Machine authentication

[George KNIGHT]

Thank you for your reply David.
I have a long way to go I guess.

Have a nice day.

/GK



On Tue, May 6, 2008 at 10:02 AM, David Mitton <david at mitton.com> wrote:

>  George,
>
>    Your message came through just fine.  But this is a voluntary list of
> users, and your question falls into an area that over hangs a long way
> outside of FreeRadius, possibly outside of the expertise in this group.   I
> know a little about this space, so FWIW:
>
> First off, Big Picture: to a certain extent, FR doesn't care if you are
> authenticating a user or a machine.  It just approves (Access-Accept) the
> wireless connect or not.  You have to configure FR so it finds, resolves and
> can authenticate the credentials supplied.
>
> In your case EAP-TLS would be appropriate.  I believe Microsoft gives you
> one of them on WinCE.   You will have to install certs on the WinCE devices
> that meet the criteria on the client and server EAP-TLS module.
>
> If you are trying to use FR to front end an Active Directory installation,
> this becomes more complicated.  (I cannot describe that to you)
>
> But even so, Remote Access authentication to AD is not a User logon, it's
> just access.  The defaults favor user credentials or certificates, but you
> can configure anything that works, doesn't have to be users.
>
> Also, WinCE "machines" are not the same as WinXP systems with their
> relationship to an Active Directory.  They are not domain members that logon
> AD users.   So this is not "machine authentication" in the AD sense.    That
> said, the EAP system in WinCE is a fairly equivalent to the XP EAP,  But I'm
> not sure if there is automatic machine connection attempt or what the source
> of credentials would be. (maybe from the registry?)  Likely if the ability
> exists, you have to define it in the EAP configuration.   This is a WinCE
> EAP client issue.
>
> Good luck,
>
> Dave.
>
>
>
> May 6, 2008 08:49:37 AM, freeradius-users at lists.freeradius.org wrote:
>
> Hi,
> I sent an email to the list yesterday but it seems it wasn't delivered.
> I'm resending it again.
>
> /GK
>
> On Mon, May 5, 2008 at 12:10 PM, George KNIGHT <georgeknight at gmail.com>
> wrote:
>
> > Hello All,
> > I've been trying to setup an environment where WinCE OS client computers
> > authenticate themselves using wireless connection to the freeradius v.2.0.3
> >  server with PEAP. The authenticator will eventually be Cisco AP1242 AP but
> > for now I am using Symbol AP300.
> >
> > The way that I want to set this up is that the computers with WinCE OS
> > will be used by users who shouldn't be asked any user name or input. All I
> > want is WinCE machines to authenticate themselves with freeradius through
> > certificates. Basically, I want machine authentication as opposed to user
> > authentication.
> >
> > Is there specific changes I have to do on conf files for this to work?
> > Or any change at the client machines?
> >
> > Thank you.
> > George Knight
> >
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080506/a0f8468f/attachment.html>