Re: 802.1x machine authentication without directory



On Mon, 30 Oct 2006 22:36:04 +0000, Todd H. wrote
(in article <84fyd55t4b.fsf@xxxxxxxxx>):

michael.owen <michael.owen@xxxxxxxxxxxx> writes:
Hi all,

<cut down my original post>

Cheers for any advice,
Michael

If I have this straight, you're only central username/password is via an
NT4 domain controller? And you'd like users to be able to use those
credentials to auth to your wireless network?

Just trying to make sure we understand what you have to auth against.

No worries, I wasn't entirely clear. Here's what I'm trying to do, in its
entirety:

I'm trying to implement NAC on a wired network using EAP-TLS. I have a PKI,
and things on that front are working fine. If I stick with standard
user-based 802.1x authentication (using user certs, 802.1x'ing after login)
things are fine. That said, user auth doesn't really work in our model,
thanks to the lack of local accounts. We need access to the network for user
logins, and the user login can't happen before 802.1x auth. So, we looked at
machine authentication.

Unfortunately, using "machine authentication" is not so simple. It appears
that the Cisco ACS server I am using as my authentication server only
supports machine authentication if it has an AD to talk to. From what I can
tell, it's taking the machine name and machine password from the XP client
(supplicant) and performing secondary validation through that. It doesn't
want to talk to my NT domain.

What I'm trying to find is an authentication server (presumably a RADIUS
server) which can perform the basics of the cert validation in EAP-TLS, and
then either rely on a local user store for the additional Windows
credentials, or just plain ignore them.

Hope that post made more sense - I was so knackered last night I could barely
see straight. =P

Here's the only comment from Cisco I've found:
http://www.informit.com/articles/article.asp?p=653377&seqNum=3&rl=1

Cheers,
Mike
