Newsgroup: comp.security.misc

#1  10-30-2006, 08:15 PM
michael.owen
802.1x machine authentication without directory

Hi all,

I've been looking into a small-scale 802.1x rollout, and have encountered
something of a problem. The systems on the network I'd be NAC-ing are XP
boxes which are members of an NT4 domain, with all users authenticated at the
domain level. (No local accounts are typically used.) I was hoping to use
machine authentication, but it seems as though most RADIUS servers only
support machine auth when they have a directory (typically AD) to confirm the
membership of the supplicants. (This certainly appears to be the case with ACS,
and Steel-Belted radius as well, from what I can tell from the documentation.)

Obviously, I don't have an AD for these systems, despite having a PKI. (Possibly
an unusual situation.) Does anyone know of a RADIUS server or NAC product that
will support machine authentication without a domain to refer to? I see the
benefits of the directory query, but it's just not an option for this particular
situation.

(I'm more than happy to look at solutions outside the windows 802.1x support if
they work!)

Cheers for any advice,
Michael


#2  10-30-2006, 09:36 PM
Todd H.
Re: 802.1x machine authentication without directory

michael.owen <michael.owen@hushmail.com> writes:
> Hi all,
>
> I've been looking into a small-scale 802.1x rollout, and have encountered
> something of a problem. The systems on the network I'd be NAC-ing are XP
> boxes which are members of an NT4 domain, with all users authenticated at the
> domain level. (No local accounts are typically used.) I was hoping to use
> machine authentication, but it seems as though most RADIUS servers only
> support machine auth when they have a directory (typically AD) to confirm the
> membership of the supplicants. (This certainly appears to be the case with ACS,
> and Steel-Belted radius as well, from what I can tell from the documentation.)
>
> Obviously, I don't have an AD for these systems, despite having a PKI. (Possibly
> an unusual situation.) Does anyone know of a RADIUS server or NAC product that
> will support machine authentication without a domain to refer to? I see the
> benefits of the directory query, but it's just not an option for this particular
> situation.
>
> (I'm more than happy to look at solutions outside the windows 802.1x support if
> they work!)
>
> Cheers for any advice,
> Michael


If I have this straight, your only central username/password is via an
NT4 domain controller? And you'd like users to be able to use those
credentials to auth to your wireless network?

Just trying to make sure we understand what you have to auth against.

--
Todd H.
http://www.toddh.net/

#3  10-31-2006, 12:53 AM
MC
Re: 802.1x machine authentication without directory

Hi Michael,

If I understand what you are trying to do correctly, you're running into
the problem that a lot of radius servers and IAS don't work on an NT4
domain.

A tip I found earlier: Funk Software's Odyssee Server is great and
simple for WLAN only use (RADIUS). Can authenticate against an NT4
domain specifically.

Another option (but I have not tried it myself, nor looked into it
in-depth) seems to be that you could plug samba 2.x in your domain with
a win2k client machine to provide the translation of NT4 domain
authentication to LDAP (which can then be used for the RADIUS). At the
very least this sounds rather tricky to set up but might be an option if
nothing else works.

HTH

MC


michael.owen wrote:
> Hi all,
>
> I've been looking into a small-scale 802.1x rollout, and have encountered
> something of a problem. The systems on the network I'd be NAC-ing are XP
> boxes which are members of an NT4 domain, with all users authenticated at the
> domain level. (No local accounts are typically used.) I was hoping to use
> machine authentication, but it seems as though most RADIUS servers only
> support machine auth when they have a directory (typically AD) to confirm the
> membership of the supplicants.

#4  10-31-2006, 08:35 AM
Michael Owen
Re: 802.1x machine authentication without directory

On Mon, 30 Oct 2006 22:36:04 +0000, Todd H. wrote
(in article <84fyd55t4b.fsf@ripco.com>):

> michael.owen <michael.owen@hushmail.com> writes:
>> Hi all,
>>

<cut down my original post>
>>
>> Cheers for any advice,
>> Michael

>
> If I have this straight, your only central username/password via an
> NT4 domain controller? And you'd like users to be able use those
> credentials to auth to your wireless network?
>
> Just trying to make sure we understand what you have to auth against.


No worries, I wasn't entirely clear. Here's what I'm trying to do, in its
entirety:

I'm trying to implement NAC on a wired network using EAP-TLS. I have a PKI,
and things on that front are working fine. If I stick with standard
user-based 802.1x authentication (using user certs, 802.1x'ing after login)
things are fine. That said, user auth doesn't really work in our model,
thanks to the lack of local accounts. We need access to the network for user
logins, and the user login can't happen before 802.1x auth. So, we looked at
machine authentication.

Unfortunately, using "machine authentication" is not so simple. It appears
that the Cisco ACS server I am using as my authentication server only
supports machine authentication if it has an AD to talk to. From what I can
tell, it's taking the machine name and machine password from the XP client
(supplicant) and performing secondary validation through that. It doesn't
want to talk to my NT domain.

What I'm trying to find is an authentication server (assumably a RADIUS
server) which can perform the basics of the cert validation in EAP-TLS, and
then either rely on a local user store for the additional windows
credentials, or just plain ignore them.

Hope that post made more sense - I was so knackered last night I could barely
see straight. =P

Here's the only comment from Cisco I've found:
http://www.informit.com/articles/art...&seqNum=3&rl=1

Cheers,
Mike
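The two-step model Mike describes (let EAP-TLS validate the supplicant's certificate against the PKI, then authorize from a local store instead of a directory) can be exercised end to end with nothing but openssl. The script below is an added illustration, not code from the thread or from any of the products mentioned: it builds a throwaway CA, issues two machine certificates, forges a self-signed certificate with a matching name from outside the PKI, and then runs an `authorize_machine` check that first verifies the chain and only then looks the certificate CN up in a local allow-list file. Every CA name, host name and file name is constructed for the demo.

```shell
#!/bin/sh
# Added illustration: EAP-TLS-style machine authorization with no directory.
# Step 1 validates the supplicant certificate against the PKI's CA (what the
# EAP-TLS handshake itself establishes); step 2 replaces the AD membership
# query with a lookup in a local allow-list keyed on the certificate CN.
# All names, files and CNs here are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Constructed PKI: a throwaway CA and two machine certificates ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Machine CA" -keyout ca.key -out ca.pem >/dev/null 2>&1

issue_machine_cert() {   # $1 = machine CN, $2 = output basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out "$2.pem" >/dev/null 2>&1
}
issue_machine_cert "wks01.example.test" wks01
issue_machine_cert "wks02.example.test" wks02

# A self-signed certificate from outside the PKI that reuses an allowed CN:
# the name alone must never be enough to get on the network.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=wks01.example.test" -keyout rogue.key -out rogue.pem >/dev/null 2>&1

# --- Local authorization store: the only "directory" this setup has ---
cat > allowed-machines.txt <<EOF
wks01.example.test
EOF

# authorize_machine CERT -> returns 0 (accept) or 1 (reject)
authorize_machine() {
  cert="$1"
  # Step 1: chain validation against the PKI CA
  if ! openssl verify -CAfile ca.pem "$cert" >/dev/null 2>&1; then
    echo "reject: $cert does not chain to the CA"
    return 1
  fi
  # Step 2: local authorization by CN, standing in for the AD membership check
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  if grep -qxF "$cn" allowed-machines.txt; then
    echo "accept: $cn"
    return 0
  fi
  echo "reject: $cn is not in the local allow-list"
  return 1
}

# Demo run: a listed machine, a valid-but-unlisted machine, and the rogue cert
for c in wks01.pem wks02.pem rogue.pem; do
  authorize_machine "$c" || true
done
```

The order of the two checks is the whole point: the allow-list is consulted only for a certificate that already chains to the CA, so the rogue certificate is rejected at step 1 even though its CN is on the list, and wks02 is rejected at step 2 because issuance by the PKI is treated as authentication, not authorization.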
#5  10-31-2006, 08:38 AM
Michael Owen
Re: 802.1x machine authentication without directory

On Tue, 31 Oct 2006 01:53:58 +0000, MC wrote
(in article <4546acb7$0$753$5fc3050@dreader2.news.tiscali.nl>):

> Hi Michael,
>
> If I understand what you are trying to do correctly, you're running into
> the problem that a lot of radius servers and IAS don't work on an NT4
> domain.
>
> A tip I found earlier: Funk Software's Odyssee Server is great and
> simple for WLAN only use (RADIUS). Can authenticate against an NT4
> domain specifically.
>
> An other option (but I have not tried it myself, nor looked into it
> in-depth) seems to be that you could plug samba 2.x in your domain with
> a win2k client machine to provide the translation of NT4 domain
> authentication to LDAP (which can then be used for the RADIUS). At the
> very least this sounds rather tricky to set up but might be an option if
> nothing else works.
>
> HTH
>
> MC


Thanks for mentioning the Odysee Server, I'll have a look at it - does it
rely on using Steel-Belted RADIUS as an authentication server? I was poking
through the docs for Steel-Belted, and got the impression it still relied on
the presence of an AD for machine-auth use with Windows XP clients.

Cheers,
Mike
#6  10-31-2006, 10:35 AM
MC
Re: 802.1x machine authentication without directory

Michael Owen wrote:
> Thanks for mentioning the Odysee Server, I'll have a look at it - does it
> rely on using Steel-Belted RADIUS as an authentication server? I was poking
> through the docs for Steel-Belted, and got the impression it still relied on
> the presence of an AD for machine-auth use with Windows XP clients.


It uses a proprietary server component that can natively authenticate to
windows 2000 and NT domain databases. Next to that it can be set up with
Steel-Belted radius to authenticate against a whole range of other
things (SQL/LDAP, TACACS+, etc).

I think the following URL will answer most of your questions:

http://www.dst.com.sg/p_funk_ds_odys_sc.html


MC.

All times are GMT.