hi @ all, is it possible to do following: my wireless-clients will authenticate through a ciscoAP. the client will be routed automatically to the chillispot login page. on the same server is freeradius installed. Freeradius looks in the ActiveDirectory if the user exists and has the rights to connect to the internet. if the authentication is ok, the user must surf over a ISA because there is installed websense. we have a windows domain and so we use a secure ntlm authentication. is it possible to have a transparent authentication through the isa-server. i mean if the client is in the condition that he can send the ntlm authentication, that he doestn't have to authenticate twice times. one time on the chillispot and the second on the isa server. is there any possibilty? my network, all cisco network devices (aironet 1424, catalyst 3750) (( )) wireless-clients (( )) AP - - - - - [routed network/VLANS]- - - - - freeradius/chillispot (( )) | | | | | ActiveDirectory/LDAP | ISA/Websense [ntlm authentation required] | | Firewall | Router | Internet thx
Konne <bridge_stone@gmx.net> wrote:
Freeradius looks in the ActiveDirectory if the user exists and has the rights to connect to the internet. if the authentication is ok, the user must surf over a ISA because there is installed websense.
That's not helpful. You're saying that even though you know only authenticated users access your net, you still make them authenticate again?
is it possible to have a transparent authentication through the isa-server. i mean if the client is in the condition that he can send the ntlm authentication, that he doestn't have to authenticate twice times. one time on the chillispot and the second on the isa server. is there any possibilty?
The only way to do that is if the RADIUS server can tell the isa that the user is OK, and they don't have to be authenticated. See the isa docs for if this is possible, and if possible, how. Then write a script on FreeRADIUS to send the information isa needs. In general, what you want to do is difficult, because most people don't do it. And most people don't do it because authenticating people twice is pointless/ Alan DeKok.
hi yes i know they have to authenticate two times. but in my case its not so easy. we have more than 400 pc connected to the domain (wired), so they will be authenticated transparently through the ISA. then a lot they arent in the domain (also wired). they are only authenticating against the ISA because they need only to surf the internet. now we need accesspoints. what would be the best way. we need also some filtering service (websense) which is installed on the ISA. so the new clients (wireless) have to surf through the ISA. so it isnt possible to omit the ISA authentication. i would omit the chilli authentication. whats the best and secure way to authenticate my wirelessclients. they will be MacOS, *nix, Windows2000/XP EAP-TTLS/mschapv2 ??? if its too difficult i would leave out the ISA, so the would authenticate only against the AD. thx Alan DeKok schrieb:
Konne <bridge_stone@gmx.net> wrote:
Freeradius looks in the ActiveDirectory if the user exists and has the rights to connect to the internet. if the authentication is ok, the user must surf over a ISA because there is installed websense.
That's not helpful. You're saying that even though you know only authenticated users access your net, you still make them authenticate again?
is it possible to have a transparent authentication through the isa-server. i mean if the client is in the condition that he can send the ntlm authentication, that he doestn't have to authenticate twice times. one time on the chillispot and the second on the isa server. is there any possibilty?
The only way to do that is if the RADIUS server can tell the isa that the user is OK, and they don't have to be authenticated. See the isa docs for if this is possible, and if possible, how. Then write a script on FreeRADIUS to send the information isa needs.
In general, what you want to do is difficult, because most people don't do it. And most people don't do it because authenticating people twice is pointless/
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Konne