RADIUS realms?

Rogue

Banned
Jan 28, 2000
I'm looking at doing a lot of RADIUS authentication on my network in the very near future, but I'm not sure I understand the whole realms concept.

My assumption thus far is that I can create a functional realm for different functions. My situation dictates that I should set up three realms:

1) Netadmin realm - this will authenticate the network admins for switch and router management through the CLI

2) VPN realm - this will authenticate all VPN users on my network against an Active Directory database

3) 802.1x realm - this will authenticate all physical ports on the network against an Active Directory database for users plugging into my network

So am I correct? Is a realm under RADIUS similar to an OU in AD where it has its own users, permissions, properties, etc?
 

Joemonkey

Diamond Member
Mar 3, 2001
Did you ever find your answers? RADIUS is hard for me to learn how to configure, and I would really like to set up what you have listed third. Wouldn't that require some settings on the switch as well?
 

Rogue

Banned
Jan 28, 2000
No, you're the only person that's responded in any way to me. I've managed to get RADIUS functioning using the Microsoft IAS service on a Windows 2003 server. My Cisco VPN clients authenticate against it; however, that has been a nightmare process to set up and understand in itself.

I have not managed to get the 802.1x to work though and that's my main goal with RADIUS in the enterprise.
 

Rogue

Banned
Jan 28, 2000
I got an answer today from an Infoblox engineer. Realms are not what I thought they were. Realms are used in the event of multiple domains and users in each domain needing separate access to the same devices. For example, if I were a web host and hosted multiple domains (abc.com and xyz.com), I would set up a realm for each domain and delegate user accounts and permissions per domain. So someone could log in as user@abc.com and have their permissions set separately from user@xyz.com for accessing the same device (server, VPN, etc.). It helped me to understand better.

Yes, I do already run IAS on a Win2k3 server for my VPN. In addition to my desire for network management, VPN authentication and wired port authentication, I would also like to tie into a PKI infrastructure as well at some point. Ideally, I would like to create a certificate for every machine on my network and authenticate using those if at all possible. Anyone have PKI experience as well?
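An added example in Python, not code from the thread or from IAS, showing the realm model the Infoblox engineer described: the RADIUS server splits User-Name into user and realm, sends the request to that realm's home server, and treats user@abc.com and user@xyz.com as two distinct identities with their own policy for the same device. abc.com and xyz.com come from the post; the server names, policy labels, default realm and the handling of the Windows "REALM\user" prefix form are assumptions.

```python
"""Constructed example of how a RADIUS server routes a request by realm.
abc.com and xyz.com are the thread's example domains; the server names,
policy labels and the default realm are invented for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    home_server: str  # RADIUS/AD server that holds this realm's accounts
    strip: bool       # forward "user" instead of "user@abc.com" to that server
    policy: str       # what a successful login in this realm may do on the device


REALMS = {
    "abc.com": Realm("radius.abc.com", strip=True, policy="abc-limited-shell"),
    "xyz.com": Realm("radius.xyz.com", strip=False, policy="xyz-full-admin"),
}
DEFAULT_REALM = "abc.com"  # applied when User-Name carries no realm at all


def split_nai(user_name: str) -> tuple:
    """Return (user, realm) from the RFC 4282 suffix form 'user@realm' or the
    Windows prefix form 'REALM\\user' that IAS accepts; realm is '' if absent."""
    user_name = user_name.strip()
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")  # the last '@' starts the realm
        return user, realm
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm
    return user_name, ""


def route(user_name: str, realms=REALMS, default=DEFAULT_REALM) -> dict:
    """Pick home server, forwarded name and policy for a User-Name.
    An unknown realm fails closed instead of being guessed, and the same local
    user name in two realms is two distinct identities (the thread's point)."""
    user, realm = split_nai(user_name)
    realm = (realm or default).lower()
    if not user or realm not in realms:
        raise ValueError(f"rejecting {user_name!r}: empty user or unknown realm")
    cfg = realms[realm]
    return {"realm": realm, "home_server": cfg.home_server, "policy": cfg.policy,
            "forward_as": user if cfg.strip else f"{user}@{realm}"}


if __name__ == "__main__":
    for name in ("user@abc.com", "user@xyz.com", "XYZ.COM\\user", "user"):
        print(f"{name:14} -> {route(name)}")
```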
 

Woodie

Platinum Member
Mar 27, 2001
Yes. Long, steep learning curve.

We use PKI for web-preauthentication (40,000+ users), in addition to using it for IPSEC VPN (~10,000 users) and SSL-VPN (~35,000 users) primary authentication.

The "What is a PKI?" lecture takes me about an hour to explain face-to-face...I don't have anywhere near the time to write it up. However, if you have specific questions, I'd be happy to give them a shot.
 

Rogue

Banned
Jan 28, 2000
Originally posted by: Woodie
Yes. Long, steep learning curve.

We use PKI for web-preauthentication (40,000+ users), in addition to using it for IPSEC VPN (~10,000 users) and SSL-VPN (~35,000 users) primary authentication.

The "What is a PKI?" lecture takes me about an hour to explain face-to-face...I don't have anywhere near the time to write it up. However, if you have specific questions, I'd be happy to give them a shot.

Here's my main question. I set up a CA on my network, which would most likely be a Windows server. Next, how do I publish or create a certificate for each computer on the network? Is it a matter of the CA parsing the AD for computer objects, creating a certificate for each and then what? How do you install/publish the certificate to each machine en masse? That may be a large question, but if you could even break the surface for me, I might catch on.
 

Woodie

Platinum Member
Mar 27, 2001
Sorry for the delay in responding...darn work interfering w/ my posting again. :(

Windows Certificate Authority (CA)...first off:
You must use an "enterprise" type CA, which means that the CA will tie in to the AD.
Enterprise CAs use "Certificate Templates" which are stored in the AD, and define all the attributes of the certificates to be issued. If you wish to change *any* of the parameters of a "cert template", you're going to need 2K3 Ent Edition for your CA.
In order to install the CA, you'll need Domain Admin or Ent Admin privileges. If you're going to install the CA in anything other than the root domain of your forest, let me know...there's a gotcha.

Second thing:
For a reasonably secure PKI (Public Key Infrastructure), you're going to create 2 CAs:
Root CA: Any OS, on a secured device, that is OFF the network. MS recommends a non-domain member laptop, stored in a safe/vault when not in use. I picked an old desktop, power it up about 3x per year, stored in a locked room. This can use merely W2K or 2K3 regular server (it's not an "enterprise"-type CA, so it doesn't need any networking.) All this CA does is sign the certs of the Subordinate CAs.
Subordinate CA: 2K3 (reg or ent ed), on a domain member server w/ IIS installed. Note: Once you install the CA on the server, you cannot change the domain membership or even the server name, for the lifetime of that CA (typically 10+ years)...so plan ahead! This CA will sign the certs you actually issue to all the devices/users on your network.
 

Woodie

Platinum Member
Mar 27, 2001
More...I think you're going to end up creating several CAs, as you go through the learning curve. If you have a test forest, do it there first!

Gotchas: Non-MS devices typically can't handle certs w/ keys longer than 2048. So, make sure none of your CAs have key lengths longer than 2048. DAMHIK. (think networking equipment)

Cert Enrollment:
Machine certs can be configured by GPO or by cert template ACLs. (There are Q articles that describe how to do this under 2K domains, and 2K3 should be easier.)
Default Domain GPO or Default Domain Controller GPO will trigger all your ADs to query the Ent CA for "Domain Controller" certificates...make sure you either: ACL the Domain Controller template so "Enterprise Domain Controllers" has NO access (not even read) or that the CA is configured (and ACLed) to issue and permit Ent DCs to "enroll" in Domain Controller certs.
Supposedly under 2K3, you can automate User cert enrollment, but we haven't done that yet. I'm trying to figure that out right now, using custom cert templates, and automated renewal w/ a combo of template configuration and GPOs. I'm not there yet! :(