CurtMcNamee
Mon May 05 22:18:00 PDT 2008
"Ace Fekay [MVP]" wrote:
> In news:647DA709-E60B-4A54-A2BD-BF3E83424CEE@microsoft.com,
> Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:
> > I'm trying to setup a NAT router that uses RADIUS authentication to
> > determine which packets should be passed from the internal network
> > out to the internet. I have tried to do this with RRAS without luck,
> > I get the feeling the NAT implementation there doesn't support any form of
> > authentication. I've also tried using ISA but that requires a
> > special piece of software to be installed on each client. I'm trying
> > to just use the currently-logged-in user's credentials as the
> > authentication token sent to my RADIUS server.
> >
> > Does anyone know of a way to accomplish this?
>
> NAT is just a layer 4 function; that is, it just translates packets. I don't
> think you can get RRAS to do what you're asking. Unfortunately you'll need a
> device/utility such as what ISA is capable of along with the firewall client
> installed, which you've already tested.
>
> For it to examine each packet, then make a decision on how to handle each
> packet based on rules, packet types, authentication, etc., requires a gateway
> device, such as ISA, Checkpoint, etc. ISA can also be used for web control
> only and act as a secure NAT. This way websites are controllable, but not
> other types of network traffic. The firewall client and ISA being in Firewall
> mode (if I remember the setting correctly) will do both.
>
> ISA is also an AD-enabled application, which gives it the ability to control
> access by groups or single user accounts. I don't think others are capable
> of this feature other than possibly user logon to a Checkpoint, or similar,
> to gain access, which I'm not even sure if this is possible, possibly with a
> browser-based method, but that leads back to a Proxy server, such as ISA and
> other 3rd party Proxies.
>
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations
>
>
Thanks for the answer. I was hoping RRAS could do this, but I wasn't holding
my breath.
I've been playing with some captive portal packages which just require
everyone to authenticate; getting those to authenticate against AD was tricky
at first but they do work very well. I'm wanting a hybrid solution that will
check the credentials of the current user on the Windows client, compare them
against an ACL, and allow them through or challenge those that don't meet the
ACL requirements. I can do this with ISA but I need to accomplish this without
having to install an ISA-specific firewall client on each client to pass
credentials to the ISA server.
I've setup PPTP & L2TP VPN connections that will pass (using PEAP) the
currently-logged-in user's credentials to the VPN server for approval/denial,
however finding an existing product to do this for ethernet-based traffic
instead of VPN-based traffic is proving to be very difficult.
Thanks again for the help.