Windows client MS-chap auto-reauthentication

Doc Phillips foolsday74 at gmail.com
Tue Oct 20 05:35:58 CEST 2009


Hello,

I tried asking the post with no response but was hoping you could assist in
my search.  I'm currently running a M$ implementation of radius (IAS) for a
small number of users/computers (roughly 300 users and 700 devices all
microsoft based).

I'm trying to prevent rogue devices from connecting to production and
obviously only allow valid users & devices.  The current setup states
members of domain computers or domain users are allowed to auth against the
radius server.  Do you know if it's possible through freeradius to allow
these devices AND these users only?  We're using eap-peap-mschapv2 as our
current authentication method.  Is there a way using --require-membership-of
to combine users AND groups perhaps through some type of regular expression?
Is this some type of limitation of peap mschapv2 that's preventing this
from happening?

As of now the os of choice is freebsd 7.2 running freeradius 2.x.

Any insight would be greatly appreciated.

Best regards,
D. Phillips

On Sun, Oct 18, 2009 at 3:07 PM, Vieri <rentorbuy at yahoo.com> wrote:

> Hello,
>
> I'm connecting Windows clients to a LAN via Linksys access points and a
> Freeradius server.
> I'm using EAP/TLS with certificates installed on the clients and in
> modules/mschap I defined:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>  --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN
> --require-membership-of=DOMAIN\\WIFI_DATA
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> So the Windows clients must have a certificate and login with the
> credentials of an Active Directory user member of the WIFI_DATA group.
>
> This setup works fine. However, I'm seeing a major difference between a
> Windows XP pro SP2 client and a Windows Vista:
> if the Vista client (laptop) reboots the OS then access to the LAN via WIFI
> requires the user to re-enter login username and password, as expected.
> If the XP client reboots the OS then user credentials seem to be
> automatically sent to the Radius server again, as if they were stored on the
> system (no user interaction).
>
> Can I change this behavior and require the user to re-send their login data
> each time the Windows session is closed or the OS reboots?
> I realize this is a "client-only" issue and that freeradius can't possibly
> detect the difference between the 2 cases (or can it?) but I am concerned
> that if, for example, the XP laptop is stolen (or unauthoritatively lent)
> then all the "unwanted" user needs to do to access our LAN is boot the OS,
> unless the legitimate user's password has expired. The laptop is for a
> hospital's Emergency department so it's easy to imagine that it cannot be
> under 24-hour surveillance (but usually, the legitimate users switch the
> device off when done working or the laptop automatically turns off after an
> inactivity timeout).
>
> Does anyone know:
> why XP re-authenticates automatically and how to disable it?
> why Vista doesn't behave the same way?
> if installing SP3 on XP removes this feature?
> if something can be done on freeradius to discriminate manual logins from
> auto-logins?
>
> I'm running freeradius 2.0.5 on Linux.
>
> Thank you,
>
> Vieri
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
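The `%{Stripped-User-Name:-%{User-Name:-None}}` fallbacks in the ntlm_auth line quoted above are easy to misread, so here is an added Python example (not part of this thread or of FreeRADIUS itself) that expands those references the way the xlat syntax does and rebuilds the command line the server would hand to ntlm_auth. It assumes FreeRADIUS 2.x semantics: a reference yields the attribute's value if the attribute exists in the request, otherwise its default, which may itself nest further references.

```python
# Added example: expansion of %{Attr:-default} references as used in the
# quoted mschap ntlm_auth line. Assumed FreeRADIUS 2.x xlat semantics: value
# if the attribute exists, otherwise the default (which may nest references).

# Template copied from the quoted configuration (config backslash unescaped).
NTLM_AUTH_TEMPLATE = (
    "/usr/bin/ntlm_auth --request-nt-key"
    " --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN"
    " --require-membership-of=DOMAIN\\WIFI_DATA"
    " --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
)

def _parse_ref(s, start):
    """Parse the %{Key:-default} at s[start]; return (key, default, index of '}')."""
    depth, split, i = 0, None, start
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:  # closing brace of the outermost reference
                if split is None:
                    return s[start + 2:i], None, i
                return s[start + 2:split], s[split + 2:i], i
        elif depth == 1 and split is None and s.startswith(":-", i):
            split = i  # first top-level ':-' separates key from default
        i += 1
    raise ValueError("unbalanced %{ in xlat string")

def expand_xlat(template, attrs):
    """Expand every %{...} reference in template against the request attrs."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        key, default, close = _parse_ref(template, i)
        if key in attrs:
            out.append(attrs[key])
        elif default is not None:
            out.append(expand_xlat(default, attrs))  # nested fallback
        # a missing attribute with no default expands to the empty string
        i = close + 1
    return "".join(out)

def ntlm_auth_command(attrs):
    """The ntlm_auth command line FreeRADIUS would run for these request attrs."""
    return expand_xlat(NTLM_AUTH_TEMPLATE, attrs)
```

Note what reaches ntlm_auth when the request lacks the expected attributes: the username becomes the literal `None` and the challenge and response become `00`, which is worth keeping in mind when reading ntlm_auth failures in the debug output.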

