topic Re: Authentication for educational site, before being controlled by PAN in General Topics

Authentication for educational site, before being controlled by PAN

KatanaNZ — Thu, 29 Apr 2010 00:36:28 GMT

What I'm after is a system that acts as a RADIUS server to authenticate both wired and wireless users over the network via EAP. The network will then authenticate the user and allow them access to specific VLANs, depending on the user and what machine they are logged on to.

Some possible scenarios:
Staff Member without admin rights:
- If they logon to a School-managed Library fixed PC, they should get access to the Staff-Managed VLAN.
- If they logon to an unmanaged personal laptop that they've brought in from home, they should get access to the Staff-Unmanaged VLAN.

Student without admin rights:
- If they logon to a School -managed Library fixed PC, they should get access to the Student-Managed VLAN.
- If they logon to their assigned School-managed student laptop, they should get access to the Student-Managed VLAN.
- If they logon to another School-managed student laptop, they should be disallowed access.

Student with admin rights on their Kristin-managed student laptop only:
- If they logon to a School-managed Library fixed PC, they should get access to the Student-Managed VLAN.
- If they logon to their assigned School-managed student laptop (with admin rights), they should get access to the Student-SemiManaged VLAN.
- If they logon to another School-managed student laptop, they should be disallowed access.
- If they logon to an unmanaged personal laptop that they've brought in from home, they should get access to the Student-Unmanaged VLAN.

Guest who has registered with School:
- If they logon to a School-managed Library fixed PC, they should get access to the Guest VLAN.
- If they logon to an unmanaged personal laptop that they've brought in, they should get access to the Guest VLAN.

Intruder who hasn't registered with School:
- If they logon to any personal laptop, and try to plug in to our network, they should be disallowed access.

Up to 1/2 of the student owned systems will be Apple Macs, just to make things interesting.

The RADIUS server will use something like PEAP/EAP-MSCHAPv2. On School-managed machines joined to the School AD domain, the authentication will happen automatically and the user won't have to enter any usernames/passwords. For an unmanaged machine, the user will be prompted to enter their AD username and password (or a guest username and password).

So we would need to have info on the user (mainly coming from AD) and the device they are connecting from. We'd need to either be able to point the RADIUS server at an existing database, or be able to automatically sync the RADIUS server database with our asset database or CMDB.

We also need to be able to get the log information of which user was logged on to which MAC address (real time), so that we can convert this to an IP address via DHCP logs, and then send the IP-to-user info to Palo Alto. We don't want a user on their unmanaged home machine entering a password once for the RADIUS server, then again for Palo Alto's captive portal.

I suppose we are most similar to a tertiary network in the US where students bring in their own devices and enter a
username and password to be allowed on to the network, before something like Palo Alto takes over and does firewalling of appropriate content.

Anyone know of a solution that is capable of this?

Re: Authentication for educational site, before being controlled by PAN

rmonvon — Thu, 29 Apr 2010 02:30:11 GMT

Thank you for providing your requirements in details.

If those groups of devices (School-managed Library fixed PCs, unmanaged personal laptops, School-managed student laptops, etc) are separated by IP subnets or VLANs, then it is very likely that Palo Alto Networks can help meet your needs. If not, some network changes may be required. However, it is best that you contact your Palo Alto sales team for the design to ensure success.

Some of your requests can be administered at the machine PCs/Macs levels. For examples:

Student without admin rights:

if they logon to another School-managed student laptop, they should be disallowed access.

A: you can restrict the account login of each assigned student machine to the specific student & nwk admins only.

Student with admin rights on their Kristin-managed student laptop only:

If they logon to another School-managed student laptop, they should be disallowed access.

A: Same as above, you can restrict the account login of each assigned student machine to the specific student & nwk admins only.

Cheers,

Re: Authentication for educational site, before being controlled by PAN

KatanaNZ — Tue, 04 May 2010 09:42:47 GMT

Hi,

So thats actually the problem. Due to the dynamic nature of the environment, its getting the device to authenticate to the correct VLAN that is causing us a headache.

Once the VLAN is assigned its plain sailing.

SteveR

Re: Authentication for educational site, before being controlled by PAN

abarnett — Thu, 22 Jul 2010 04:40:13 GMT

Hi Steve,

I'm not sure if you've found a solution yet, but what you are describing sounds like Network Access Control. I don't know if Palo Alto recommends any particular NAC vendor, but there are several out there. Usually these solutions will do exactly what you are looking for: Identify user/machine based on your choice of credentials then place them in the correct VLAN (the NAC product does this by communicating directly with the LAN switch).

A couple I'd recommend checking out:

Bradford Networks (www.bradfordnetworks.com)

Forescout (www.forescout.com)

good luck!

Andrew

Re: Authentication for educational site, before being controlled by PAN

James — Thu, 22 Jul 2010 10:43:13 GMT

I agree - looks like a NAC product is required.

You can then tie the NAC into Palo Alto's User-ID. So long as the Radius server used for EAP/PEAP has the user and IP credentials, it can then feed this information into the XML API of the User-ID Agent. So you end up with NAC and also IAC

Thanks

James