Device & User Authentication with RADIUS and Active Directory

We have the User Authentication via a RADIUS server to AD working with PEAP for the WLANs. How can one do device Authentication to AD via 802.1X on the RFS-7000 at the same time?  Machine certs? How do you do this?
Charles Brugger

Here is the issue with the registry setting. The customer only wants authorized computers, so if someone uses their personal PC to access, then they may not be running XP SP1. Also, they could change the registry settings to bypass this. Also, there is an XP setting to validate or nonvalidate server certs which is user configurable. Basically they do not want any PC or device on the network that has not been blessed and ignore any settings on any non-blessed PC. Thanks for the posting.

Satish Shivarudrappa

Can you please elaborate what you mean by device authentication to AD via 802.1X on the RFS-7000 at the same time?
Is it like a particular user has to work from a particular host connecting to the switch and not from any other?
For the working setup of RADIUS with AD, are you using PEAP-GTC on the onboard RADIUS server?




Charles Brugger

My understanding is that each device gets a SID when it authenticates to a Domain Controller. This can be done automatically via the domain controller, or one can put a machine/client certificate on the device (in this case an XP PC). The customer wants to not only authenticate the user, but also the device (XP PC) at the same time. They are able to authenticate the user via PEAP/CHAP onto the WLAN using an IAS server that then communicates to AD, but how do they authenticate the device? You can do this on the wired side using 802.1X; how do you do this with the RFS-7000? How would this be triggered? Is this something the NAC would handle? In order to set up user-based security with IAS (external RADIUS), one must first define all the settings under the Security menu with all the necessary settings. Then I can create the Security Policy for the WLAN and just point to the same external RADIUS.

But this would only do user authentication. How would I also do device/client authentication?

Robert Caporino

Chuck

Check out the following links on Microsoft's website.

http://technet2.microsoft.com/windowsserver/en/library/5506eeef-9e91-4cab-8e1e-3efb504d1b471033.mspx?mfr=true


http://technet2.microsoft.com/windowsserver/en/library/dac646dd-b8ff-46a4-9129-18584c3a02cb1033.mspx?mfr=true

The RFS 7000 is just passing the credentials on to the RADIUS server. As long as the RADIUS server is set up correctly and the Machine is registered in AD they should get authenticated.


Charles Brugger

New information. The customer wants device/machine certification to happen even if the Validate Server Certificate box in XP is unchecked (under Smart Card or other Certificate Properties), since this is under user control. Aruba sends both the user and device validation requests to the RADIUS server (user first, then device); however, it appears that Aruba is ignoring it. We only send the user validation request to the RADIUS server and not the device validation request.

Kumar Puttaswamy

What do you mean by device validation, and how is it being configured on the host/wireless supplicant?
In the earlier post PEAP was mentioned, and now you are asking about using the smart card or other certificates option. These are two different types of EAP authentication, so can you be more specific about how the supplicant is being configured?

Channareddy Ireddy

Hi,

Check this document in this link, http://www.juniper.net/solutions/literature/app_note/350115.pdf

This document gives an idea about machine authentication using certificates and how you can achieve it using the Funk Odyssey supplicant and a Windows 2003 CA.

-Channareddy

John Sellin

Authenticate machines very much the same way you authenticate the user. Create your Remote Access Policy (RAP) on the Windows 2003 Server. Create a group in AD. Issue computer certificates to the appropriate computers. Add those computers to the appropriate group. Add that group to the RAP allow rule.
If you want to base authentication on users and computers as well, create a group for the wireless users. Add the appropriate users to the group.
Add that group to the RAP rule with an AND and you will have machine-based authentication.

Channareddy Ireddy

Hi,

No extra settings are required on our switch to perform machine authentication using certificates as long as you are using an external RADIUS server like IAS.

If you are using a Windows XP machine and the Windows XP (WZC) supplicant, you have to make some registry setting changes. Suitably edit the Windows 2003 CA so that the machine certificate it issues has a CN.

If you are using Funk Odyssey, no change in registry settings is required.

-Channareddy

This link will guide you on how you can achieve this and how it will work:

http://technet2.microsoft.com/windowsserver/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true



Charles Brugger

Customer wants to ensure that when a PC connects to the network it is not allowed on unless it passes both user authentication (user name and password) and machine authentication (computer name or certificate), using PEAP if possible.


They do not want anybody getting on the network until they pass both forms of Authentication.

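The requirement stated in the post above (no network access until both machine and user authentication have passed), and John Sellin's group-based Remote Access Policy approach earlier in the thread, are easier to reason about with the two authentications written out as the RADIUS server actually sees them. With Windows 802.1X the computer and the user authenticate in two separate EAP exchanges: the supplicant presents the computer account (host/<fqdn>) at boot and the user identity after logon, so the RADIUS server receives two independent Access-Requests and no single policy condition can see both identities at once. The only thing common to both requests is the client MAC that the wireless switch forwards in Calling-Station-Id, so enforcing "both" means remembering which MACs recently passed machine authentication. The following Python model is an added example, not RFS-7000, IAS or NAC code; the group names, identities, MAC addresses and the eight-hour cache lifetime are constructed for illustration.

```python
"""Model of how an external RADIUS/NAC policy has to correlate 802.1X machine
and user authentication, which Windows sends as two separate EAP sessions.
Added example for this thread; not RFS-7000, IAS or NAC code.  All names,
identities, MACs and the cache lifetime are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed stand-in for AD group membership lookups (assumed group names).
AD_GROUPS: Dict[str, set] = {
    "host/pc01.corp.example": {"Domain Computers", "Wireless-Computers"},
    "host/pc02.corp.example": {"Domain Computers"},        # joined, not blessed
    "CORP\\alice": {"Domain Users", "Wireless-Users"},
    "CORP\\bob": {"Domain Users"},                        # no WLAN entitlement
}
MACHINE_GROUP = "Wireless-Computers"   # assumed: the "blessed PCs" group
USER_GROUP = "Wireless-Users"          # assumed: the authorized WLAN users group
MACHINE_AUTH_TTL = timedelta(hours=8)  # assumed: how long a machine auth counts


@dataclass(frozen=True)
class AccessRequest:
    user_name: str            # RADIUS User-Name, i.e. the EAP outer identity
    calling_station_id: str   # client MAC as the wireless switch reports it


def is_machine_identity(user_name: str) -> bool:
    """Windows 802.1X supplicants present the computer account as host/<fqdn>."""
    return user_name.lower().startswith("host/")


def normalize_mac(calling_station_id: str) -> str:
    """Switches format Calling-Station-Id differently; key the cache on hex only."""
    return "".join(c for c in calling_station_id.upper() if c in "0123456789ABCDEF")


@dataclass
class RadiusPolicy:
    # MAC -> time the last machine authentication from that MAC succeeded.
    machine_auth_cache: Dict[str, datetime] = field(default_factory=dict)

    def evaluate(self, req: AccessRequest, now: datetime) -> Tuple[str, str]:
        """Return (RADIUS reply code, reason) for one Access-Request."""
        groups = AD_GROUPS.get(req.user_name)
        if groups is None:
            return "Access-Reject", "identity not found in AD"
        mac = normalize_mac(req.calling_station_id)

        if is_machine_identity(req.user_name):
            # Computer account request (sent at boot, before any user logs on).
            if MACHINE_GROUP not in groups:
                return "Access-Reject", "computer is not in the authorized group"
            self.machine_auth_cache[mac] = now
            return "Access-Accept", "machine authenticated"

        # User request: the AND with the machine check is only possible by
        # remembering that this MAC already passed machine authentication.
        last = self.machine_auth_cache.get(mac)
        if last is None or now - last > MACHINE_AUTH_TTL:
            return "Access-Reject", "no recent machine authentication from this device"
        if USER_GROUP not in groups:
            return "Access-Reject", "user is not in the authorized group"
        return "Access-Accept", "machine and user authenticated"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed sequence of requests as the switch would forward them."""
    policy = RadiusPolicy()
    t0 = datetime(2008, 1, 1, 8, 0)
    blessed_pc, personal_pc, unblessed_pc = "00-11-22-33-44-55", "00-11-22-33-44-66", "00-11-22-33-44-77"
    requests = [
        (AccessRequest("host/pc01.corp.example", blessed_pc), t0),              # boot
        (AccessRequest("CORP\\alice", blessed_pc), t0 + timedelta(minutes=1)),  # logon
        (AccessRequest("CORP\\alice", personal_pc), t0),                        # own laptop
        (AccessRequest("host/pc02.corp.example", unblessed_pc), t0),            # not blessed
        (AccessRequest("CORP\\bob", blessed_pc), t0 + timedelta(minutes=2)),    # wrong user
        (AccessRequest("CORP\\alice", blessed_pc), t0 + timedelta(hours=9)),    # cache aged out
    ]
    return [policy.evaluate(req, when) for req, when in requests]


if __name__ == "__main__":
    for code, reason in run_scenario():
        print(f"{code:14} {reason}")
```

run_scenario() walks a blessed PC through boot and user logon (both accepted), then a personal laptop whose user is authorized but which never performed machine authentication, a domain-joined PC outside the authorized computer group, an unauthorized user on a blessed PC, and a user logon after the cached machine authentication has aged out (all rejected). The cache is the part that IAS on its own does not provide, since it evaluates every Access-Request independently; it is the piece a NAC product or a custom RADIUS server has to add if "both" is the requirement rather than "either".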

Mark Mann

Hi Charles,

Here's where I believe a NAC solution comes into play. Example things I've read so far regarding NAC:

Goals of Network Access Control

Because NAC represents an emerging category of security products, its definition is both evolving and controversial. The overarching goals of the concept can be distilled to:

Mitigation of zero-day attacks
The key value proposition of NAC solutions is the ability to prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination of network worms.

Policy enforcement
NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.

Identity and access management
Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.

Hope this helps.

Mark


Mark Mann
Hi Charles, Forgot to also add
