Welcome to ISAserver.org


Access based on authenticated computers

Access based on authenticated computers - 2.Dec.2009 5:09:20 PM   
FCTurtle

 

Posts: 5
Joined: 2.Dec.2009
Status: offline
Hello,

Is there a way to create an access rule based on computer authentication rather than user authentication, maybe using the Firewall Client?

We have computers on DHCP, but for some reason I cannot use DHCP reservation.

Is there any way to do so?

Thank you,
Post #: 1
RE: Access based on authenticated computers - 2.Dec.2009 6:04:17 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
No.

How do you want to authenticate computers?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to FCTurtle)
Post #: 2
RE: Access based on authenticated computers - 3.Dec.2009 3:27:35 AM   
FCTurtle

 

Posts: 5
Joined: 2.Dec.2009
Status: offline
In a domain, the computer has a password. You can use this password to authenticate computers.

I thought the Firewall Client would allow building access lists based on computers in some way.

(in reply to elmajdal)
Post #: 3
RE: Access based on authenticated computers - 3.Dec.2009 3:37:57 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
That password is for a user, not for a computer.

The user using that password can log on to any computer in that domain.



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to FCTurtle)
Post #: 4
RE: Access based on authenticated computers - 3.Dec.2009 4:32:51 PM   
FCTurtle

 

Posts: 5
Joined: 2.Dec.2009
Status: offline
No. In a domain, a computer itself has a password like any user.

The computer needs to use that password to authenticate itself on the domain so it can be trusted to open user sessions. That's a fact.

The computer renews its password every 7 days by default as far as I can remember. In some cases, you can freeze that password change with a GPO so it never changes.

We have deployed a Wi-Fi solution with 802.1X and, to avoid users having to authenticate themselves, we are using the computer password instead: we are authenticating the computer. First, we create an SSL channel using the controller certificate, then we use MPPE encryption and the computer login (name) / password to authenticate it on the network and allow network traffic for it.


I wish we could use the same with ISA Server. So we can authenticate computers and then create rules based on authenticated computers, DHCP is then not a problem in that case.

(in reply to elmajdal)
Post #: 5
Access based on authenticated computers - 29.Dec.2009 1:52:39 AM   
divakaran12kannur

 

Posts: 2
Joined: 28.Dec.2009
Status: offline
I have the same problem with our ISA Server. It's connected to the domain and we are using a DHCP network. How can I allow a particular user to access the Internet?

Waiting for a reply.

(in reply to FCTurtle)
Post #: 6
RE: Access based on authenticated computers - 29.Dec.2009 1:50:57 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: FCTurtle

No. In a domain, a computer itself has a password like any user.

The computer needs to use that password to authenticate itself on the domain so it can be trusted to open user sessions. That's a fact.


Can you tell me how you create a password for a computer?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to FCTurtle)
Post #: 7
RE: Access based on authenticated computers - 29.Dec.2009 6:37:40 PM   
FCTurtle

 

Posts: 5
Joined: 2.Dec.2009
Status: offline
quote:

ORIGINAL: elmajdal
Can you tell me how you create a password for a computer?


You can't do it by yourself.

The machine (computer) account password is automatically negotiated by the machine itself.

The only thing you can do is to "freeze" the password change or modify the password age using a GPO. By default, every 7 days the machine will renegotiate a new password.

I've found a TechNet article about the GPO setting to freeze the password age for machine accounts:

http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx

If you play with some OS streaming technologies, like Ardence for example, you can create situations where the password of the machine doesn't match the account registered on the domain controller, so the machine is not trusted to open domain user sessions. You get a specific error message for this issue, and you need to reset the password on the domain controller and reboot the machine to force the renewal of the machine password.

And with some Wi-Fi technology (we have Aruba controllers) you can use the machine account (name and password) to create trusted connections to the firewall to get access to specific VLANs or apply specific security rules for these computers.

But now I'm quite sure ISA Server is not able to do that. It appears ISA only works with domain user authentication.

(in reply to elmajdal)
Post #: 8
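
An added example, not part of any post in this thread: a PowerShell check, run on a domain-joined Windows client, of the machine account state discussed in post #8 (password change disabled, maximum password age, and whether the machine's password still matches the domain). The function name Get-MachineAccountStatus is hypothetical; the registry values read are the Netlogon parameters that the corresponding Group Policy settings write.

```powershell
# Added example (not from the thread). Assumes a domain-joined client that can reach a DC.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachineAccountStatus {   # hypothetical helper name
    # Local Netlogon settings controlled by the "Domain member" GPO options.
    $p      = Get-ItemProperty -Path $netlogonKey -ErrorAction Stop
    $maxAge = $p.MaximumPasswordAge               # days; $null if not configured
    $frozen = ($p.DisablePasswordChange -eq 1)    # password change switched off

    # pwdLastSet of this computer's own account, read from the directory.
    $lastSet = $null
    try {
        $filter   = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f $env:COMPUTERNAME
        $searcher = [adsisearcher]$filter
        [void]$searcher.PropertiesToLoad.Add('pwdlastset')
        $entry = $searcher.FindOne()
        if ($entry -and $entry.Properties['pwdlastset'].Count -gt 0) {
            $lastSet = [DateTime]::FromFileTimeUtc([long]$entry.Properties['pwdlastset'][0])
        }
    } catch {
        Write-Warning "Directory lookup failed: $($_.Exception.Message)"
    }

    # Trust check: returns $false when the secure channel to the domain is broken.
    try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $channelOk = $false }

    $ageDays = $null
    if ($lastSet) { $ageDays = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PasswordChangeOff = $frozen
        MaxPasswordAge    = $maxAge
        PasswordLastSet   = $lastSet
        PasswordAgeDays   = $ageDays
        SecureChannelOk   = $channelOk
        # Older than the configured maximum while changes are enabled: investigate.
        Stale             = [bool]($maxAge -and -not $frozen -and $ageDays -gt $maxAge)
    }
}

Get-MachineAccountStatus | Format-List
```

A machine reporting SecureChannelOk = False is in the mismatch state described for streamed or re-imaged systems.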
RE: Access based on authenticated computers - 29.Dec.2009 11:25:11 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Sounds like IPsec is the best answer.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to FCTurtle)
Post #: 9
RE: Access based on authenticated computers - 30.Dec.2009 12:36:27 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Also, SSL certificates might also work...

[never mind...SSL certificate authentication is only for proxy chaining scenarios!]

< Message edited by richardhicks -- 30.Dec.2009 12:43:06 AM >


_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to FCTurtle)
Post #: 10
RE: Access based on authenticated computers - 4.Jan.2010 8:29:49 AM   
FCTurtle

 

Posts: 5
Joined: 2.Dec.2009
Status: offline
I'm interested in your IPsec solution.

How would you do that?

Thank you,

(in reply to richardhicks)
Post #: 11
