Authentication forwarding to Active Directory
Eric J. 2005-04-11, 7:52 am

Hi,
I've got the following problem. If an 802.1x user tries to authenticate
via EAP-TLS, the IAS asks the Active Directory if the computer account
exists and continues to perform the dot1x authentication if there is
this account in AD. That works properly if the certificates are ok and
the computer account exists.
But I also want to use my IAS as a Radius Server for device
authentication. For that I want to set up an administrator account on
the server. With that account I wanna perform a radius authentication
to log on to my switch.
But that doesn't work. Obviously the Radius Server looks into the AD
if the device account exists. But the account is not in the AD but
directly on the server. Is there a way to avoid this?
The only thing I found out is that I could put the servername in front
of the username at logon like this:
Username: Servername\Username
Password: ***************
But that's not really what I am searching for. Does anyone have experience
with that sort of authentication?
Thanks in advance
Eric

Thomas K 2005-04-13, 5:59 pm

Hey there,
If a user tries to authenticate using 802.1x, IAS will look in AD for a user
account, not a computer account.
If you want to authenticate telnet/ssh connections to your cisco (or other)
network devices (switches & routers) using RADIUS, that is also possible
using IAS.
Is that what you're looking for?
Cheers,
/T
"Eric J." <bt_hirosaito@gmx.de> wrote in message
news:74f401d2.0504110341.189813cf@posting.google.com...

Eric J. 2005-04-20, 7:48 am

hi,
thanks for the answer.
but the IAS will also look for the computer account cause we are doing
a computer authentication and not a user authentication.
but my problem is I don't want to set the account for the radius
authentication on our switches into the active directory. too many
people can have a look at the AD and it's a risk if the AD won't be
available.
so I would like to set up a local account on the server. but how can I
make sure that the IAS won't look at the AD but at its own local
accounts?
I don't wanna write the servername in front of the account name all
the time like I described above.
hope anyone can help me
Thanks
Eric
"Thomas K" <thomas@kuborn.be> wrote in message news:<425d6b80$0$44088$5fc3050@dreader2.news.tiscali.nl>...

Thomas K 2005-04-20, 5:51 pm

Could you please elaborate on the security risk you perceive?
In order for IAS to query its "local SAM database" instead of AD, IAS has to
be installed on a server which is not a member server in Active Directory.
For authenticating user telnet sessions to switches, I think it could work.
However, for authenticating computer eap-tls sessions to switches, I think
it won't work.
/T
"Eric J." <bt_hirosaito@gmx.de> wrote in message
news:74f401d2.0504200147.d12662d@posting.google.com...

Eric J. 2005-04-21, 7:52 am

mmhh, that's really a problem. cause our IAS has to be a member server
for the Dot1x machine authentication.
usually we would use 2 radius servers. one for the dot1x authentication
and one for the radius authentication of the components.
but we still have some old CatOS switches. and there we got the
problem that these switches obviously can't handle these two servers.
the switch doesn't know which requests it has to send to which
server.
and we solved this problem by only using 1 server and sending all
requests (radius and dot1x) to this single one.
in IOS we configured aaa groups. one for radius and one for dot1x.
this works fine. but I didn't find such a solution for the CatOS
switches.
or is there another way to manage this CatOS problem?
and btw we only got 2948 XL with CatOS.
Thanks in advance
Eric
"Thomas K" <thomas@kuborn.be> wrote in message news:<4266694f$0$44108$5fc3050@dreader2.news.tiscali.nl>...

Thomas K 2005-04-21, 7:52 am

Indeed, radius groups are not available on catos.
You could however use proxy-radius on IAS to match user authentication
requests (for telnet) & proxy them to another radius.
/T
"Eric J." <bt_hirosaito@gmx.de> wrote in message
news:74f401d2.0504210145.4a77074e@posting.google.com...

Eric J. 2005-04-22, 2:53 am

we just thought about using proxy-radius. but at the moment we try to
set up loadbalancing with a cisco CSM-Module.
and both the proxy-radius and the loadbalancer will be a little too
expensive.
but thanks for your help.
greetz Eric
"Thomas K" <thomas@kuborn.be> wrote in message news:<d481r7$13k$1@pop-news.nl.colt.net>...