Windows client MS-chap auto-reauthentication

Vieri rentorbuy at yahoo.com
Sun Oct 18 21:07:40 CEST 2009


Hello,

I'm connecting Windows clients to a LAN via Linksys access points and a Freeradius server.
I'm using EAP/TLS with certificates installed on the clients and in modules/mschap I defined:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key  --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI_DATA --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

So the Windows clients must have a certificate and login with the credentials of an Active Directory user member of the WIFI_DATA group.

This setup works fine. However, I'm seeing a major difference between a Windows XP pro SP2 client and a Windows Vista:
if the Vista client (laptop) reboots the OS then access to the LAN via WIFI requires the user to re-enter login username and password, as expected.
If the XP client reboots the OS then user credentials seem to be automatically sent to the Radius server again, as if they were stored on the system (no user interaction).

Can I change this behavior and require the user to re-send their login data each time the Windows session is closed or the OS reboots?
I realize this is a "client-only" issue and that freeradius can't possibly detect the difference between the 2 cases (or can it?) but I am concerned that if, for example, the XP laptop is stolen (or unauthoritatively lent) then all the "unwanted" user needs to do to access our LAN is boot the OS, unless the legitimate user's password has expired. The laptop is for a hospital's Emergency department so it's easy to imagine that it cannot be under 24-hour surveillance (but usually, the legitimate users switch the device off when done working or the laptop automatically turns off after an inactivity timeout).

Does anyone know:
why XP re-authenticates automatically and how to disable it?
why Vista doesn't behave the same way?
if installing SP3 on XP removes this feature?
if something can be done on freeradius to discriminate manual logins from auto-logins?

I'm running freeradius 2.0.5 on Linux.

Thank you,

Vieri
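Added illustration (not part of the post above and not FreeRADIUS's own code): a small Python expander for the `%{Attr:-Default}` substitution syntax used in the ntlm_auth line, showing which argv ntlm_auth is handed when Stripped-User-Name is present, when only User-Name is, and when nothing is. The `mschap:Challenge` and `mschap:NT-Response` module expansions are modelled as plain dictionary keys and the sample requests are constructed; both are assumptions of this example.

```python
NTLM_AUTH_TEMPLATE = (
    r'/usr/bin/ntlm_auth --request-nt-key '
    r'--username=%{Stripped-User-Name:-%{User-Name:-None}} '
    r'--domain=DOMAIN --require-membership-of=DOMAIN\WIFI_DATA '
    r'--challenge=%{mschap:Challenge:-00} '
    r'--nt-response=%{mschap:NT-Response:-00}'
)

def _matching_brace(s, open_idx):
    """Index of the '}' that closes the '{' at open_idx (handles nesting)."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == '{':
            depth += 1
        elif s[j] == '}':
            depth -= 1
            if depth == 0:
                return j
    raise ValueError('unbalanced %{ in template')

def expand(template, attrs):
    """Expand %{Name} and %{Name:-Default} against a dict of request attributes.
    A default may itself contain references; a missing attribute with no default
    expands to ''. Module xlats (mschap:...) are simplified to plain dict keys."""
    out, i = [], 0
    while i < len(template):
        if template.startswith('%{', i):
            end = _matching_brace(template, i + 1)
            name, has_default, default = template[i + 2:end].partition(':-')
            value = attrs.get(name)
            if value is None:
                value = expand(default, attrs) if has_default else ''
            out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return ''.join(out)

def ntlm_auth_argv(attrs):
    """argv the mschap module would pass to ntlm_auth for this request."""
    return expand(NTLM_AUTH_TEMPLATE, attrs).split()

# Constructed sample requests (not taken from the post).
REQUEST_WITH_REALM = {'User-Name': 'jdoe@DOMAIN', 'Stripped-User-Name': 'jdoe',
                      'mschap:Challenge': '0a1b2c3d4e5f6071', 'mschap:NT-Response': '11' * 24}
REQUEST_BARE = {'User-Name': 'jdoe'}   # no realm stripping, no MS-CHAP data
```

Running `ntlm_auth_argv` over an empty request shows the `:-None` and `:-00` fallbacks kicking in, which is why a request without MS-CHAP data still produces a well-formed (but failing) ntlm_auth call.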