Yes, you will need a CA for EAP. Ideally, you'd do a machine cert,
because machines are what you want to filter.
Are you providing hosted services to your clients, or what?
Yes, there are ISA appliances. There have been since 2004.
Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
------------------------------------------------------------------------
*From:* Dan DeStefano
*Sent:* Wed 11/15/2006 5:09 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
Cool, I will test that out, thanks.
I am not too familiar with using or configuring EAP – would this
solution require installing a CA on the network? Furthermore, would
these certificates be assigned to the machine, not the user?
No, I understand the difference between IAS and ISA. I just mentioned
ISA because you said that it might be a good idea to use it. For most
of our clients, a $1500 firewall solution is overkill. We are pretty
much standardized on the Netgear FVL328, which costs under $300,
provides 100 VPN tunnels for branch offices and is compact enough to
fit in most of our clients’ wiring closets (the term “closet” being
the operative word as most of our clients do not have or need a server
room). I would prefer a firewall appliance to one installed on a
server and most ISA appliances are on the expensive side and are
designed for rack-mounting.
I can’t remember where, but I vaguely remember reading that Microsoft
would be offering a light version of ISA2006 that can be used as an
embedded solution for small business networks such as those that I
manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I
am mistaken, but I will try to find out.
I will take your advice and wait for LH server instead of messing with
WS2k3 quarantine. I appreciate the recommendation.
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Akomolafe, Deji
*Sent:* Tuesday, November 14, 2006 12:32 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
You are right, Calling-Station-Identifier (in some cases) maps to the
telephone number. In an 802.1x scenario, though, it's usually the MAC,
but I have also seen it mapped to the client's IP address. I attribute
this to some vendors not reading the RFC or just opting to do it their
way. In our situation, MS maps it to the MAC.
I re-read your original message and I have another thought. Since
these are computers under your control, why not issue them
certificates and use EAP as your authentication filter?
Hope we are not mixing acronyms here, re: IAS vs. ISA.
IAS is the RADIUS server. Free with the OS.
ISA is the proxy/caching/firewall solution. $1,500.00 for Standard
edition, comes in a black box version, too. For what it does, ISA is
one of the cheapest solutions of its type in the market. I am not aware
of the "light" version you mentioned.
If you think NAP is complex, try your hands on 2K3 qtine. Also, you
can combine all the NAP roles on one server, you do not have to
separate them. The only strict requirement is that it be installed on
a LH server.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
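As an added example that is not part of the thread: the Python below parses the attribute section of a RADIUS Access-Request (RFC 2865 layout), classifies the Calling-Station-Id value as a MAC, an IP address or a phone number (the three mappings the reply above describes), and applies a constructed allow-list of approved machine MACs. The packet, user name, MAC and allow-list are constructed sample values; RADIUS attribute type 31 is Calling-Station-Id.

```python
import re
import struct
USER_NAME, CALLING_STATION_ID = 1, 31  # RFC 2865 attribute type numbers

def build_access_request(attrs: dict, ident: int = 1) -> bytes:
    """Constructed Access-Request (code 1) with a zero authenticator; test input only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet: bytes) -> dict:
    """Return {type: raw value} from a RADIUS packet (20-byte header, then TLV attributes)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # RFC 2865: attribute length is at least 2
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def classify_station_id(value: str) -> tuple:
    """Classify as ('mac', normalised), ('ip', v), ('phone', digits) or ('unknown', v)."""
    raw = value.strip()
    hexonly = re.sub(r"[:\-.]", "", raw).lower()
    # Twelve hex digits count as a MAC only with separators or hex letters, so a
    # 12-digit phone number is not mistaken for one.
    looks_mac = bool(re.search(r"[:\-.]", raw) or re.search(r"[a-f]", hexonly))
    if re.fullmatch(r"[0-9a-f]{12}", hexonly) and looks_mac:
        return "mac", ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", raw) and all(int(o) <= 255 for o in raw.split(".")):
        return "ip", raw
    digits = re.sub(r"[\s()+\-]", "", raw)
    if digits.isdigit():
        return "phone", digits
    return "unknown", raw

APPROVED_MACS = {"00:11:22:33:44:55"}  # constructed allow-list of managed laptops

def access_decision(packet: bytes, approved=APPROVED_MACS) -> str:
    """Allow-list check: accept only when Calling-Station-Id is an approved MAC."""
    sid = parse_attributes(packet).get(CALLING_STATION_ID)
    if sid is None:
        return "reject: no Calling-Station-Id"
    kind, norm = classify_station_id(sid.decode("ascii", "replace"))
    if kind != "mac":
        return f"reject: Calling-Station-Id is {kind}, not a MAC"
    return "accept" if norm in approved else "reject: MAC not on allow-list"
```

A NAS that sends an IP or phone number in this attribute is rejected rather than silently matched, which is the failure mode the reply warns about.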
------------------------------------------------------------------------
*From:* Dan DeStefano
*Sent:* Tue 11/14/2006 5:28 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
Thank you for your response.
I thought the Calling-Station-Id was used for phone numbers (that is
what the description says anyway). But you are saying that MAC
addresses can be used here as well?
Other than the above, what would the advantages of deploying IAS be?
This is a small network with 100 or so users and only a handful of
them have VPN access (right now being controlled in the user account
properties). For this reason I am not sure I can also justify the
costs of implementing ISA especially with a current firewall solution
in place. Plus, we have no ISA experts in our organization or anyone
who has even administered ISA before. Maybe this will change with the
new ISA 2006, but most ISA solutions right now are enterprise-class
and on the expensive side (for most small businesses). I heard that
ISA 2006 is supposed to have a “light” version of some sort, but that
being said, I am not sure if it would be as fully-featured and support
what you are suggesting (though I know little of it other than the
fact that it exists).
Thanks for the advice about ws2k3 quarantine, I guess we won’t waste
our time with it. I have read about Longhorn NAP and it looks great.
But it also looks a bit complex, requiring a bit more infrastructure
than most small businesses need or can afford.
Have you ever tried restricting VPN access by MAC address?
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Akomolafe, Deji
*Sent:* Tuesday, November 14, 2006 1:45 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name
Calling-Station-Identifier is a much more stable and reliable filter - it
is the Client's MAC address. "Client Friendly Name" is optional and
may not be sent in many VPN negotiations. The identifier will very
likely be sent (I don't want to say ALWAYS since I don't have any
relevant doc that says that, but I am yet to see a negotiation that
does not include the identifier). Unfortunately, in order to use the
identifier as a filter, you will have to create a policy for each
device. I don't see how you can wildcard it. So, depending on how many
clients you are talking about here, well....
Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in
something like ISA 2006. With ISA, you should be able to create a
Computer Set that includes the names or IPs of the Clients in
question, and you can use that to filter your inbound VPN connection
requests. I don't have such a configuration, but it makes sense in my head.
Also, if you haven't started messing with that 2K3 quarantine
thingamabob yet, thank your stars. You don't want to. Not now that NAP
in Longhorn is so close at hand. I'd recommend that you encourage your
techs to concentrate on learning NAP instead. I just took a quick look
around in NAP, and I can see where what you are trying to do here can
be easily accomplished.
Hope I haven't thoroughly confused you yet.
Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
------------------------------------------------------------------------
*From:* Dan DeStefano
*Sent:* Mon 11/13/2006 9:54 PM
*To:* [email protected]
*Subject:* [ActiveDir] Restrict VPN Access By Computer Name
I was wondering if there is a way to restrict client VPN connections
via computer name. The reason for this is that we only want clients
connecting from approved devices for which they do not have
administrative privileges. In other words, we do not want people
VPNing into our network from their possibly virus and spyware-infested
home PCs. I know that a clever user could rename his/her home PC, but
this is probably not too likely and that type of user is probably
likely to be conscious of updated antivirus/spyware software.
I saw a setting in Remote Access Policies called Client Friendly Name
(IAS). Is this the setting I am looking for? If so, do I have to set
up an IAS server? If not, is there another way I can accomplish my
goal? I know that WS2k3 R2 has a quarantine feature, but I am not
familiar with it, though it looks like a bit of a PITA to set up and I
am looking for a quick way to fix this problem. We will probably
eventually use the new quarantine feature after our techs have had a
chance to learn and test it a bit. I think another problem with this
feature is for small business networks that have just a single SBS server.
Any help would be greatly appreciated.
Thanks,
Dan DeStefano
**Info-lution Corporation**
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender,
disregard any content and remove it from your possession.