Radius-based windows authentication

Guy Davies aguydavies at gmail.com
Fri Apr 25 17:20:37 CEST 2008


2008/4/25 Phil Mayers <p.mayers at imperial.ac.uk>:
> Mike Perdide wrote:
>
> > Hello,
> >
> > I'm working on VLAN assignment with FreeRadius, with windows XP users.
> > The FreeRadius server is using openLdap, and works over EAP-TTLS.
> > The goal of my work is for the users to be on different Vlans depending on
> their status.
> > The radius part is working fine, since the switch sets the right vlan when
> the user gives his login and password.
> >
> > My question was: is it possible to authenticate via radius at the windows
> login screen?
> >
>
>  Is the windows machine a domain member?
>
>
>
> >
> > For now, it is using the samba database, but if I want to set up a dynamic
> vlan assignment, the network needs to be up before the samba partitions are
> mounted.
> >
>
>  This last paragraph doesn't make sense to me. I don't know what "samba
> database" and "samba partitions" are.
>
>  I think you are asking "is it possible for the client to do 802.1x with the
> username/password typed into the login box" and the answer is "yes". There
> are three ways to achieve this (that I know of).
>
>   1. Using the windows native supplicant and machine account authentication.
> Basically the process is this:
>     * machine powers on - no-one logged in
>     * machine uses its own domain account to login "host/$machinename"
>     * user presses ctrl+alt+del
>     * machine validates credentials to the domain controller, over the
> current network connection
>     * machine downloads the users profile
>     * once the profile is downloaded, the machine does an EAP-Logoff and then
> re-authenticates using the user credentials
>     * when the user logs out, the machine does an EAP-Logoff and then logs
> back in using the machine account
>
>   2. Using cached profiles - the user logs in without a network connection
> using a cached profile, then 802.1x starts
>
>   3. Using a different supplicant which has a GINA plugin; I believe the
> Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which
> is open source) may. Obviously you have to install software.
>

The Odyssey client can certainly do this but it is very important to
note that GINA is not making use of the RADIUS server to actually
authenticate the user to the Windows machine.  It is simply stopping
the windows login, taking a copy of the credentials typed into the
windows login screen and using those to authenticate using 802.1x so
that a secured port is open *before* the windows login is complete,
then once the 802.1x process is complete, it returns control of the
login process back to windows which authenticates the user either
against the local database or using the Active Directory service.

Normally, for this to work well, you would have the RADIUS server used
for the 802.1x authentication make a call to the AD servers too (using
either NTLM or LDAP).  That way, you actually have two calls made to
the AD, one by the RADIUS server and then another by the user's PC.

The dynamic VLAN assignment is almost invariably performed as part of
the 802.1x RADIUS authentication response and the actual mechanism
used depends very much on the vendor of your Authenticator (the switch
or AP).

Rgds,

Guy
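The last paragraph says the VLAN is carried in the 802.1X RADIUS authentication response. The common (RFC 3580) way of doing that is a tagged Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=<vlan> triple in the Access-Accept; switches that follow the RFC read those, while other vendors use their own attributes. The following is an added example, not code from this thread or from FreeRADIUS: it encodes that triple in RADIUS attribute wire format and decodes it back the way an RFC 3580 authenticator would, rejecting replies where the three attributes are missing, carry different tags, or name an impossible VLAN. The attribute numbers and values come from RFC 2868 and RFC 3580; the assumption is that the authenticator honours those standard attributes rather than a vendor-specific one.

```python
import struct  # only used for the length sanity check below

# RADIUS tunnel attribute type numbers (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values RFC 3580 mandates for 802.1X VLAN assignment
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_integer(attr_type, tag, value):
    """Encode a tagged integer attribute: type, length, tag byte, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def _tagged_string(attr_type, tag, text):
    """Encode a tagged string attribute: type, length, tag byte, ASCII text."""
    body = bytes([tag]) + text.encode("ascii")
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_vlan_attributes(vlan_id, tag=1):
    """Return the three attributes an Access-Accept carries to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(raw):
    """Split a RADIUS attribute blob into (type, value) pairs, checking lengths."""
    out = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("BB", raw[i:i + 2])
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        out.append((atype, raw[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(raw):
    """Return the VLAN id an Access-Accept assigns, or None when the tunnel
    attributes are absent, inconsistent, or not a VLAN/IEEE-802 pair."""
    groups = {}  # tag -> {attribute type: decoded value}
    for atype, value in parse_attributes(raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                return None
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            if value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    # Only a tag group that carries all three attributes with the RFC 3580 values counts
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            text = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
    return None


if __name__ == "__main__":
    reply = encode_vlan_attributes(100)  # constructed sample reply
    print(reply.hex(), "->", assigned_vlan(reply))
```

The decoder deliberately returns None rather than guessing when the three attributes disagree, which is the safe default for a port that should otherwise stay on its guest or quarantine VLAN.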
