Re: Lock down LAN
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Apr 2006 15:57:10 -0700
Yes, you can do this, however you need more than just IAS -- you need to
install 802.1X authenticating switches as network access servers on your
LAN. When you use these switches and configure them as RADIUS clients to
the RADIUS server (IAS), users are authenticated and authorized before the
switch opens the port. Because of this, the client computer does not
receive an IP address until after the authentication process -- and if
authentication fails, the client computer does not receive an IP address
and the user cannot access the network.
As for deploying a Public Key Infrastructure (PKI) by installing and
deploying certificates with your own CA -- this works great, especially if
you use Group Policy and Cert services to autoenroll certificates to domain
member computers.
But if you have people accessing your LAN from home or other locations with
computers that are not domain members, it gets a little more complicated.
Here is a good whitepaper on how to set it all up:
"Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" at
http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&DisplayLang=en
Hutch <Hutch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:520C7153-37B0-4217-AE1A-3616620BCA65@xxxxxxxxxxxxx:
Hi All,
Not sure if I completely understand RADIUS, but from what I have read,
it appears that we can use it to lock down our LAN.
We have a number of branches, etc., none of which are overly secure.
Anyone could walk in, plug into our network, get an IP, and they are
off. What we would like to do is put a RADIUS server online that
would screen all such requests: if the computer in question does not
have a valid certificate, then no access.
In theory, I think this is possible. However, I don't have the first
clue on how to implement.
We are running a 2003 AD domain, with Exchange 2003, and have about
350+ users. All desktops are running Windows XP SP1 or higher. We
have a Check Point firewall for our internet access. All branches
come to a central location (main office) for AD authentication, IP
addressing, etc.
I am planning on setting up our own internal CA, so that would look
after the cert for RADIUS as well.
At some point in time, we may also want to setup wireless, but that is
not key at present.
Thanks,
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
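The exchange James describes above (switch as RADIUS client, IAS as RADIUS server, port opened only on Access-Accept) in working code, as an added example that is not part of either post. It builds an EAP-carrying RADIUS Access-Request from the "switch", has the "server" check the Message-Authenticator with the shared secret (RFC 2865 / RFC 3579), answers with Access-Accept or Access-Reject, and has the switch verify the Response Authenticator before deciding whether the port opens. The identity `host/pc01.corp.example`, the NAS address 10.0.0.2 and the secrets are constructed sample values; the EAP-TLS certificate check itself is not implemented and is stood in for by the `cert_valid` flag.

```python
"""RADIUS Access-Request / Access-Accept / Access-Reject between an 802.1X switch and IAS (RFC 2865, RFC 3579)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15          # wired 802.1X switch port
HEADER = struct.Struct("!BBH16s")    # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    attrs = []
    while data:
        t, l = data[0], data[1]
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs


def build_packet(code, ident, request_authenticator, attrs, secret):
    """Assemble a packet with Message-Authenticator; for responses also set the Response Authenticator.

    RFC 3579 3.2: the HMAC-MD5 is keyed with the shared secret over the packet with the
    Request Authenticator in the header and the Message-Authenticator value zeroed.
    """
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), request_authenticator) + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    pkt = pkt[:-16] + mac            # Message-Authenticator is the last attribute appended
    if code != ACCESS_REQUEST:
        # RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret), attributes now complete
        resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
        pkt = pkt[:4] + resp_auth + pkt[20:]
    return pkt


def verify_packet(pkt, secret, request_authenticator):
    """Return (code, ident, attrs) if authentic, else raise ValueError.

    For an Access-Request pass its own authenticator (pkt[4:20]); for a response pass the
    authenticator of the request it answers.
    """
    code, ident, length, authenticator = HEADER.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("length mismatch")
    attrs = decode_attrs(pkt[HEADER.size:])
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        raise ValueError("Message-Authenticator missing (required whenever EAP-Message is present)")
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, pkt[:4] + request_authenticator + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    if code != ACCESS_REQUEST:
        resp = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
        if not hmac.compare_digest(resp, authenticator):
            raise ValueError("bad Response Authenticator")
    return code, ident, attrs


def simulate_exchange(switch_secret, server_secret, cert_valid):
    """One port-authentication round trip. Returns (outcome, port_open)."""
    ident, req_auth = 7, os.urandom(16)
    identity = b"host/pc01.corp.example"                     # constructed sample identity
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity  # EAP Response/Identity
    request = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, identity),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),             # constructed switch address
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        (EAP_MESSAGE, eap_identity),
    ], switch_secret)
    # --- server (IAS) side: unknown RADIUS client / wrong secret is silently discarded ---
    try:
        _, rid, _ = verify_packet(request, server_secret, request[4:20])
    except ValueError:
        return "dropped", False
    # EAP-TLS would run here; cert_valid stands in for the certificate validation outcome.
    code = ACCESS_ACCEPT if cert_valid else ACCESS_REJECT
    eap_result = struct.pack("!BBH", 3 if cert_valid else 4, 1, 4)  # EAP Success / Failure
    response = build_packet(code, rid, request[4:20], [(EAP_MESSAGE, eap_result)], server_secret)
    # --- switch side: a response it cannot authenticate is treated as no response ---
    try:
        rcode, _, _ = verify_packet(response, switch_secret, req_auth)
    except ValueError:
        return "forged", False
    return ("accept" if rcode == ACCESS_ACCEPT else "reject"), rcode == ACCESS_ACCEPT


if __name__ == "__main__":
    print(simulate_exchange(b"s3cret", b"s3cret", True))    # ('accept', True)
    print(simulate_exchange(b"s3cret", b"s3cret", False))   # ('reject', False)
    print(simulate_exchange(b"s3cret", b"wrong", True))     # ('dropped', False)
```

The third case is the one that matters when adding a switch as a RADIUS client in IAS: if the shared secret on the switch does not match the one configured for that client, the server discards the request and the port never opens, even for a machine with a valid certificate.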