802.1x machine authentication without directory


Hi all,

I've been looking into a small-scale 802.1x rollout, and have encountered
something of a problem. The systems on the network I'd be NAC-ing are XP
boxes which are members of an NT4 domain, with all users authenticated at the
domain level. (No local accounts are typically used.) I was hoping to use
machine authentication, but it seems as though most RADIUS servers only
support machine auth when they have a directory (typically AD) to confirm the
membership of the supplicants.  (This certainly appears to be the case with ACS,
and Steel-Belted radius as well, from what I can tell from the documentation.)

Obviously, I don't have an AD for these systems, despite having a PKI. (Possibly
an unusual situation.) Does anyone know of a RADIUS server or NAC product that
will support machine authentication without a domain to refer to? I see the
benefits of the directory query, but it's just not an option for this particular

(I'm more than happy to look at solutions outside the windows 802.1x support if
they work!)

Cheers for any advice,


Re: 802.1x machine authentication without directory


If I have this straight, your only central username/password store is via an
NT4 domain controller?  And you'd like users to be able to use those
credentials to auth to your wireless network?

Just trying to make sure we understand what you have to auth against.

Todd H.
http://www.toddh.net /

Re: 802.1x machine authentication without directory

On Mon, 30 Oct 2006 22:36:04 +0000, Todd H. wrote

<cut down my original post>

No worries, I wasn't entirely clear. Here's what I'm trying to do, in its

I'm trying to implement NAC on a wired network using EAP-TLS. I have a PKI,
and things on that front are working fine. If I stick with standard
user-based 802.1x authentication (using user certs, 802.1x'ing after login)
things are fine. That said, user auth doesn't really work in our model,
thanks to the lack of local accounts. We need access to the network for user
logins, and the user login can't happen before 802.1x auth. So, we looked at
machine authentication.

Unfortunately, using "machine authentication" is not so simple. It appears
that the Cisco ACS server I am using as my authentication server only
supports machine authentication if it has an AD to talk to. From what I can
tell, it's taking the machine name and machine password from the XP client
(supplicant) and performing secondary validation through that. It doesn't
want to talk to my NT domain.

What I'm trying to find is an authentication server (presumably a RADIUS
server) which can perform the basics of the cert validation in EAP-TLS, and
then either rely on a local user store for the additional windows
credentials, or just plain ignore them.

Hope that post made more sense - I was so knackered last night I could barely
see straight. =P

Here's the only comment from Cisco I've found:


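The authentication-server logic Michael describes (do the EAP-TLS certificate validation against the existing PKI, then consult a local store rather than AD for the machine identity), as an added example in Go that is not from this thread or from any of the products named in it; the machine names, the allow-list and the throwaway root CA are constructed for the demo, and the supplicant's cert is taken already parsed, as a Go TLS server receives it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed local store that replaces the directory: SAN names of machines allowed onto the wire.
var allowedMachines = map[string]bool{"xp-ws01.example.test": true}

// authorizeMachine does the two EAP-TLS steps the poster needs without AD: chain the supplicant's
// cert to our PKI root as a client-auth cert, then look the machine identity up in the local store.
func authorizeMachine(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or not a client-auth cert
	}
	for _, name := range cert.DNSNames {
		if allowedMachines[name] {
			return name, nil
		}
	}
	return "", errors.New("valid cert, but machine is not in the local store")
}

// buildTestPKI makes a throwaway root plus one allowed and one unknown machine cert (constructed demo PKI).
func buildTestPKI() (roots *x509.CertPool, allowed, unknown *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now, later := time.Now(), time.Now().Add(time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now, NotAfter: later, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	issue := func(serial int64, host string) *x509.Certificate { // machine cert: SAN = host name, client-auth EKU
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
			DNSNames: []string{host}, NotBefore: now, NotAfter: later, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		der, _ := x509.CreateCertificate(rand.Reader, t, caCert, hostPub, caKey)
		c, _ := x509.ParseCertificate(der)
		return c
	}
	return roots, issue(2, "xp-ws01.example.test"), issue(3, "unknown-pc.example.test")
}
```

A machine whose cert chains to the PKI but whose name is absent from the local store is rejected, which is the "ignore the Windows credentials" model with a minimal authorization list in place of the directory query.
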
Re: 802.1x machine authentication without directory

Hi Michael,

If I understand what you are trying to do correctly, you're running into
the problem that a lot of radius servers and IAS don't work on an NT4

A tip I found earlier: Funk Software's Odyssey Server is great and
simple for WLAN only use (RADIUS). Can authenticate against an NT4
domain specifically.

Another option (but I have not tried it myself, nor looked into it
in-depth) seems to be that you could plug samba 2.x in your domain with
a win2k client machine to provide the translation of NT4 domain
authentication to LDAP (which can then be used for the RADIUS). At the
very least this sounds rather tricky to set up but might be an option if
nothing else works.



michael.owen wrote:

Re: 802.1x machine authentication without directory

On Tue, 31 Oct 2006 01:53:58 +0000, MC wrote


Thanks for mentioning the Odyssey Server, I'll have a look at it - does it
rely on using Steel-Belted RADIUS as an authentication server? I was poking
through the docs for Steel-Belted, and got the impression it still relied on
the presence of an AD for machine-auth use with Windows XP clients.


Re: 802.1x machine authentication without directory

Michael Owen wrote:

It uses a proprietary server component that can natively authenticate to
windows 2000 and NT domain databases. Next to that it can be set up with
Steel-Belted radius to authenticate against a whole range of other
things (SQL/LDAP, TACACS+, etc).

I think the following URL will answer most of your questions:


