NAT Router restricted by RADIUS

[Guest Curt McNamee]

I'm trying to setup a NAT router that uses RADIUS authentication to determine

which packets should be passed from the internal network out to the internet.

I have tried to do this with RRAS without luck, I get the feeling the NAT

implementation there doesn't any form of authentication. I've also tried

using ISA but that requires a special piece of software to be installed on

each client. I'm trying to just use the currently-logged-in user's

credientials as the authentication token sent to my RADIUS server.

 

Does anyone know of a way to accomplish this?

[Guest Ace Fekay [MVP]]

Re: NAT Router restricted by RADIUS

 

In news:647DA709-E60B-4A54-A2BD-BF3E83424CEE@microsoft.com,

Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> I'm trying to setup a NAT router that uses RADIUS authentication to

> determine which packets should be passed from the internal network

> out to the internet. I have tried to do this with RRAS without luck,

> I get the feeling the NAT implementation there doesn't any form of

> authentication. I've also tried using ISA but that requires a

> special piece of software to be installed on each client. I'm trying

> to just use the currently-logged-in user's credientials as the

> authentication token sent to my RADIUS server.

>

> Does anyone know of a way to accomplish this?

 

NAT is just a layer 4 function, that is it just translates packets. I don't

think you can get RRAS to do what you're asking. Unfortunately you'll need a

device/utility such as what ISA is capable of along with the firewall client

installed, which you've already tested.

 

For it to examine each packet, then make a decsion on how to handle each

packet based on rules, packet types, authentication, etc, requires a gateway

device, such as ISA, Checkpoint, etc. ISA can also be used for web control

only and act as a secure NAT. This way websites are controllable, but not

other type of network traffic. The firewall client and ISA being in Firewall

mode (if I remember the setting correctly), will do both.

 

ISA is also an AD-enabled application, which gives it the ability to control

access by groups or single user accounts. I don't think others are capable

of this feature other than possibly user logon to a Checkpoint, or similar,

to gain access, which I'm not even sure if this is possible, possibly with a

browser-based method, but that leads back to a Proxy server, such as ISA and

other 3rd party Proxies.

 

 

--

Regards,

Ace

 

This posting is provided "AS-IS" with no warranties or guarantees and

confers no rights.

 

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

MVP Microsoft MVP - Directory Services

Microsoft Certified Trainer

 

For urgent issues, you may want to contact Microsoft PSS directly. Please

check http://support.microsoft.com for regional support phone numbers.

 

Infinite Diversities in Infinite Combinations

[Guest Curt McNamee]

Re: NAT Router restricted by RADIUS

 

 

 

"Ace Fekay [MVP]" wrote:

> In news:647DA709-E60B-4A54-A2BD-BF3E83424CEE@microsoft.com,

> Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> > I'm trying to setup a NAT router that uses RADIUS authentication to

> > determine which packets should be passed from the internal network

> > out to the internet. I have tried to do this with RRAS without luck,

> > I get the feeling the NAT implementation there doesn't any form of

> > authentication. I've also tried using ISA but that requires a

> > special piece of software to be installed on each client. I'm trying

> > to just use the currently-logged-in user's credientials as the

> > authentication token sent to my RADIUS server.

> >

> > Does anyone know of a way to accomplish this?

>

> NAT is just a layer 4 function, that is it just translates packets. I don't

> think you can get RRAS to do what you're asking. Unfortunately you'll need a

> device/utility such as what ISA is capable of along with the firewall client

> installed, which you've already tested.

>

> For it to examine each packet, then make a decsion on how to handle each

> packet based on rules, packet types, authentication, etc, requires a gateway

> device, such as ISA, Checkpoint, etc. ISA can also be used for web control

> only and act as a secure NAT. This way websites are controllable, but not

> other type of network traffic. The firewall client and ISA being in Firewall

> mode (if I remember the setting correctly), will do both.

>

> ISA is also an AD-enabled application, which gives it the ability to control

> access by groups or single user accounts. I don't think others are capable

> of this feature other than possibly user logon to a Checkpoint, or similar,

> to gain access, which I'm not even sure if this is possible, possibly with a

> browser-based method, but that leads back to a Proxy server, such as ISA and

> other 3rd party Proxies.

>

>

> --

> Regards,

> Ace

>

> This posting is provided "AS-IS" with no warranties or guarantees and

> confers no rights.

