Re: IAS 2003 Connection Request Policies

From: MacManMike (martinm_at_montevallo.edu)
Date: 03/23/04


Date: 23 Mar 2004 07:14:40 -0800

Good suggestion but not always viable.

802.1x may be the way to go but the technology and the industry are
not there yet.

We are a University. We have student computers of all different
types. 802.1x is very difficult (at least for most students) to set up
on their machines. Besides, a free 802.1x supplicant is only
available for Windows 2000 and above and for MacOS X. What about the
students who have older computers?

Also, what about wireless devices that do not support 802.1x? What
about wireless printers, bridges, VoIP phones, etc... Any ideas
there?

A "public VLAN" is not an option. You don't want just anyone on your
network using up your bandwidth, using it as a gateway to other people
and files that you, as a Network Administrator, will have to defend
yourself against in the event of legal action.

Besides, why should Microsoft IAS be so difficult? I know of at least
two other products that will do what we want very easily (FreeRadius
for Linux and Radiator for Windows) and they are very inexpensive. We
would like to stay with a Microsoft product. We are a "Windows shop".

How difficult is the SDK development? Are there sample SDK plugins
for what we want to do? Any idea on how expensive it would be to have
someone write such a SDK?

Any help would be appreciated.

Thanks,

Michael Martin

>"Ashwin Palekar (MS)" <ashwinp@online.microsoft.com> wrote in message
>news:<e5IiVH2DEHA.576@TK2MSFTNGP11.phx.gbl>...
> Mike,
>
> You are right. If you are using MAC address authorization (it is technically
> not referred to as authentication since MAC address is public information
> that can be captured and used by anyone), then IAS requires that the MAC
> address is there on the account. The only way to bypass this is to write a
> IAS extension (See IAS SDK on MSDN) that decides to accept the user w/ VLAN.
>
> Remote access policies are the same in Windows 2000 and Windows 2003; and
> you should continue to use it for User or user group based policies.
>
> We do not recommend using MAC address authorization for security since it is
> too easy to bypass; plus, there is no encryption of the data link. MAC
> address authorization is simply a way to cause hindrance to naive users.
>
> Instead, you could achieve the same using 802.1x and IAS; and this option
> provides security - both authentication and encryption.
>
> 1. For authorized users create accounts in AD and give them passwords: In
> the 802.1x client connection properties page, select PEAP-MSCHAPv2 and
> unselect the option to use Winlogon credentials. On the IAS server create a
> Policy (RAP) for authorized users (condition: Windows Groups). In the
> Profile: enable PEAP-MSCHAPv2 and set the VLAN properties.
> 2. For guest users that do not have accounts in AD: In the 802.1x client
> connection properties page, configure EAP-TLS and enable an option called
> connect as guest. When this option is enabled, the client will try to
> connect as a Windows guest account. On the IAS server create a Policy (RAP)
> for unauthenticated guest users (condition: Windows group containing the
> Windows Guest account). In the Profile: enable EAP-TLS, Enable
> Unauthenticated Access; and set VLAN properties.
> 3. You will need a Certificate on the RADIUS server from a Public
> certificate authority (like Verisign).
> 4. Make sure Connection Request Policy is set to use Windows authentication
> (which is the default).
> 5. Configure the AP in such a way that if the client does not support
> 802.1x, put them on the public VLAN.
>
> Regards,
>
> Ashwin
>
> --
> --
> ===========================================================
> This posting is provided "AS IS" with no warranties and confers no rights
> ===========================================================
>
> "MacManMike" <martinm@montevallo.edu> wrote in message
> news:af9ef1fd.0403201106.6c9549b3@posting.google.com...
> > It appears that since we are using MAC authentication, technically
> > there is always "a user" (the MAC address of that client). As a
> > result, the access point sends the MAC address as the client and IAS
> > tries to authenticate that MAC address/user name in Active Directory.
> > Since the account isn't there, it denies access. Therefore, IAS
> > appears to only work with a guest account when there is no user
> > name (such as with other authentication methods...not MAC address).
> >
> > Any ideas?
> >
> > We can setup in FreeRadius (on Linux) or Radiator (on Windows) a
> > DEFAULT that replies information for VLANs instead of a rejection
> > message. This seems doable, but how?
> >
> > Thanks,
> >
> > Micha
> >
> >>"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
> >>news:<Xns94B18295FDEA6jamesmcionlinemicros@207.46.248.16>...
> >> Hi Michael --
> >>
> >> I'm sending you an email that explains the IAS pipeline so that it is
> >> clearer for you. (Not posting that info here as it is fairly lengthy.)
> >>
> >> Make sure you enable the Guest account in Active Directory or guest access
> >> won't work. To enable the guest account, open the Active Directory Users
> >> and Computers snap-in, and then double-click Users. Right-click the account
> >> named Guest, and then click Enable Account.
> >>
> >> On a RAP, enable guest access by opening the RAP, clicking "Edit Profile,"
> >> and on the Authentication tab check the checkbox in "Unauthenticated
> >> access."
> >>
> >>
> >> martinm@montevallo.edu (MacManMike) wrote in
> >> news:af9ef1fd.0403181804.1a28d76e@posting.google.com:
> >>
> >> > Thanks so much for the info...
> >> > From what I can tell, I am doing what you are asking. The problem is
> >> > in this step...
> >> >
> >> > 2. Enable unauthenticated access on the appropriate remote access
> >> > policy for MAC address-based authentication, and enable PAP.
> >> >
> >> > Is this what would allow those whom I have not created a Windows
> >> > account gain access to the "guest" VLAN? I figured out where to do
> >> > this in the CRPs (Connection Request Policies)...but not the RAPs
> >> > (Remote Access Policies).
> >> >
> >> > As I have it configured now, the CRP looks at the time (set for all
> >> > times) and then says use Windows authentication on the local server.
> >> > This sends the authentication to the RAP (correct???)
> >> >
> >> > I can get the RAP to look at the Windows group and if an account exists
> >> > with name of the MAC address (and password of the MAC), it sends the
> >> > information to the Access Point necessary to put the client in the
> >> > correct VLAN. The problem is when a user's MAC address is not in
> >> > Active Directory.
> >> >
> >> > I need a RAP that basically says, "I don't have it in Active Directory
> >> > so send it to VLAN X."
> >> >
> >> > Suggestions???
> >> >
> >> > Thanks,
> >> >
> >> > Michael Martin
> >> >
> >> >>"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
> >> >> news:<Xns94B073BF43E8Djamesmcionlinemicros@207.46.248.16>...
> >> >> Hi Michael --
> >> >>
> >> >> IAS always processes both remote access policies and connection
> >> >> request policies, but it can only process policies of either type if
> >> >> they are configured.
> >> >>
> >> >> The best advice I can give you without seeing your setup is to use
> >> >> the default Connection Request Policy as it is.
> >> >>
> >> >> Then configure your remote access policies as you described in your
> >> >> first post:
> >> >>
> >> >> >> > What I would like is policies similar to this...
> >> >> >> > 1. (A Policy) Is your MAC address in group A --> send to VLAN A
> >> >> >> > 2. (B Policy) Is your MAC address in group B --> send to VLAN B
> >> >> >> > 3. (Default Policy) Everyone --> send to VLAN X
> >> >>
> >> >> Here is some info, provided between the sets of asterisks (*), on MAC
> >> >> address authorization:
> >> >>
> >> >> ****************
> >> >>
> >> >> MAC address authorization
> >> >>
> >> >> Media Access Control (MAC) address authorization functions in the
> >> >> same way as ANI authorization, but it is used for wireless clients
> >> >> and clients connecting to your network by using an 802.1X
> >> >> authenticating switch. MAC address authorization is based on the MAC
> >> >> address of the network adapter installed in the user's client
> >> >> computer.
> >> >>
> >> >> Like ANI authorization, MAC address authorization uses the
> >> >> Calling-Station-ID attribute instead of user name and password or
> >> >> certificate-based credentials to identify the user during the
> >> >> connection attempt.
> >> >>
> >> >> MAC address authorization is performed when the user does not type in
> >> >> any user name or password, and refuses to use any valid
> >> >> authentication method. In this case, IAS receives Calling-Station-ID,
> >> >> and no user name and password. To support MAC address authorization,
> >> >> the Active Directory must have user accounts with MAC addresses as
> >> >> user names.
> >> >>
> >> >> MAC address authorization is enabled when you do the following:
> >> >>
> >> >> 1. Enable MAC address authorization on access servers (such as
> >> >> wireless APs).
> >> >> 2. Enable unauthenticated access on the appropriate remote access
> >> >> policy for MAC address-based authentication, and enable PAP.
> >> >> 3. Create a user account for each MAC address for which you want
> >> >> to provide MAC address authorization. The name of the user account
> >> >> must match the MAC address of the network adapter installed in the
> >> >> computer that the user is connecting from. The user account password
> >> >> must be set to the RADIUS shared secret used between the RADIUS
> >> >> client (such as an AP) and the IAS server.
> >> >> 4. Set the User Identity Attribute registry value to 31 on the
> >> >> authenticating server.
> >> >> To always use the MAC address as the user identity, set the Override
> >> >> User-Name registry value to 1 on the IAS server.
> >> >>
> >> >> *******************
> >> >>
> >> >> Keep in mind that you need to create Windows Groups in Active
> >> >> Directory to perform authorization by group. (You can use another
> >> >> user accounts db but it must be LDAP compliant.)
> >> >>
> >> >> James
> >> >>
> >> >>
> >> >> martinm@montevallo.edu (MacManMike) wrote in
> >> >> news:af9ef1fd.0403181012.129fb9bc@posting.google.com:
> >> >>
> >> >> > BUT...I have tried to use the Remote Access Policies but it seems
> >> >> > to only want to use the Connection Request Policies. How do you
> >> >> > get IAS 2003 to use the Remote Access Policies?
> >> >> >
> >> >> > Michael Martin
> >> >> >
> >> >> >
> >> >> >> "James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
> >> >> >> news:<Xns94AD8CA567B3Djamesmcionlinemicros@207.46.248.16>...
> >> >> >> Hi Michael --
> >> >> >>
> >> >> >> Connection request policies are primarily used when configuring
> >> >> >> your IAS server as a proxy server that forwards connection
> >> >> >> requests to other IAS servers.
> >> >> >>
> >> >> >> You can accomplish what you want to do if you configure Remote
> >> >> >> Access Policies rather than CRP's.
> >> >> >>
> >> >> >>
> >> >> >> martinm@montevallo.edu (MacManMike) wrote in
> >> >> >> news:af9ef1fd.0403120657.4b849e00@posting.google.com:
> >> >> >>
> >> >> >> > We have been working with IAS 2003 and doing some testing.
> >> >> >> > Besides being a good bit different from IAS 2000, we now have
> >> >> >> > added complications when working with authentication by wireless
> >> >> >> > access points.
> >> >> >> >
> >> >> >> > In IAS 2000, Remote Access Policies were used and you could
> >> >> >> > assign policies to Windows-based groups.
> >> >> >> >
> >> >> >> > Now in IAS 2003, it appears that Connection Request Policies are
> >> >> >> > used instead and there is no option for assigning policies to a
> >> >> >> > specific group of users.
> >> >> >> >
> >> >> >> > Am I missing something? Is there a way to use Windows groups
> >> >> >> > with connection request policies?
> >> >> >> >
> >> >> >> > What we are trying to do is basically use MAC authentication and
> >> >> >> > allow access to everyone BUT based on their MAC address send
> >> >> >> > specific VLAN information to the access point to direct them to
> >> >> >> > the proper network VLAN. In IAS 2003, we have been able to get
> >> >> >> > it to allow access to everyone and assign everyone to a specific
> >> >> >> > VLAN. BUT, it seems to be an all or nothing proposition since
> >> >> >> > there are no groups.
> >> >> >> >
> >> >> >> > What I would like is policies similar to this...
> >> >> >> > 1. (A Policy) Is your MAC address in group A --> send to VLAN A
> >> >> >> > 2. (B Policy) Is your MAC address in group B --> send to VLAN B
> >> >> >> > 3. (Default Policy) Everyone --> send to VLAN X
> >> >> >> >
> >> >> >> > That way it would try to go down the list, match policies, and
> >> >> >> > if they weren't in a specific group it would send everyone to
> >> >> >> > another ("guest") VLAN.
> >> >> >> >
> >> >> >> > I can get Linux FreeRadius to work but not IAS and, for various
> >> >> >> > reasons, I would like to stay on the Windows platform.
> >> >> >> >
> >> >> >> > Any suggestions?????
> >> >> >> >
> >> >> >> > Thanks,
> >> >> >> >
> >> >> >> > Michael Martin
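The policy order Michael asks for (MAC in group A → VLAN A, MAC in group B → VLAN B, everyone else → guest VLAN X), together with the MAC authorization mechanics James quoted (the Calling-Station-Id carried as the identity), modelled in Python as an added example. This is not IAS, FreeRADIUS or Radiator code; the MAC addresses, group names and VLAN ids are constructed, and the only real values are the RFC 3580 VLAN attributes an access point expects in the Access-Accept.

```python
"""Ordered-policy model of RADIUS MAC address authorization with VLAN assignment.

Added example, not vendor code. Attribute values follow RFC 3580:
Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
Tunnel-Private-Group-ID = the VLAN id as a string.
"""
import re

# Constructed "directory": account names are MAC addresses, as the thread
# describes, collected into the groups the policies test against.
GROUPS = {
    "A": {"001122334455"},
    "B": {"aabbccddeeff", "0a1b2c3d4e5f"},
}
GROUP_VLAN = {"A": "10", "B": "20"}   # constructed VLAN ids per group
GUEST_VLAN = "99"                      # the "send everyone else to VLAN X" policy


def normalize_mac(raw):
    """Access points spell Calling-Station-Id differently (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455, 001122334455). Compare on a canonical
    12-hex-digit lowercase form and treat anything else as malformed."""
    hexdigits = raw.replace("-", "").replace(":", "").replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        return None
    return hexdigits.lower()


def vlan_attrs(vlan_id):
    """The three attributes an 802.1X/MAC-auth AP needs to place a client in a VLAN."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan_id}


def evaluate(access_request):
    """Walk the policies in order; the first match wins and the last policy is
    the catch-all. Returns (RADIUS response code, reply attributes)."""
    mac = normalize_mac(access_request.get("Calling-Station-Id", ""))
    if mac is None:
        return "Access-Reject", {}          # no usable identity, so no VLAN at all
    # With Override User-Name the User-Name is forced to the MAC; if an AP sends
    # both and they disagree, reject rather than guess which one to trust.
    user = access_request.get("User-Name")
    if user is not None and normalize_mac(user) != mac:
        return "Access-Reject", {}
    for group in ("A", "B"):                # policy A, then policy B
        if mac in GROUPS[group]:
            return "Access-Accept", vlan_attrs(GROUP_VLAN[group])
    # Default policy: a MAC is a claim the AP relays, not a credential (Ashwin's
    # point), so the catch-all VLAN must be the least-privileged network.
    return "Access-Accept", vlan_attrs(GUEST_VLAN)
```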


