{ mindfrost82.com } > Gadget Corner > Tech Newsgroups > Microsoft > Windows Server
#1 - 05-06-2008, 01:12 AM
Curt McNamee
NAT Router restricted by RADIUS

I'm trying to set up a NAT router that uses RADIUS authentication to determine
which packets should be passed from the internal network out to the internet.
I have tried to do this with RRAS without luck; I get the feeling the NAT
implementation there doesn't have any form of authentication. I've also tried
using ISA but that requires a special piece of software to be installed on
each client. I'm trying to just use the currently-logged-in user's
credentials as the authentication token sent to my RADIUS server.

Does anyone know of a way to accomplish this?
#2 - 05-06-2008, 05:07 AM
Ace Fekay [MVP]
Re: NAT Router restricted by RADIUS

In news:647DA709-E60B-4A54-A2BD-BF3E83424CEE@microsoft.com,
Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:
> I'm trying to set up a NAT router that uses RADIUS authentication to
> determine which packets should be passed from the internal network
> out to the internet. I have tried to do this with RRAS without luck;
> I get the feeling the NAT implementation there doesn't have any form of
> authentication. I've also tried using ISA but that requires a
> special piece of software to be installed on each client. I'm trying
> to just use the currently-logged-in user's credentials as the
> authentication token sent to my RADIUS server.
>
> Does anyone know of a way to accomplish this?


NAT is just a layer 4 function, that is, it just translates packets. I don't
think you can get RRAS to do what you're asking. Unfortunately you'll need a
device/utility such as what ISA is capable of, along with the firewall client
installed, which you've already tested.

For it to examine each packet, then make a decision on how to handle each
packet based on rules, packet types, authentication, etc., requires a gateway
device, such as ISA, Checkpoint, etc. ISA can also be used for web control
only and act as a secure NAT. This way websites are controllable, but not
other types of network traffic. The firewall client and ISA being in Firewall
mode (if I remember the setting correctly) will do both.

ISA is also an AD-enabled application, which gives it the ability to control
access by groups or single user accounts. I don't think others are capable
of this feature other than possibly user logon to a Checkpoint, or similar,
to gain access, which I'm not even sure if this is possible, possibly with a
browser-based method, but that leads back to a Proxy server, such as ISA and
other 3rd party Proxies.


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations



#3 - 05-06-2008, 06:18 AM
Curt McNamee
Re: NAT Router restricted by RADIUS




Thanks for the answer. I was hoping RRAS could do this, but I wasn't holding
my breath.

I've been playing with some captive portal packages which just require
everyone to authenticate; getting those to authenticate against AD was tricky
at first but they do work very well. I'm wanting a hybrid solution that will
check the credentials of the current user on the Windows client, compare them
against an ACL, and allow them through or challenge those that don't meet the
ACL requirements. I can do this with ISA but I need to accomplish this without
having to install an ISA-specific firewall client for each client to pass
credentials to the ISA server.

I've set up PPTP & L2TP VPN connections that will pass (using PEAP) the
currently-logged-in user's credentials to the VPN server for approval/denial;
however, finding an existing product to do this for ethernet-based traffic
instead of VPN-based traffic is proving to be very difficult.

Thanks again for the help.
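The gateway Ace describes in post #2 (a device that examines each packet and decides on it based on authentication and rules, which plain NAT cannot do) and the hybrid Curt sketches above (check the user's credentials, compare against an ACL, allow or challenge), as an added Python model that is not code from the thread or from ISA, RRAS or any product named here. It assumes the gateway is the RADIUS client (NAS) that already sent an Access-Request, keeps a table binding source IP to user and groups, and uses hypothetical names, a constructed shared secret and a made-up ACL.

```python
# Added example, not code from the thread or from ISA/RRAS. NAT only rewrites
# addresses, so the gateway first binds a source IP to an authenticated user (here
# only from a RADIUS Access-Accept whose Response Authenticator verifies, RFC 2865
# s.3), then matches each packet against a per-group ACL. Names are hypothetical.
import hashlib, hmac, ipaddress, struct

ACCESS_ACCEPT = 2
ALLOW, DENY, CHALLENGE = "ALLOW", "DENY", "CHALLENGE"

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Encode a reply as the RADIUS server would (used to construct sample input)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def verified_code(reply, request_auth, secret):
    """Return the reply's Code only if its Response Authenticator checks out."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = response_authenticator(reply[0], reply[1], reply[20:], request_auth, secret)
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None

class EgressGateway:
    def __init__(self, acl):
        # ACL rows: (group, destination network, destination port or None, verdict)
        self.acl = [(g, ipaddress.ip_network(n), p, v) for g, n, p, v in acl]
        self.sessions = {}  # source IP -> (user, frozenset of groups)

    def bind(self, src_ip, reply, request_auth, secret, user, groups):
        """Bind src_ip to user only on a verified Access-Accept; anything else unbinds."""
        accepted = verified_code(reply, request_auth, secret) == ACCESS_ACCEPT
        self.sessions.pop(src_ip, None)  # drop any stale binding first
        if accepted:
            self.sessions[src_ip] = (user, frozenset(groups))
        return accepted

    def decide(self, src_ip, dst_ip, dst_port):
        sess = self.sessions.get(src_ip)
        if sess is None:
            return CHALLENGE  # no identity yet: redirect to the portal, do not NAT
        dst = ipaddress.ip_address(dst_ip)
        for group, net, port, verdict in self.acl:
            if group in sess[1] and dst in net and port in (None, dst_port):
                return verdict  # first matching rule wins
        return DENY  # authenticated but no rule matched: default deny
```

A real NAS additionally checks that the reply's Identifier matches the outstanding request and ignores replies from any address other than its configured RADIUS server. Bindings should also expire or be torn down when the client's session ends, since the source IP is all the gateway has to go on.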
#4 - 05-06-2008, 12:09 PM
Ace Fekay [MVP]
Re: NAT Router restricted by RADIUS

In news4EFF139-4827-4C1A-ACEE-02648A23F821@microsoft.com,
Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:

> Thanks for the answer. I was hoping RRAS could do this, but I wasn't
> holding my breath.
>
> I've been playing with some captive portal packages which just require
> everyone to authenticate; getting those to authenticate against AD
> was tricky at first but they do work very well. I'm wanting a hybrid
> solution that will check the credentials of the current user on the
> Windows client, compare them against an ACL, and allow them through
> or challenge those that don't meet the ACL requirements. I can do
> this with ISA but I need to accomplish this without having to install
> an ISA-specific firewall client for each client to pass credentials to
> the ISA server.
>
> I've set up PPTP & L2TP VPN connections that will pass (using PEAP) the
> currently-logged-in user's credentials to the VPN server for
> approval/denial; however, finding an existing product to do this for
> ethernet-based traffic instead of VPN-based traffic is proving to be
> very difficult.
>
> Thanks again for the help.


You are welcome.

I think you realize you are fighting an uphill battle. ISA will do this. You
don't need the firewall client if you just want to control web traffic. You
can block everything else in this scenario too, unless you need to control
non-web traffic as well.

Ace




#5 - 05-06-2008, 04:58 PM
Curt McNamee
Re: NAT Router restricted by RADIUS





Uphill battles are my specialty :-) I need to control the flow of all
traffic.

Thanks again!
#6 - 05-07-2008, 01:01 AM
Ace Fekay [MVP]
Re: NAT Router restricted by RADIUS

In news:F95C8E8E-0EE3-4799-B5BC-F08A8E2E8BA2@microsoft.com,
Curt McNamee <CurtMcNamee@discussions.microsoft.com> typed:
> Uphill battles are my specialty :-) I need to control the flow of all
> traffic.
>
> Thanks again!


My pleasure. I am curious, so please let me know what solution you will go
with.

Ace




All times are GMT.