>

> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

> MVP Microsoft MVP - Directory Services

> Microsoft Certified Trainer

>

> For urgent issues, you may want to contact Microsoft PSS directly. Please

> check http://support.microsoft.com for regional support phone numbers.

>

> Infinite Diversities in Infinite Combinations

>

>

 

Thanks for the answer I was hoping RRAS could do this, but I wasn't holding

my breath.

 

I've been playing with some captive portal packages which just require

everyone to authenticate, getting those to authenticate against AD was tricky

at first but they do work very well. I'm wanting a hybrid solution that will

check the credentials of the current user on the windows client, compare them

against an ACL, and allow them through or challenge those that don't meet the

ACL requirements. I can do with ISA but I need to accomplish this without

having to install an ISA specific firewall client for each client to pass

credentials to the ISA server.

 

I've setup PTPP & L2TP VPN connections that will pass (using PEAP) the

currently-logged-in-user's credentials to the VPN server for approval/denial,

however finding an existing product to do this for ethernet-based traffic

instead of VPN-based traffic is proving to be very difficult.

 

Thanks again for the help.

[Guest Ace Fekay [MVP]]

Re: NAT Router restricted by RADIUS

 

In news:D4EFF139-4827-4C1A-ACEE-02648A23F821@microsoft.com,

Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> Thanks for the answer I was hoping RRAS could do this, but I wasn't

> holding my breath.

>

> I've been playing with some captive portal packages which just require

> everyone to authenticate, getting those to authenticate against AD

> was tricky at first but they do work very well. I'm wanting a hybrid

> solution that will check the credentials of the current user on the

> windows client, compare them against an ACL, and allow them through

> or challenge those that don't meet the ACL requirements. I can do

> with ISA but I need to accomplish this without having to install an

> ISA specific firewall client for each client to pass credentials to

> the ISA server.

>

> I've setup PTPP & L2TP VPN connections that will pass (using PEAP) the

> currently-logged-in-user's credentials to the VPN server for

> approval/denial, however finding an existing product to do this for

> ethernet-based traffic instead of VPN-based traffic is proving to be

> very difficult.

>

> Thanks again for the help.

 

You are welcome.

 

I think you realize you are fighting an uphill battle. ISA will do this. You

don't need the firewall client if you just want to control web traffic. You

can block everything else in this scenario to, unless you need to control

non-web traffic as well.

 

Ace

[Guest Curt McNamee]

Re: NAT Router restricted by RADIUS

 

 

 

"Ace Fekay [MVP]" wrote:

> In news:D4EFF139-4827-4C1A-ACEE-02648A23F821@microsoft.com,

> Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

>

> > Thanks for the answer I was hoping RRAS could do this, but I wasn't

> > holding my breath.

> >

> > I've been playing with some captive portal packages which just require

> > everyone to authenticate, getting those to authenticate against AD

> > was tricky at first but they do work very well. I'm wanting a hybrid

> > solution that will check the credentials of the current user on the

> > windows client, compare them against an ACL, and allow them through

> > or challenge those that don't meet the ACL requirements. I can do

> > with ISA but I need to accomplish this without having to install an

> > ISA specific firewall client for each client to pass credentials to

> > the ISA server.

> >

> > I've setup PTPP & L2TP VPN connections that will pass (using PEAP) the

> > currently-logged-in-user's credentials to the VPN server for

> > approval/denial, however finding an existing product to do this for

> > ethernet-based traffic instead of VPN-based traffic is proving to be

> > very difficult.

> >

> > Thanks again for the help.

>

> You are welcome.

>

> I think you realize you are fighting an uphill battle. ISA will do this. You

> don't need the firewall client if you just want to control web traffic. You

> can block everything else in this scenario to, unless you need to control

> non-web traffic as well.

>

> Ace

>

>

>

 

Uphill battles are my specialty :-) I need to control the flow of all

traffic.

 

Thanks again!

[Guest Ace Fekay [MVP]]

Re: NAT Router restricted by RADIUS

 

In news:F95C8E8E-0EE3-4799-B5BC-F08A8E2E8BA2@microsoft.com,

Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> Uphill battles are my specialty :-) I need to control the flow of all

> traffic.

>

> Thanks again!

 

My pleasure. I am curious, so please let me know what solution you will go

with.

 

Ace