Windows Client Authentification bevore Domain logon

Armin Krämer Kraemer.Armin at web.de
Thu Aug 25 14:21:00 CEST 2005 


Hi, i found this thred yesterday and tried it out to add this OID but it had no effekt...OK maybe i made somthing wrong. Could you describe how you added this oid to your machine zertifikate? Today i built completely new root,server and client certificates depending on the article in www.linuxjournal.com/article/8095. 

I will post here my users file: My new generated Client Certifikates uses client10 as Client Name.

Greetings Armin

 
##	Please read the documentation file ../doc/processing_users_file,#	or 'man 5 users' (after installing the server) for more information.##	This file contains authentication security and configuration#	information for each user. Accounting requests are NOT processed#	through this file. Instead, see 'acct_users', in this directory.##	The first field is the user's name and can be up to#	253 characters in length. This is followed (on the same line) with#	the list of authentication requirements for that user. This can#	include password, comm server name, comm server port number, protocol#	type (perhaps set by the "hints" file), and huntgroup name (set by#	the "huntgroups" file).##	If you are not sure why a particular reply is being sent by the#	server, then run the server in debugging mode (radiusd -X), and#	you will see which entries in this file are matched.##	When an authentication request is received from the comm server,#	these values are tested. Only the first match is use!
 d unless the#	"Fall-Through" variable is set to "Yes".##	A special user named "DEFAULT" matches on all usernames.#	You can have several DEFAULT entries. All entries are processed#	in the order they appear in this file. The first entry that#	matches the login-request will stop processing unless you use#	the Fall-Through variable.##	If you use the database support to turn this file into a .db or .dbm#	file, the DEFAULT entries _have_ to be at the end of this file and#	you can't have multiple entries for one username.##	You don't need to specify a password if you set Auth-Type += System#	on the list of authentication requirements. The RADIUS server#	will then check the system password file.##	Indented (with the tab character) lines following the first#	line indicate the configuration values to be passed back to#	the comm server to allow the initiation of a user session.#	This can include things like the PPP configuration values#	or the host to log the user onto.##	You can incl!
 ude another `users' file with `$INCLUDE users.other'###	For a list of 
RADIUS attributes, and links to their definitions,#	see:##	http://www.freeradius.org/rfc/attributes.html### Deny access for a specific user. Note that this entry MUST# be before any other 'Auth-Type' attribute which results in the user# being authenticated.## Note that there is NO 'Fall-Through' attribute, so the user will not# be given any additional resources.##lameuser	Auth-Type := Reject#	Reply-Message = "Your account has been disabled."## Deny access for a group of users.## Note that there is NO 'Fall-Through' attribute, so the user will not# be given any additional resources.##DEFAULT	Group == "disabled", Auth-Type := Reject#	Reply-Message = "Your account has been disabled."### This is a complete entry for "steve". Note that there is no Fall-Through# entry so that no DEFAULT entry will be used, and the user will NOT# get any attributes in addition to the ones listed here.##steve	Auth-Type := Local, User-Password == "testing"#	Service-Type = Framed-User,#	Framed-Protoco!
 l = PPP,#	Framed-IP-Address = 172.16.3.33,#	Framed-IP-Netmask = 255.255.255.0,#	Framed-Routing = Broadcast-Listen,#	Framed-Filter-Id = "std.ppp",#	Framed-MTU = 1500,#	Framed-Compression = Van-Jacobsen-TCP-IP#test Auth-Type := Local, User-Password == "testing"#	Service-Type = Framed-User,#	Framed-Protocol = PPP,#	Framed-IP-Address = 172.16.3.33,#	Framed-IP-Netmask = 255.255.255.0,#	Framed-Routing = Broadcast-Listen,#	Framed-Filter-Id = "std.ppp",#	Framed-MTU = 1500,#	Framed-Compression = Van-Jacobsen-TCP-IP#DEFAULT Auth-Type := EAP-TLS #Local, User-Password == "whatever"# Reply-Message = "Default Client",# Tunnel-Medium-Type = 6,# Tunnel-Private-Group-Id = 1,# Tunnel-Type = 13Client1	Auth-Type := EAP-TLS #Local, User-Password == "whatever"	Reply-Message = "Hello,%u Willkommen im Netzwerk der Firma Metaldyne",	Tunnel-Medium-Type = 6,	Tunnel-Private-Group-Id = 1,	Tunnel-Type = 13host/Client10	Auth-Type := EAP-TLS #Local, User-Password == "whatever" Reply-Message = "Client10",	!
 Tunnel-Medium-Type = 6,	Tunnel-Private-Group-Id = 1,	Tunnel-Type = 13W
orkstation3	Auth-Type := EAP-TLS #Local, User-Password == "whatever" Reply-Message = "client3", Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1, Tunnel-Type = 13## This is an entry for a user with a space in their name.# Note the double quotes surrounding the name.##"John Doe"	Auth-Type := Local, User-Password == "hello"#	Reply-Message = "Hello, %u"## Dial user back and telnet to the default host for that port##Deg	Auth-Type := Local, User-Password == "ge55ged"#	Service-Type = Callback-Login-User,#	Login-IP-Host = 0.0.0.0,#	Callback-Number = "9,5551212",#	Login-Service = Telnet,#	Login-TCP-Port = Telnet## Another complete entry. After the user "dialbk" has logged in, the# connection will be broken and the user will be dialed back after which# he will get a connection to the host "timeshare1".##dialbk	Auth-Type := Local, User-Password == "callme"#	Service-Type = Callback-Login-User,#	Login-IP-Host = timeshare1,#	Login-Service = PortMaster,#	Callback-Number = "9,1-800-555-!
 1212"## user "swilson" will only get a static IP number if he logs in with# a framed protocol on a terminal server in Alphen (see the huntgroups file).## Note that by setting "Fall-Through", other attributes will be added from# the following DEFAULT entries##swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"#	Framed-IP-Address = 192.168.1.65,#	Fall-Through = Yes## If the user logs in as 'username.shell', then authenticate them# against the system database, give them shell access, and stop processing# the rest of the file.##DEFAULT	Suffix == ".shell", Auth-Type := System#	Service-Type = Login-User,#	Login-Service = Telnet,#	Login-IP-Host = your.shell.machine## The rest of this file contains the several DEFAULT entries.# DEFAULT entries match with all login names.# Note that DEFAULT entries can also Fall-Through (see first entry).# A name-value pair from a DEFAULT entry will _NEVER_ override# an already existing name-value pair.### First setup all accounts to be !
 checked against the UNIX /etc/passwd.# (Unless a password was already 
given earlier in this file).##DEFAULT	Auth-Type = System#	Fall-Through = 1## Set up different IP address pools for the terminal servers.# Note that the "+" behind the IP address means that this is the "base"# IP address. The Port-Id (S0, S1 etc) will be added to it.##DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"#	Framed-IP-Address = 192.168.1.32+,#	Fall-Through = Yes#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"#	Framed-IP-Address = 192.168.2.32+,#	Fall-Through = Yes## Defaults for all framed connections.#DEFAULT	Service-Type == Framed-User	Framed-IP-Address = 255.255.255.254,	Framed-MTU = 576,	Service-Type = Framed-User,	Fall-Through = Yes## Default for PPP: dynamic IP address, PPP mode, VJ-compression.# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected#	by the terminal server in which case there may not be a "P" suffix.#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.#DEFAULT	Framed-Protocol == PPP	Fr!
 amed-Protocol = PPP,	Framed-Compression = Van-Jacobson-TCP-IP## Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.#DEFAULT	Hint == "CSLIP"	Framed-Protocol = SLIP,	Framed-Compression = Van-Jacobson-TCP-IP## Default for SLIP: dynamic IP address, SLIP mode.#DEFAULT	Hint == "SLIP"	Framed-Protocol = SLIP## Last default: rlogin to our main server.##DEFAULT#	Service-Type = Login-User,#	Login-Service = Rlogin,#	Login-IP-Host = shellbox.ispdomain.com# ## # Last default: shell on the local terminal server.# ## DEFAULT# Service-Type = Shell-User# On no match, the user is denied access.

 

FreeRadius users mailing list <freeradius-users at lists.freeradius.org> schrieb am 25.08.05 13:28:44:




I also found using machine certificates to be hit and miss (some
machines they'd be picked up, others they wouldn't - all XP SP2 with
appropriate patches).

And then I stumbled on this

http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html

1.3.6.1.4.1.311.17.2

After I started adding that OID to my machine certs, everything
started working wonderfully.

I shook my fist at Microsoft that day!

Cheers,

Ben
On 8/25/05, Steven Atkinson <atn at fallibroome.cheshire.sch.uk> wrote:
> Armin,
> 
> At 15:40 24/08/05, you wrote:
> 
> >Ok, the hole day i tried to get it to work but this time when i install
> >the certificate as a machine zertifikate the radius authentifikation log
> >ends up with this log below.
> >
> >The Certificates where generated with openssl and all works fine as User
> >certificates but not as computer zertificate. I set the Registry Patch
> >which was diescribed in the mailing list to a value of 2.
> 
> As Ben has suggested in another email, there are some required extensions
> to the certificates to enable Windows to authenticate. How did you make
> your certificates, I followed the instructions in
> http://www.linuxjournal.com/article/8095.
> 
> Steve Atkinson
> 
> 
> Fallibroome High School
> Priory Lane
> Macclesfield
> Cheshire
> SK10 4AF
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050825/9b8a5383/attachment.html>

More information about the Freeradius-Users mailing list