IAS as RADIUS

 
 
the (Guest), 09-07-2006, 04:05 PM
Hey guys,

I'm struggling a bit with a task given to me. The bossmans want to deny
access to anyone that plugs into our network. My first thought was TACACS+;
that got shot down when they wanted to spend no money, so my next thought was
RADIUS using IAS. Setting up the switches (Catalyst 2950s) is no problem
at all, however I'm having no luck with the IAS box. My biggest problem is
where to define the users. I do want a user per employee here, but I also
want extra users for guests. The trick is, I don't want to pull the users
from AD. How (if possible) do I set up users in IAS?


 
Reply With Quote
 
 
 
 
Neteng (Guest), 09-07-2006, 05:18 PM
You need to deploy 802.1x. Your switches need to support it and each client
may need a supplicant. It will not be free by any means and I do not know of
any free solutions out there.

the (Guest), 09-07-2006, 06:11 PM

I thought the client in 802.1x was the supplicant? Maybe I'm going about
this all wrong, so let me simplify this: is there a way to deny network
access to unauthorized users that plug into our network?
We're in a non-AD environment, have Windows and Linux servers, and Catalyst
2950 switches.

My impression was all I needed to do was set up my switches to talk to a
RADIUS server, which I wanted to be IAS since it comes with Windows 2k3, then
when someone plugs into an Ethernet jack they would be denied access unless
they could provide valid credentials. What am I really looking at to get
this to work?


 
TexasMirty@gmail.com (Guest), 09-07-2006, 06:53 PM
You could use MAC security on the switch ports to allow only specified
devices -- specific MAC addresses. That way no one can walk in with a
laptop, "plug in" and access your network. Use "sticky" MAC address
security to make the currently plugged-in system the allowed system. If
interested, read here -

http://www.cisco.com/en/US/products/...0801e85e4.html


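As an added example of the sticky port-security approach described above (not from the post or the linked Cisco page), this is a Catalyst 2950 IOS configuration for one user-facing access port, followed by the commands used to verify which address was learned. The interface name, the violation mode and the recovery interval are assumptions; adjust them to the site.

```cisco
! Added example, not from the post. Assumes FastEthernet0/5 is a
! user-facing access port on the 2950; adjust interface and violation mode.
configure terminal
 interface FastEthernet0/5
  ! port security is only accepted on a static access port, not a trunk
  switchport mode access
  switchport port-security
  ! one device per wall jack
  switchport port-security maximum 1
  ! sticky: the first source MAC seen on the port is learned and written into
  ! the running config as "switchport port-security mac-address sticky <mac>"
  switchport port-security mac-address sticky
  ! shutdown = err-disable the port when a second MAC appears; "restrict"
  ! would only drop the offending frames and bump the violation counter
  switchport port-security violation shutdown
 exit
 ! optional: bring err-disabled ports back automatically after 5 minutes
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300
end
! persist the learned sticky addresses across a reload
copy running-config startup-config
! checks: learned address, violation count and current port status
show port-security interface FastEthernet0/5
show port-security address
```

A learned MAC address is something the device announces about itself rather than a credential, so this limits which device a given jack accepts but does not authenticate anyone; the 802.1x approach discussed elsewhere in the thread is what actually checks credentials.
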
Phillip Windell (Guest), 09-07-2006, 07:16 PM
First, IAS is RADIUS. IAS is just MS's name for their deployment of it.
Second, RADIUS is not the solution for anything that I have read here yet.
RADIUS still requires Domain Accounts to be on the domain... which you
already said you don't want to pull users from. If you create local
accounts on a particular server (like maybe the ISA Server) then RADIUS is
not used for that.

Let's go back to the beginning.

Define "access".
Access to what? Access from what? Access to where?
Is access simply getting an IP# from DHCP?
Is access retrieving a resource on the LAN?
Is access opening a web page on the Net?
What is not considered "access"? (That may sound silly, but it is not.)

We cannot figure out a way to stop something if we don't know what it is we
are trying to stop.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


the (Guest), 09-07-2006, 07:16 PM

Thanks for the advice. I'm rather a fan of the ACL + MAC filter combo,
however only on a few VLANs can I implement this. Our engineering dept,
for instance, has customers in every week that need inet access, and surely
we can't authorize each computer every time; it'd get to be a management
nightmare. Normally they connect to our wireless network, which is a totally
separate network, so there is no threat; however this weekend we had a
Korean customer come in and effectively infected 27 machines. All I can say
is thank God for backups. So one of my new projects is to eliminate
unauthorized network access, this way our engineers can't say 'oh sure just
plug in here' and have me come in to find the place in shambles Monday
morning.

I'm reviewing my 802.1x; I was never really familiar with it anyway,
but from what I gather Windows is a client (supplicant), my switches are
802.1x compliant (making them the authenticator), and I'm under the
impression I should be able to use IAS as my authentication server. So I'm
kinda back to square one. I'm thinking I might give FreeRADIUS a shot just
to have something UnR here in the lab for testing and refinement. If anyone
has any ideas let me know.


 
Neteng (Guest), 09-07-2006, 07:31 PM
The "supplicant" is a piece of software on the client PC. Windows XP is the
only MS OS that comes with an 802.1x supplicant (but a poor one). 802.1x was
developed to prevent unauthorized PCs from being placed on the network.
Note I said PCs, not users. Do you want to prevent non-corporate PCs from
being on the network and/or unauthorized people from getting on the network?
MAC ACLs would be horrible to manage, so I would try and stay away from
that.


the (Guest), 09-07-2006, 08:31 PM

Let's define access as having access to any resource: web, network,
anything. If they are unauthorized, I want it to be like they're not even
plugged into that Ethernet port. Ideally, I'd like a group that once
granted access is only allowed out on port 80 (and maybe 443, or mail ports
if they need it). This way they can't wreak havoc on our network, but they'd
be able to browse and read mail as needed. But I need to get a system in
place to restrict access altogether before I can get fancy and try to give
them limited access.


Ah ok, I get you on the supplicant thing now. I don't anticipate anyone
trying to plug into our network with a pre-XP machine; however, if I have to
configure 802.1x on each PC trying to plug into our network, that could be as
much of a management nightmare as MAC filtering.
Preventing unauthorized PCs from being placed on the network is exactly
what I'm going for. I'd much rather these outside users use one of our
workstations, but I think you and I both know that isn't going to happen.
I'm completely open to ideas; if you have any links that will get me going,
that would be much appreciated.


 
Neteng (Guest), 09-07-2006, 09:06 PM
There is nothing to configure for the supplicant; it's all configured on
your switches. Once dot1x is set up and working, you can deploy Cisco NAC and
that controls network access and resources. Google for dot1x and you'll find
more than enough to read. We're implementing dot1x with Cisco ACS on the
backend. I know you're looking at IAS and that should work too.

http://www.tek-tips.com/viewthread.c...1239274&page=7
http://www.cisco.com/en/US/products/....shtml#install


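As an added example of the switch-side 802.1x setup Neteng describes (not from the post or the linked pages), this is a Catalyst 2950 IOS configuration that sends port authentication to an IAS server; the server address 192.0.2.10, the shared secret and FastEthernet0/5 as the user port are placeholders. On the IAS side the switch has to be registered as a RADIUS client with the same secret, and a remote access policy has to grant access to the users concerned.

```cisco
! Added example, not from the post. Placeholders: 192.0.2.10 is the IAS
! (RADIUS) server, SHARED-SECRET-HERE is the secret also entered when the
! switch is added as a RADIUS client in IAS, FastEthernet0/5 is the user port.
configure terminal
 aaa new-model
 ! 802.1x (EAP over LAN) requests from the port are relayed to RADIUS
 aaa authentication dot1x default group radius
 ! IAS listens on 1812/1813 (and the legacy 1645/1646); the key must match
 radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-HERE
 ! global switch; the per-port settings below do nothing until this is on
 dot1x system-auth-control
 interface FastEthernet0/5
  ! dot1x is only accepted on a static access port
  switchport mode access
  ! auto: the port passes only EAPOL until the supplicant authenticates;
  ! force-authorized (the default) would leave the port open to anyone
  dot1x port-control auto
 exit
end
! checks: global state, then per-port authorisation state after a client
! plugs in (look for "Authorized" vs "Unauthorized")
show dot1x
show dot1x interface FastEthernet0/5
```

The EAP type selected on the XP client's Authentication tab has to be one the IAS remote access policy allows; if they disagree the port simply stays unauthorized, which is the first thing to check when a test client gets no network.
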
Phillip Windell (Guest), 09-07-2006, 09:11 PM

"the" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Let's define access as having access to any resource: web, network,
> anything. If they are unauthorized, I want it to be like they're not even
> plugged into that Ethernet port.


Ok, but that doesn't clarify it. They can be plugged into the port, even get
an IP#, even use a valid user account, and *still* not be able to use
printers, file shares, or have web access.

> Ideally, I'd like a group that once granted access is only allowed out on
> port 80 (and maybe 443, or mail ports if they need it). This way they can't
> wreak havoc on our network, but they'd be able to browse and read mail as
> needed.


That's easy. Create accounts for them, or just one special account for all
of them to use. Let's call the account "Vendors" (or whatever you want).
Then create a new Global Group for them, let's call it "Temp Vendors" (or
whatever you want). Add the account Vendors to the group "Temp Vendors".
Set the Temp Vendors group as the Primary Group for that account. Now remove
the account from the "Domain Users" group.

There... now you have an account and a group which have permission to
absolutely nothing... except for things the "Everyone Group" has access to,
but that was always your responsibility to limit access to the Everyone
Group long before this issue ever came along.

Mail access depends on where the mail server is. If it is on the Internet
then the Firewall or Proxy controls that as well. If it is on the LAN then
they already don't have access to it because they have no mailbox. No
mailbox = no mail server access.

Internet Access is just simply done at the Firewall or Proxy Device.

Good high-end proxy servers like ISA Server allow/deny based on user
accounts, so that is easily solved... you don't give their account access to
anything... which is already the default anyway... problem solved.

But lesser NAT-based firewalls only restrict by source IP, protocol, and
destination IP.

So you have to choose one option:
1. stop using DHCP
2. control where in the building they are able to connect in... make those
wall jacks a particular subnet that the NAT device can allow/deny
3. use one of the expensive quarantine solutions the other guys have been
trying to describe to you.

> But i need to get a system in place to restrict access all together
> before i can get fancy and try to give them limited access.


No, that is not true. It doesn't work like that. There is no one "system"
that will do that. There are many, many forms and methods of access control
for different things and they all have to be coordinated together into a
full security system. You either do it and do it right, or you don't. That
is why the people who can do this, and do it correctly, make the $$$$ (or at
least they should).

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
windows 2003 radius proxy and windows 2000 radius server JluisVelasco Windows Networking 2 01-18-2008 09:16 AM
RADIUS Jonathan Windows Networking 1 05-03-2007 06:59 PM
RADIUS rahulkumbhar@gmail.com Windows Networking 1 07-07-2006 01:14 PM
MN-700 and Radius Rich Broadband Hardware 0 05-21-2004 08:27 PM
Radius! Skarlund Windows Networking 1 12-15-2003 01:37 PM



1 2 3 4 5 6 7 8 9 10 11