Guest Curt McNamee, Posted May 6, 2008

I'm trying to set up a NAT router that uses RADIUS authentication to determine which packets should be passed from the internal network out to the internet. I have tried to do this with RRAS without luck; I get the feeling the NAT implementation there doesn't have any form of authentication. I've also tried using ISA, but that requires a special piece of software to be installed on each client. I'm trying to just use the currently-logged-in user's credentials as the authentication token sent to my RADIUS server.

Does anyone know of a way to accomplish this?
Guest Ace Fekay [MVP], Posted May 6, 2008

Re: NAT Router restricted by RADIUS

In news:647DA709-E60B-4A54-A2BD-BF3E83424CEE@microsoft.com, Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> I'm trying to set up a NAT router that uses RADIUS authentication to determine which packets should be passed from the internal network out to the internet. I have tried to do this with RRAS without luck; I get the feeling the NAT implementation there doesn't have any form of authentication. I've also tried using ISA, but that requires a special piece of software to be installed on each client. I'm trying to just use the currently-logged-in user's credentials as the authentication token sent to my RADIUS server.
>
> Does anyone know of a way to accomplish this?

NAT is just a layer 4 function, that is, it just translates packets. I don't think you can get RRAS to do what you're asking. Unfortunately you'll need a device/utility such as what ISA is capable of, along with the firewall client installed, which you've already tested.

For it to examine each packet, then make a decision on how to handle each packet based on rules, packet types, authentication, etc., requires a gateway device, such as ISA, Checkpoint, etc. ISA can also be used for web control only and act as a secure NAT. This way websites are controllable, but not other types of network traffic. The firewall client and ISA being in Firewall mode (if I remember the setting correctly) will do both.

ISA is also an AD-enabled application, which gives it the ability to control access by groups or single user accounts. I don't think others are capable of this feature, other than possibly user logon to a Checkpoint, or similar, to gain access, which I'm not even sure is possible, possibly with a browser-based method, but that leads back to a proxy server, such as ISA and other 3rd party proxies.
--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
Guest Curt McNamee, Posted May 6, 2008

Re: NAT Router restricted by RADIUS

"Ace Fekay [MVP]" wrote:

> NAT is just a layer 4 function, that is, it just translates packets. I don't think you can get RRAS to do what you're asking. Unfortunately you'll need a device/utility such as what ISA is capable of, along with the firewall client installed, which you've already tested.
>
> For it to examine each packet, then make a decision on how to handle each packet based on rules, packet types, authentication, etc., requires a gateway device, such as ISA, Checkpoint, etc. ISA can also be used for web control only and act as a secure NAT. This way websites are controllable, but not other types of network traffic. The firewall client and ISA being in Firewall mode (if I remember the setting correctly) will do both.
>
> ISA is also an AD-enabled application, which gives it the ability to control access by groups or single user accounts. I don't think others are capable of this feature, other than possibly user logon to a Checkpoint, or similar, to gain access, which I'm not even sure is possible, possibly with a browser-based method, but that leads back to a proxy server, such as ISA and other 3rd party proxies.

Thanks for the answer. I was hoping RRAS could do this, but I wasn't holding my breath.

I've been playing with some captive portal packages which just require everyone to authenticate; getting those to authenticate against AD was tricky at first, but they do work very well. I'm wanting a hybrid solution that will check the credentials of the current user on the Windows client, compare them against an ACL, and allow them through or challenge those that don't meet the ACL requirements. I can do this with ISA, but I need to accomplish it without having to install an ISA-specific firewall client on each client to pass credentials to the ISA server.

I've set up PPTP & L2TP VPN connections that will pass (using PEAP) the currently-logged-in user's credentials to the VPN server for approval/denial; however, finding an existing product to do this for ethernet-based traffic instead of VPN-based traffic is proving to be very difficult.

Thanks again for the help.
Guest Ace Fekay [MVP], Posted May 6, 2008

Re: NAT Router restricted by RADIUS

In news:D4EFF139-4827-4C1A-ACEE-02648A23F821@microsoft.com, Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> Thanks for the answer. I was hoping RRAS could do this, but I wasn't holding my breath.
>
> I've been playing with some captive portal packages which just require everyone to authenticate; getting those to authenticate against AD was tricky at first, but they do work very well. I'm wanting a hybrid solution that will check the credentials of the current user on the Windows client, compare them against an ACL, and allow them through or challenge those that don't meet the ACL requirements. I can do this with ISA, but I need to accomplish it without having to install an ISA-specific firewall client on each client to pass credentials to the ISA server.
>
> I've set up PPTP & L2TP VPN connections that will pass (using PEAP) the currently-logged-in user's credentials to the VPN server for approval/denial; however, finding an existing product to do this for ethernet-based traffic instead of VPN-based traffic is proving to be very difficult.
>
> Thanks again for the help.

You are welcome.

I think you realize you are fighting an uphill battle. ISA will do this. You don't need the firewall client if you just want to control web traffic. You can block everything else in this scenario too, unless you need to control non-web traffic as well.

Ace
Guest Curt McNamee, Posted May 6, 2008

Re: NAT Router restricted by RADIUS

"Ace Fekay [MVP]" wrote:

> You are welcome.
>
> I think you realize you are fighting an uphill battle. ISA will do this. You don't need the firewall client if you just want to control web traffic. You can block everything else in this scenario too, unless you need to control non-web traffic as well.
>
> Ace

Uphill battles are my specialty :-) I need to control the flow of all traffic.

Thanks again!
Guest Ace Fekay [MVP], Posted May 7, 2008

Re: NAT Router restricted by RADIUS

In news:F95C8E8E-0EE3-4799-B5BC-F08A8E2E8BA2@microsoft.com, Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> Uphill battles are my specialty :-) I need to control the flow of all traffic.
>
> Thanks again!

My pleasure. I am curious, so please let me know what solution you will go with.

Ace
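The thread never spells out what the gateway and the RADIUS server actually exchange, so here is an added example (not code from the thread, from RRAS, ISA or any other product named in it) of the two-sided design Curt describes: the gateway sends the user's credentials to RADIUS in an Access-Request, checks the Response Authenticator on the reply before trusting it, and then applies a per-user egress rule taken from the Filter-Id attribute in the Access-Accept. The packet layout, the User-Password hiding and the Response Authenticator computation follow RFC 2865; the user database, shared secret, policies, addresses and the in-process "server" are all constructed for the example.

```python
"""Added example: minimal RFC 2865 RADIUS exchange plus a per-user egress check.
Users, passwords, secret, policies and addresses below are constructed."""
import hashlib
import secrets
import struct
from ipaddress import ip_address, ip_network

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Constructed user database: username -> (password, Filter-Id returned on Accept)
USER_DB = {"curt": (b"correct horse", "internet-full"), "guest": (b"guest", "web-only")}
# Constructed egress policies keyed by Filter-Id: (destination network, port or None = any)
POLICIES = {
    "internet-full": [(ip_network("0.0.0.0/0"), None)],
    "web-only": [(ip_network("0.0.0.0/0"), 80), (ip_network("0.0.0.0/0"), 443)],
}


def _encode_attrs(attrs):
    # Attribute = Type(1) | Length(1, counts the 2 header bytes) | Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(blob):
    attrs, i = [], 0
    while i + 2 <= len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def _password_xor(data, secret, req_auth, decrypt):
    # RFC 2865 s.5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block),
    # the first block chained on the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, req_auth):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _password_xor(padded, secret, req_auth, decrypt=False)


def reveal_password(hidden, secret, req_auth):
    return _password_xor(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, ident=1):
    req_auth = secrets.token_bytes(16)  # fresh Request Authenticator for every request
    body = _encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, ip_address(nas_ip).packed),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth


def radius_server(request, secret):
    """Constructed stand-in for the RADIUS server: verifies the password, answers."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(_decode_attrs(request[20:length]))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    entry = USER_DB.get(attrs[USER_NAME].decode(errors="replace"))
    given = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    if entry and secrets.compare_digest(entry[0], given):
        code, out = ACCESS_ACCEPT, _encode_attrs([(FILTER_ID, entry[1].encode())])
    else:
        code, out = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(out))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + out + secret).digest()
    return header + resp_auth + out


def response_is_authentic(response, req_auth, secret):
    """Gateway-side check: a reply whose authenticator does not verify is discarded."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return secrets.compare_digest(expected, resp_auth)


def decide_egress(username, password, secret, dst_ip, dst_port, nas_ip="10.0.0.1"):
    """Authenticate the user via RADIUS, then apply the returned policy to one flow."""
    request, req_auth = build_access_request(username, password, secret, nas_ip)
    response = radius_server(request, secret)  # would be UDP/1812 in a real deployment
    if not response_is_authentic(response, req_auth, secret) or response[0] != ACCESS_ACCEPT:
        return False  # unverifiable or rejected replies never open the gateway
    filter_id = dict(_decode_attrs(response[20:])).get(FILTER_ID, b"").decode()
    return any(ip_address(dst_ip) in net and port in (None, dst_port)
               for net, port in POLICIES.get(filter_id, []))


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    print(decide_egress("curt", "correct horse", SECRET, "203.0.113.5", 22))   # True
    print(decide_egress("guest", "guest", SECRET, "203.0.113.5", 22))          # False
```

Two design points worth noting. The gateway only acts on an Access-Accept after `response_is_authentic` passes, so a forged reply that merely flips the Code byte from Reject to Accept is dropped; that check is what ties the authorization decision to the shared secret. And the User-Password hiding shown here is the plain RFC 2865 MD5 scheme, which is why Curt's remark about PEAP matters: carrying the credential inside an EAP method rather than as a User-Password attribute is the stronger way to move a logged-in user's credentials across the wire.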