Solved

Implementing a RADIUS server of some sort to authenticate users

Posted on 2013-06-19
Last Modified: 2013-07-09
I have a network that consists of 300 or so users that get Internet access only through us. I want to lock it down so that not just anybody can go and plug into an HP switch and get connected. DHCP is handled by a firewall; they do not log in to a Windows Domain. I would like to set up a RADIUS server or such to authenticate them before allowing them an IP. Can I get some suggestions?


Thanks in advance

Question by: officertango

8 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260721
802.1x sounds like what you need in order to control who can and cannot connect to the network. What type of switches are you using in your environment? You do not use Active Directory now for authentication? Would you look at implementing this and doubling up with it as a RADIUS server, or just setting up a standalone RADIUS server of some sort?
0
 

Author Comment

by:officertango
ID: 39260731
Yes, I would like 802.1x authentication but am not familiar with it. I have HP ProCurve switches, some layer 3 and most layer 2; all these users are on a special VLAN. There is no AD to authenticate against. What are my options? It sounds like you have the info that I am looking for.


Thanks
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39260851
I'm not too familiar with setting up 802.1X on HP switches, only Cisco switches. Since you do not authenticate via AD, what do they authenticate against, or are there simply no usernames/passwords set up in your environment?

If you have a server I would look at freeradius.org as your RADIUS server. Below is a link to setting up 802.1x on HP switches. Be sure to test this out in a test environment, as you can very easily lock everyone out of your network if you simply enable it on the switches.

http://h10032.www1.hp.com/ctg/Manual/c02642107.pdf

802.1x will require a connecting user to enter a username and password before being allowed to send/receive data on a network. The end users/clients also need to be 802.1x compliant and the NICs have to have it enabled, or else they will plug in and never be able to authenticate. The PDF link I attached gives you some background on this technology and how it works.
0
 

Author Comment

by:officertango
ID: 39260941
Currently, they plug in and get right in, as long as the port is configured for the correct VLAN. This is why I want to implement a login process.
0

 

Author Comment

by:officertango
ID: 39260968
You also mention that a NIC has to support 802.1x authentication; how do I verify that? Most of my users have a Mac or PC.
0
 

Author Comment

by:officertango
ID: 39262709
As far as the RADIUS server, does that mean every time they turn the computer on, they are prompted to log in to the RADIUS server in order to get on the network?

Thanks
0
 
LVL 9

Assisted Solution

by:BigPapaGotti
BigPapaGotti earned 250 total points
ID: 39264259
On Windows to verify if you can enable 802.1x follow the links below which detail how to enable it for each Operating System:

Windows Vista/7:
http://windows.microsoft.com/en-us/windows-vista/enable-802-1x-authentication
This will detail how to enable it from within the NIC's properties:
http://www.uio.no/english/services/it/network/student-residential-network/instructions/win7/

Windows XP:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx?mfr=true

Mac OS X:
This varies slightly between OS versions, but it is found under the Network preferences Advanced tab. There will be an 802.1x tab that will need to have a profile created for it. Here is a link:
http://support.apple.com/kb/ht3326

You are correct that every time they would turn the computer on (the switchport changes from down to up) they would need to authenticate.

Another alternative that you could set up, as opposed to 802.1x, would be MAC address filtering (switchport security); this will limit which MAC addresses are allowed to connect to a specific port. So say for instance you only allow MAC address 11:11:11:11 to connect to fa0/1 and a computer with MAC address 22:22:22:22 plugs in to fa0/1; then the port would automatically be shut down. Then you as the administrator would have to connect to the switch, enable the port, and adjust the allowed MAC address.

Hope this helps
0
 
LVL 6

Accepted Solution

by:pgstephan
pgstephan earned 250 total points
ID: 39305409
It looks like you don't really manage these computers. In this case, you may wish to avoid 802.1x because of the compatibility issues and the complexity of requiring 802.1x to be enabled on the user operating system.

An alternate solution would be to get the users to authenticate against a proxy server backed by a RADIUS server. This will not deny them an IP address from your DHCP server, but will only allow access to the Internet for authorised users.
You can also enable caching on Squid to save on your network resources and provide a better user experience.

If you have a couple of computers sitting around, I suggest you use a free proxy like Squid, which can authenticate against a RADIUS server (you can use freeradius.org again).
You will also need to enable redirection on your network gateway, or simply provide the proxy details to the users; it is an easy task to configure the proxy in their browsers.

You can find some configuration examples for Squid below which will help you.
http://wiki.squid-cache.org/ConfigExamples
0
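Both routes discussed in this thread end at a RADIUS server: with 802.1x the switch is the RADIUS client, and with the proxy route the Squid authentication helper is. The following Python example is added here and is not part of any post in the thread, nor code from FreeRADIUS or Squid. It shows the simplest RADIUS exchange (an RFC 2865 Access-Request carrying a PAP User-Password, answered with Access-Accept or Access-Reject) with both the client and server side in one process so it runs offline. The user database, the shared secret and the usernames are constructed sample values. Note that the 802.1x path carries EAP inside RADIUS rather than a PAP password, so only the proxy case is modelled exactly.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes and the two attributes this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: what the RADIUS server would hold for its users,
# and the shared secret configured on both the RADIUS client and server.
USERS = {b"alice": b"correct horse battery staple"}
SHARED_SECRET = b"testing123"

def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _parse_attrs(data):
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of the same transform; strips the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("bad User-Password length")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret):
    """Client side (e.g. the Squid helper): Code, Identifier, Length, a random
    Request Authenticator, then User-Name and the hidden User-Password."""
    req_auth = secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def server_handle(packet, secret, user_db):
    """Server side: recover the password, check it against the user database,
    and reply with a Response Authenticator of
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    stored = user_db.get(attrs.get(ATTR_USER_NAME, b""))
    ok = False
    if stored is not None and ATTR_USER_PASSWORD in attrs:
        given = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
        ok = hmac.compare_digest(stored, given)  # constant-time comparison
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # no reply attributes
    return header + resp_auth

def client_verify(response, secret, req_auth, ident):
    """The client checks the Response Authenticator before trusting the verdict;
    returns the packet code, or None if the reply is forged or mismatched."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response) or length < 20:
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code

def authenticate(username, password, secret, user_db, ident=1):
    """One full round trip; True only on a verified Access-Accept."""
    packet, req_auth = build_access_request(ident, username, password, secret)
    response = server_handle(packet, secret, user_db)
    return client_verify(response, secret, req_auth, ident) == ACCESS_ACCEPT
```

Two points the code makes that the thread only implies: the password is never sent in the clear, but its protection is only as strong as the shared secret, which is why the secret on the switch or proxy and on the RADIUS server must match and be kept private; and a client that skips the Response Authenticator check would accept a forged Access-Accept from anyone on the path, so the check in `client_verify` is not optional.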
