Solved

inplementing radius server or some sort to authenticate users

Posted on 2013-06-19
8
503 Views
Last Modified: 2013-07-09
I have a network that consists of 300 or so users that get Internet access only through us. I want to lock down so that not anybody can just go and plug into hp switch and get connected. The DHCP is handle by a firewall, they do not login to a Windows Domain. I would like to setup a radius server or such to authenticate them before allowing them a IP. Can i get some suggestion?


thanks in advance
0
Comment
Question by:officertango
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260721
802.1x sounds like what you need in order to control who can and cannot connect to the network. What type of switches are you using in your environment? You do not use Active Directory now for authentication? Would you look at implementing this and doubling up with it as a RADIUS server or just setting up a standalonee RADIUS server of some sort
0
 

Author Comment

by:officertango
ID: 39260731
Yes, I would like 802.1x authentication but am not familiar with it. I have HP Procurve switches, some layer 3 and most layer 2, all these users are on a special VLAN. These is no AD to authenticate. What is my option? It sounds like you have the info that I am looking for.


Thanks
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260851
I'm not too familiar with setting up 802.1X on HP switches, only Cisco swithces. Since you do not authenticate via AD what do they authenticate against or is there simply no usernames/passwords setup in your environment?

If you have a server I would look at freeradius.org as your Radius server. Below is a link to setting up 802.1x on HP Switches. Be sure to test this out in a test environment as you can very easily lock everyone out of your network if you simply enable it on the switches

http://h10032.www1.hp.com/ctg/Manual/c02642107.pdf

802.1x will require a connecting user to enter a username and password before being allowed to send/receive data on a network. The end users/clients also need to be 802.1x compliant and the NICS have to have it enabled or else they will plugin and never be able to authenticate. The PDF link I attached gives you some background on this technology and how it works.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 

Author Comment

by:officertango
ID: 39260941
Currently right now, they plug in and get right in, as long as the port is config for the correct vlan. This is why i want to implement a login processs.
0
 

Author Comment

by:officertango
ID: 39260968
How also mention that a nic has to support 802.1x authentication, how do I verify. Most of my users have MAC or PC.
0
 

Author Comment

by:officertango
ID: 39262709
As far as radius server, does that mean everytime they turn the computer on, they are prompted to login to radius server in order to get on the network?

thanks
0
 
LVL 9

Assisted Solution

by:BigPapaGotti
BigPapaGotti earned 250 total points
ID: 39264259
On Windows to verify if you can enable 802.1x follow the links below which detail how to enable it for each Operating System:

Windows Vista/7:
http://windows.microsoft.com/en-us/windows-vista/enable-802-1x-authentication
This will detail how to enable it from within the NIC's properties:
http://www.uio.no/english/services/it/network/student-residential-network/instructions/win7/

Windows XP:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx?mfr=true

Mac OS X:
This varies slightly from OS versions but it found under the network preferences Advanced tab. There will be an 802.1x tab that will need to have a profile created for it. Here is a link:
http://support.apple.com/kb/ht3326

You are correct that every time they would turn the computer on (the switchport changes from down to up) they would need to authenticate.

Another alternative that you could setup as opposed to 802.1x would be to setup MAC address (switchport security) this will limit which MAC addresses are allowed to connect to a specific port. So say for instance you only allow mac address 11:11:11:11 to connect to fa0/1 and a computer with mac address 22:22:22:22 plugs in to fa0/1 then the port would automatically be shut down. Then you as the administrator would have to connect to the switch and enable the port and adjust the MAC address of the allowed access.

Hope this helps
0
 
LVL 6

Accepted Solution

by:
pgstephan earned 250 total points
ID: 39305409
It looks like you don't really manage these computers. In this case, you may wish to avoid 802.1x because of the compatibility and the complexity requiring 802.1x enabled on the user operating system.

An alternate solution will be to get the users to authenticate against a proxy server with a RADIUS server. This will now deny them from receiving an IP address from your DHCP server, but will only allow access to the internet for authorised users.
You can also enable caching on the Squid to save on your network resources and provide a better user experience.

If you have a couple of computer sitting around, I suggest you use a free proxy like Squid which will authenticate against a RADIUS server (you can use freeradius.org again).
You will also need to enable redirection on your network gateway, or simply provide the proxy details to the users and it is an easy task to configure the proxy in their browsers.

You can find here some configuration examples for Squid below which will help you.
http://wiki.squid-cache.org/ConfigExamples
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question