Design question

Matthew Newton mcn4 at leicester.ac.uk
Thu Feb 2 23:47:33 CET 2012


Hi,

On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
> We primarily use windows 7 on the machines that will authenticate, and
> they are all connected to cisco switches and access points.  If I
> understand things correctly I have the option of authenticating based
> on users, certificates or users and certificates.

In Windows, using the built-in supplicant, you have the following
choices:

PEAP/MS-CHAPv2 - "user"
EAP-TLS - certificate ("user" or "computer")
PEAP/EAP-TLS - certificate, again user or computer.

Windows barfs if you ask PEAP to supply a client certificate, so
you can't do certificate auth AND user/password at the same time.

If you install a third-party supplicant then it will likely have
many different EAP methods, read up on what you're getting first.

> In our environment I don't see the need to add users into the
> mix as almost all of the machines are shared machines where
> multiple users will authenticate on the same machines.  We also
> push applications to the machines when users are not logged into
> them so we need the computer to authenticate on its own when it
> boots up.

There are few reasons why you'd want to go to the extra config of
PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer
auth (certificate in the computer 'personal' store, not in the
user 'personal' store), the network will come up soon after the
machine boots, before the GINA login (for wireless, assuming it's
set to automatically connect). This sounds like what you want.


> From what I understand I need to create myself a certificate and
> install that certificate into the freeradius server and into each of
> my client computers.

That will work, but you shouldn't. Create a different certificate
for each client, and for the radius server, all signed by the same
CA.

> Which EAP type should I use if I only want the computers to
> authenticate using certificates?  EAP-TLS?

See above. Built-in supplicant with EAP-TLS is probably your
easiest route.

> I am guessing I should be using WPA2/Enterprise on the clients for the
> 802.1x authentication on the Windows 7 clients?  And set it to use
> computer authentication only?

That's one way to do it - you need WPA2 enterprise (the enterprise
bit being the important word). "Computer auth only" set means it
won't go looking for certs in users' personal certificate store,
which is probably what you want.

> Do I need a signed third party certificate or can I use a self signed one?

Best practice is to create your own CA & sign using that. You
really must use your own CA for client cert validation with
EAP-TLS unless you want to allow anyone on.

> Could a user not just export the certificate from the computer and
> import it into their own computer, configure their network settings
> and get on the network?

[certificate and key] Yes.

> Or is there a mechanism to keep people from doing this?  Perhaps
> a password encrypted in the certificate?

You can generally set keys as 'non-exportable'. Of course, that's
just a flag, and doesn't actually mean that there isn't a way to
get the key out. Google will give you an answer for extracting
Windows keys after a quick search (I haven't tried it). Just
remember, the cert is on the device that the user is holding.

If you detect that a certificate has been compromised (heuristics
such as checking certificate always comes from same MAC address
might help) then you revoke the cert (CRL / OCSP) and haul the
user in...

> Is there anything else I am missing?

Coffee. Drink lots of coffee.


On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
> If I wanted redundancy should I just setup a secondary radius server
> with the same settings and add it to the list of servers that are
> available?

Yes. Your NAS should rotate round the available RADIUS servers if
one stops responding.

Cheers,

Matthew


[0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why,
    and a mini "how-to" at http://q.asd.me.uk/pet

-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
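The "certificate always comes from the same MAC address" heuristic mentioned above, as an added example that is not part of the original post: a small Python detector that reads FreeRADIUS-style "Auth: Login OK" log lines and flags any certificate identity that authenticates from more than one Calling-Station-Id. The log line shape is an assumption modelled on radius.log, and the sample lines (hosts pc01/pc02, the switch and AP names, the MACs) are constructed for the example.

```python
"""Heuristic detector for a copied or shared EAP-TLS client certificate.

Added example, not code from the mailing-list post or the FreeRADIUS
project. It reads lines in the shape of FreeRADIUS "Auth: Login OK"
messages (assumed format, modelled on radius.log) and reports any
certificate identity that turns up from more than one client MAC.
"""
import re
from collections import defaultdict

# Assumed log line shape (FreeRADIUS radius.log style, an assumption):
#   <date> : Auth: Login OK: [<identity>] (from client <nas> port <n> cli <mac>)
LOGIN_OK = re.compile(
    r"^(?P<when>.+?) : Auth: Login OK: \[(?P<identity>[^\]]+)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)$"
)

# Constructed sample: pc02's certificate is later seen from a second MAC
# on a different NAS, which is the pattern worth investigating.
SAMPLE_LOG = """\
Thu Feb  2 08:01:10 2012 : Auth: Login OK: [host/pc01.example.org] (from client sw-lab1 port 5 cli 00-11-22-33-44-01)
Thu Feb  2 08:02:41 2012 : Auth: Login OK: [host/pc02.example.org] (from client sw-lab1 port 6 cli 00-11-22-33-44-02)
Thu Feb  2 08:05:03 2012 : Auth: Login OK: [host/pc01.example.org] (from client sw-lab1 port 5 cli 00-11-22-33-44-01)
Thu Feb  2 13:17:55 2012 : Auth: Login OK: [host/pc02.example.org] (from client ap-library port 0 cli 08-00-27-AA-BB-CC)
Thu Feb  2 13:20:12 2012 : Auth: Login incorrect: [host/pc09.example.org] (from client sw-lab1 port 9 cli 00-11-22-33-44-09)
"""


def parse_logins(text):
    """Yield (when, identity, nas, mac) for every successful login line.

    Failed logins and unrelated lines are skipped; MACs are upper-cased so
    that differently formatted reports of the same adapter compare equal.
    """
    for line in text.splitlines():
        m = LOGIN_OK.match(line)
        if m:
            yield m["when"], m["identity"], m["nas"], m["cli"].upper()


def find_shared_certs(text):
    """Return {identity: [(mac, first_seen, nas), ...]} for identities seen
    from more than one MAC, in the order each MAC was first observed.

    Caveat: a machine with both a wired and a wireless adapter legitimately
    shows two MACs, so treat a hit as a lead to check, not proof of copying.
    """
    first_seen = defaultdict(dict)  # identity -> mac -> (when, nas)
    for when, identity, nas, mac in parse_logins(text):
        first_seen[identity].setdefault(mac, (when, nas))
    return {
        identity: [(mac, when, nas) for mac, (when, nas) in macs.items()]
        for identity, macs in first_seen.items()
        if len(macs) > 1
    }


def report(text):
    """Render the findings as one line per suspicious identity."""
    lines = []
    for identity, sightings in find_shared_certs(text).items():
        seen = "; ".join(f"{mac} via {nas} at {when}" for mac, when, nas in sightings)
        lines.append(f"REVIEW {identity}: seen from {len(sightings)} MACs: {seen}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real radius.log and the output names each certificate identity worth pulling aside; the follow-up the post describes (revoke via CRL/OCSP) stays a manual decision, because dual-adapter machines will trip this check too.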
