Re: authenticate proxy requests with AD computer accounts

From: FenderAxe (fa_at_axe.com)
Date: 03/09/05


Date: 9 Mar 2005 07:30:31 GMT


"TD" <TD@blahspam.com> wrote in
news:CeoXd.33029$rD4.3333166@phobos.telenet-ops.be:

> Hi,
>
> We have 2 squid proxy servers running in our 2000 domain.
> I would like to block internet access if the client computer doesn't
> have a computer account in the domain.
>
> Is this possible with radius, IAS radius in particular? Is there a way
> to automatically issue valid certificates to computers that have an
> account in AD?
> And to authenticate them through those certificates on the
> proxy servers? I know squid supports radius...
> Of course the non-domain computers should not be able to
> obtain/install a valid certificate.
>
> Thanks a lot for your help or advice.
>
> Best regards,
> TD.
>
>
>
Not clear what your network access servers are -- VPN? Dial-up? Wireless?

You can autoenroll certificates to domain member computers using
Certificate Services in W2K w/IAS, I believe. You can use EAP-TLS to
authenticate with the certs, but to do this internally (as opposed to
remote access connections through VPN or wireless connections locally, as I
said it isn't clear what you are trying to do) I think you have to deploy
802.1X authenticating switches. You might need Server 2003, not sure.

To manage internet access you should use VLANs and IAS remote access
policy. There're whitepapers at the IAS technology center sites.

The proxy servers only forward messages (e.g. connection requests) to other
RADIUS servers for authentication & authorization. RADIUS is used between
NAS and proxy, NAS and RADIUS server, and proxy to RADIUS server. You can
do what you want to, but you need to study up, it isn't trivial.
