1X on HP switches, only Cisco swithces. Since you do not authenticate via AD what do they authenticate against or is there simply no usernames/passwords setup in your environment?

If you have a server I would look at freeradius.org as your Radius server. Below is a link to setting up 802.1x on HP Switches. Be sure to test this out in a test environment as you can very easily lock everyone out of your network if you simply enable it on the switches

http://h10032.www1.hp.com/ctg/Manual/c02642107.pdf

802.1x will require a connecting user to enter a username and password before being allowed to send/receive data on a network. The end users/clients also need to be 802.1x compliant and the NICS have to have it enabled or else they will plugin and never be able to authenticate. The PDF link I attached gives you some background on this technology and how it works.
0
WordPress Tutorial 1: Installation & Setup

WordPress is a very popular option for running your web site and can be used to get your content online quickly for the world to see. This guide will walk you through installing the WordPress server software and the initial setup process.

 

Author Comment

by:officertango
ID: 39260941
Currently right now, they plug in and get right in, as long as the port is config for the correct vlan. This is why i want to implement a login processs.
0
 

Author Comment

by:officertango
ID: 39260968
How also mention that a nic has to support 802.1x authentication, how do I verify. Most of my users have MAC or PC.
0
 

Author Comment

by:officertango
ID: 39262709
As far as radius server, does that mean everytime they turn the computer on, they are prompted to login to radius server in order to get on the network?

thanks
0
 
LVL 9

Assisted Solution

by:BigPapaGotti
BigPapaGotti earned 250 total points
ID: 39264259
On Windows to verify if you can enable 802.1x follow the links below which detail how to enable it for each Operating System:

Windows Vista/7:
http://windows.microsoft.com/en-us/windows-vista/enable-802-1x-authentication
This will detail how to enable it from within the NIC's properties:
http://www.uio.no/english/services/it/network/student-residential-network/instructions/win7/

Windows XP:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx?mfr=true

Mac OS X:
This varies slightly from OS versions but it found under the network preferences Advanced tab. There will be an 802.1x tab that will need to have a profile created for it. Here is a link:
http://support.apple.com/kb/ht3326

You are correct that every time they would turn the computer on (the switchport changes from down to up) they would need to authenticate.

Another alternative that you could setup as opposed to 802.1x would be to setup MAC address (switchport security) this will limit which MAC addresses are allowed to connect to a specific port. So say for instance you only allow mac address 11:11:11:11 to connect to fa0/1 and a computer with mac address 22:22:22:22 plugs in to fa0/1 then the port would automatically be shut down. Then you as the administrator would have to connect to the switch and enable the port and adjust the MAC address of the allowed access.

Hope this helps
0
 
LVL 6

Accepted Solution

by:
pgstephan earned 250 total points
ID: 39305409
It looks like you don't really manage these computers. In this case, you may wish to avoid 802.1x because of the compatibility and the complexity requiring 802.1x enabled on the user operating system.

An alternate solution will be to get the users to authenticate against a proxy server with a RADIUS server. This will now deny them from receiving an IP address from your DHCP server, but will only allow access to the internet for authorised users.
You can also enable caching on the Squid to save on your network resources and provide a better user experience.

If you have a couple of computer sitting around, I suggest you use a free proxy like Squid which will authenticate against a RADIUS server (you can use freeradius.org again).
You will also need to enable redirection on your network gateway, or simply provide the proxy details to the users and it is an easy task to configure the proxy in their browsers.

You can find here some configuration examples for Squid below which will help you.
http://wiki.squid-cache.org/ConfigExamples
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Course of the Month3 days, 13 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question