Solved

Implementing a RADIUS server of some sort to authenticate users

Posted on 2013-06-19
509 Views
Last Modified: 2013-07-09
I have a network that consists of 300 or so users who get Internet access only through us. I want to lock it down so that not just anybody can go and plug into an HP switch and get connected. DHCP is handled by a firewall, and they do not log in to a Windows domain. I would like to set up a RADIUS server or such to authenticate them before allowing them an IP. Can I get some suggestions?


thanks in advance
Question by:officertango
8 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260721
802.1x sounds like what you need in order to control who can and cannot connect to the network. What type of switches are you using in your environment? You do not use Active Directory now for authentication? Would you look at implementing this and doubling up with it as a RADIUS server, or just setting up a standalone RADIUS server of some sort?
0
 

Author Comment

by:officertango
ID: 39260731
Yes, I would like 802.1x authentication but am not familiar with it. I have HP ProCurve switches, some layer 3 and most layer 2; all these users are on a special VLAN. There is no AD to authenticate against. What are my options? It sounds like you have the info that I am looking for.


Thanks
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260851
I'm not too familiar with setting up 802.1X on HP switches, only Cisco switches. Since you do not authenticate via AD, what do they authenticate against, or are there simply no usernames/passwords set up in your environment?

If you have a server I would look at freeradius.org as your RADIUS server. Below is a link to setting up 802.1x on HP switches. Be sure to test this out in a test environment, as you can very easily lock everyone out of your network if you simply enable it on the switches.

http://h10032.www1.hp.com/ctg/Manual/c02642107.pdf

802.1x will require a connecting user to enter a username and password before being allowed to send/receive data on a network. The end users/clients also need to be 802.1x compliant and the NICs have to have it enabled, or else they will plug in and never be able to authenticate. The PDF link I attached gives you some background on this technology and how it works.
0

 

Author Comment

by:officertango
ID: 39260941
Currently, they plug in and get right in, as long as the port is configured for the correct VLAN. This is why I want to implement a login process.
0
 

Author Comment

by:officertango
ID: 39260968
You also mention that a NIC has to support 802.1x authentication; how do I verify that? Most of my users have Macs or PCs.
0
 

Author Comment

by:officertango
ID: 39262709
As far as the RADIUS server goes, does that mean every time they turn the computer on, they are prompted to log in to the RADIUS server in order to get on the network?

thanks
0
 
LVL 9

Assisted Solution

by:BigPapaGotti
BigPapaGotti earned 1000 total points
ID: 39264259
On Windows to verify if you can enable 802.1x follow the links below which detail how to enable it for each Operating System:

Windows Vista/7:
http://windows.microsoft.com/en-us/windows-vista/enable-802-1x-authentication
This will detail how to enable it from within the NIC's properties:
http://www.uio.no/english/services/it/network/student-residential-network/instructions/win7/

Windows XP:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx?mfr=true

Mac OS X:
This varies slightly between OS versions, but it is found under the Network preferences Advanced tab. There will be an 802.1x tab that will need to have a profile created for it. Here is a link:
http://support.apple.com/kb/ht3326

You are correct that every time they would turn the computer on (the switchport changes from down to up) they would need to authenticate.

Another alternative that you could set up, as opposed to 802.1x, would be MAC address (switchport) security; this will limit which MAC addresses are allowed to connect to a specific port. So say for instance you only allow MAC address 11:11:11:11 to connect to fa0/1, and a computer with MAC address 22:22:22:22 plugs in to fa0/1; then the port would automatically be shut down. Then you as the administrator would have to connect to the switch, enable the port, and adjust the allowed MAC address.

Hope this helps
0
 
LVL 6

Accepted Solution

by:pgstephan
pgstephan earned 1000 total points
ID: 39305409
It looks like you don't really manage these computers. In this case, you may wish to avoid 802.1x because of the compatibility issues and the complexity of requiring 802.1x to be enabled on the user operating system.

An alternate solution would be to get the users to authenticate against a proxy server with a RADIUS server. This will not deny them from receiving an IP address from your DHCP server, but will only allow access to the Internet for authorised users.
You can also enable caching on the Squid to save on your network resources and provide a better user experience.

If you have a couple of computers sitting around, I suggest you use a free proxy like Squid, which will authenticate against a RADIUS server (you can use freeradius.org again).
You will also need to enable redirection on your network gateway, or simply provide the proxy details to the users; it is an easy task to configure the proxy in their browsers.

You can find some configuration examples for Squid below which will help you.
http://wiki.squid-cache.org/ConfigExamples
0
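Both of the solutions above end in the same place: some device (the HP switch in the 802.1x answer, or the Squid authentication helper in the proxy answer) acts as a RADIUS client and asks the RADIUS server "is this username/password good?". The following is an added example, not code from this thread, from FreeRADIUS or from Squid, showing that exchange end to end in Python: the RADIUS client builds an RFC 2865 Access-Request with a PAP password, the server recovers the password, checks it and signs its verdict, and the client refuses to act on a reply whose Response Authenticator does not check out. The shared secret, the user database, the NAS address 192.0.2.10 and the function names are all made up for the example. Squid's basic_radius_auth helper (squid_radius_auth in older releases) speaks PAP much like this; an 802.1x switch instead carries EAP inside RADIUS, which is not shown here.

```python
"""Minimal RADIUS (RFC 2865) PAP exchange: NAS side and server side in one file.
Constructed example; the secret, users and NAS address are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Constructed sample data (not from the thread): one shared secret, one user.
SHARED_SECRET = b"example-shared-secret"
USERS = {"alice": "correct horse battery staple"}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    """Decode the attribute list; reject truncated or zero-length entries."""
    attrs = {}
    while data:
        if len(data) < 2:
            raise ValueError("malformed attribute")
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def _obfuscate(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    p = (password + b"\x00" * ((-len(password)) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def _deobfuscate(cipher, secret, authenticator):
    """Inverse of _obfuscate; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=1, nas_ip="192.0.2.10"):
    """NAS side (switch or proxy auth helper): fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    body = (_attr(ATTR_USER_NAME, username.encode())
            + _attr(ATTR_USER_PASSWORD, _obfuscate(password.encode(), secret, req_auth))
            + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_handle(request, secret, users=USERS):
    """Server side: recover the password, check it, and sign the verdict."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = _deobfuscate(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    stored = users.get(user, "").encode()
    ok = user in users and hmac.compare_digest(stored, pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def nas_verify_response(request, response, secret):
    """NAS side: act on the verdict only if the Response Authenticator checks out.
    Returns True (accept), False (reject) or None (unverifiable reply)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return None  # wrong secret or tampered reply: do not open the port
    return code == ACCESS_ACCEPT


def authenticate(username, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """One full exchange; separate secrets so a mismatch can be demonstrated."""
    request = build_access_request(username, password, nas_secret)
    response = server_handle(request, server_secret)
    return nas_verify_response(request, response, nas_secret)


if __name__ == "__main__":
    print("alice/good ->", authenticate("alice", "correct horse battery staple"))
    print("alice/bad  ->", authenticate("alice", "wrong"))
    print("bad secret ->", authenticate("alice", "correct horse battery staple",
                                        server_secret=b"other"))
```

Two things worth noticing when you set this up for real. First, the only thing protecting the exchange is the shared secret: the password is hidden with an MD5 keystream derived from it, and the server's answer is authenticated with it, so use a long random secret per client and keep the RADIUS traffic on a management VLAN rather than the user VLAN. Second, the client (switch or Squid helper) must check the Response Authenticator, as the last function does; a client that trusts any packet with code 2 can be talked into opening a port. When the secrets differ, the example returns None rather than False for exactly that reason.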
