First, the setup: 15 workgroup users, and we have a Watchguard firewall with VPN. We are currently using the Watchguard to authenticate users for VPN access, but the boss wants to use Server 2008 as the authentication server. The Watchguard allows a relay to authenticate via RADIUS or AD. My question is: can we use RADIUS as the authentication server without AD services? (They want to keep the workgroup setup, with no domain controller.)
3 Answers
Don't bother with a 2008 Server if you're just using it for RADIUS. It's a waste of money. If you don't want/need AD integration, just prop up a Linux/BSD box with FreeRADIUS or use Watchguard's built-in authentication mechanism (they have one, right?).
Adding a Windows Server just for VPN auth doesn't make a ton of sense.
If I'm understanding correctly that you have local users on the Server 2008 machine and you're wanting to authenticate using those accounts, I've never seen a good way to do that. Just out of curiosity, why not go with AD services?
- Sorry, I should've been a bit clearer. All users are local accounts, not in AD. They want to introduce Server 2008 just to authenticate the VPN users. The reason given for not using AD services is that the users are 'adverse' to strict account controls, and the managers are afraid of pissing off the employees (programmers all). – Michael Pacifico Mar 08 '12 at 19:29
- Why not go on and go AD but let each user be a workstation admin? Obviously there are some security implications, but from what you're saying it wouldn't be any less secure than what you're doing now. – John Mar 08 '12 at 20:08
- Sorry again, but they are local users on their own workstations, not on the server itself. I have trouble understanding why they only want to use Server 2008 to authenticate, but not as a DC. Basically they just want a gatekeeper for the workgroup. I saw the only route previously was to set up AD, then allow guest access to all computers. – Michael Pacifico Mar 09 '12 at 00:52
- Right, with AD you can make users workstation admins without making them server or network admins. IIRC, you can even restrict their admin rights to certain workstations with a little tinkering. I'll do some looking, but I really think your best bet since you already have Server 2008 (outside of kls's suggestion, which does have quite a bit of merit) is to go on and make the server a DC and just let all of the users be workstation admins. – John Mar 09 '12 at 02:20
Why not save yourself some $ and some headache and just use a Unix box and run a RADIUS server on it? Create local Unix accounts for everyone, and they can authenticate via RADIUS for the VPN. It works and doesn't cost anything. It would be more secure, as you can block it from the net completely if you wanted. At least until you needed to upgrade.
Otherwise, if the Server 2008 will run IAS, you can use it as a RADIUS server. We have this set up with 2003, but it is a DC. It would probably work though.
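To make concrete what the question and the "Unix box running a RADIUS server with local accounts" answer above are talking about, here is an added example (not code from the question, the answers, Watchguard, FreeRADIUS or Windows) of the RADIUS PAP exchange defined in RFC 2865: a VPN gateway acting as the NAS hides the user's password with the shared secret and sends an Access-Request, a RADIUS server recovers the password, checks it against a local account store and answers Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the answer. The shared secret, the user store, the account name and password are all constructed for the illustration.

```python
# Added example (not Watchguard, FreeRADIUS or Windows code): a minimal RADIUS
# PAP exchange per RFC 2865 between a VPN gateway acting as the NAS and a RADIUS
# server that checks a constructed local-account store. All names and values
# below are assumptions made for the illustration.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SHARED_SECRET = b"example-shared-secret"  # constructed NAS/server secret

# Constructed local accounts: username -> (salt, PBKDF2 hash). This stands in
# for the Unix accounts a FreeRADIUS box would check via its unix module.
def _hash_pw(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = b"constructed-salt"
USER_DB = {"alice": (_SALT, _hash_pw(b"correct horse", _SALT))}

def verify_user(username: str, password: bytes) -> bool:
    rec = USER_DB.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash_pw(password, salt))

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks (at least one), then XOR each block
    # with MD5(secret + previous block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16 or (16 if not password else 0))
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply
    # to this request and to a holder of the shared secret.
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def nas_build_request(ident, username, password, secret):
    req_auth = secrets.token_bytes(16)  # fresh random Request Authenticator
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(request, secret):
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    a = dict(attrs)
    username = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply_code = ACCESS_ACCEPT if verify_user(username, password) else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, req_auth, [], secret)
    return build_packet(reply_code, ident, resp_auth, [])

def nas_check_reply(reply, ident, req_auth, secret):
    code, rid, auth, attrs = parse_packet(reply)
    if rid != ident:
        raise ValueError("reply does not match the outstanding request")
    expected = response_authenticator(code, rid, req_auth, attrs, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: drop the reply")
    return code == ACCESS_ACCEPT

def run_exchange(username, password, secret=SHARED_SECRET):
    """Full round trip: NAS builds the request, server answers, NAS verifies."""
    ident = secrets.randbelow(256)
    request, req_auth = nas_build_request(ident, username, password, secret)
    return nas_check_reply(server_handle(request, secret), ident, req_auth, secret)

if __name__ == "__main__":
    print(run_exchange("alice", "correct horse"), run_exchange("alice", "nope"))
```

Two things in the exchange are worth noticing from a defender's side. The shared secret is all that hides the PAP password and all that lets the gateway tell a genuine Accept from a forged one, and the MD5-and-XOR construction it feeds is weak by current standards; that is why the advice above to keep the RADIUS box off the internet and reachable only over a controlled path is sound rather than optional. And because the server sees the cleartext password, the account store behind it can still hold only salted hashes, as the constructed `USER_DB` does; a Unix box doing this against its local accounts is checking the same kind of hash it keeps for console logins.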