FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

Caines, Max Max.Caines at wlv.ac.uk
Mon Dec 15 11:16:05 CET 2014


If you are running NPS on your DCs, I can see why you might not want to expose them to wireless clients. Here we have two separate NPS servers. Anyway, FR is much more flexible than NPS as a front-end, and talks better to NRPS. We're running NPS as a proxy behind it

Regards

Max

-----Original Message-----
From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of Tim Reimers
Sent: 12 December 2014 19:47
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

The Network Policy Server route is what Meraki describes, although they want to have the Meraki access points talk directly to the NPS server, not with FreeRadius in between.

However, what we want to do is use Freeradius as a go-between for a couple of reasons -
- One, it allows us to specially define non-AD devices and allow them
- Second, it stops the wireless users and APs on the DMZ from talking directly to our domain controllers, which is a desired security stance from our network users..

-----Original Message-----
From: freeradius-users-bounces+treimers=ashevillenc.gov at lists.freeradius.org [mailto:freeradius-users-bounces+treimers=ashevillenc.gov at lists.freeradius.org] On Behalf Of Caines, Max
Sent: Friday, December 12, 2014 2:42 PM
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

There are two ways to authenticate to AD from FreeRadius. One is to use Winbind/Samba, as described in that document. The other is to proxy the requests to NPS servers. It's mostly a question of which you find simpler. NPS can be badly behaved; it's quite prone to discarding packets without replying, which leads to other RADIUS servers marking it as dead. However, the Eduroam site has some useful notes on making it a better citizen (see https://community.ja.net/groups/eduroam/article/improving-reliability-microsoft-nps-authentication-provider-eduroam), and we've been running it successfully for several years. I found it easier to set up proxying to NPS than to install Samba and set up Winbind/NTLM; you might feel differently. 

I thought I had seen a document about proxying from FR to NPS in the pst, but I'm afraid I can't track it down

Regards

Max
________________________________________
From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org [freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] on behalf of Tim Reimers [treimers at ashevillenc.gov]
Sent: 12 December 2014 15:54
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With       ActiveDirectory interconnection..

Is this the correct document to follow?

http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO


-----Original Message-----
From: freeradius-users-bounces+treimers=ashevillenc.gov at lists.freeradius.org [mailto:freeradius-users-bounces+treimers=ashevillenc.gov at lists.freeradius.org] On Behalf Of Tim Reimers
Sent: Friday, December 12, 2014 10:28 AM
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

Thanks Max and Alan --

Can someone point me to the best and newest documentation to use in setting this up?
I see docs that refer to Freeradius 1.X and 2.X, but I'm not sure if everything in those is accurate for 3.0

thanks, Tim

-----Original Message-----
From: freeradius-users-bounces+treimers=ashevillenc.gov at lists.freeradius.org [mailto:freeradius-users-bounces+treimers=ashevillenc.gov at lists.freeradius.org] On Behalf Of Caines, Max
Sent: Friday, December 12, 2014 8:43 AM
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

As I understand it, when you configure 802.1x authentication on Windows, provided you tick the relevant box, Windows will authenticate twice, using the computer account and then the user account. Only after that does domain authentication direct to a DC kick in. It is possible to omit either stage, but I think only group policy can force use of the computer account only

Regards

Max

-----Original Message-----
From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 12 December 2014 11:43
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

I wouldn't contradict anything others have said about this one, they know their stuff more than me, but we *sort of* do this - user auth using 802.1x plus mac address auth with macs stored in AD. Most wireless controllers I've seen will support 802.1x + MAC , and do it as 2 separate authentication transactions. Some will also let you decide the order the transactions appear in.
Mac auth isn't great on its own, but in addition to 802.1x you are authing the user/whole computer with certs and the computer with mac addresses.
Just my 2p, possibly off track or wrong practice though!
Andy

-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of Tim Reimers
Sent: 11 December 2014 20:17
To: freeradius-users at lists.freeradius.org
Subject: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..


Hi everyone -

I'm trying to design something here that I'm sure has been done before, but AFAIK, it crosses through a few different howto documents, and being new to this, I'm just not certain that I have pieced together all the relevant HOWTo docs and not missed a point at which the design won't communicate the needed information.

The plan is to authenticate wireless users AND their computers. (so that a user cannot BYOD to the secure network; only laptops joined to the domain will work)

I know that WPA2-Enterprise is what I need, to be able to have rotating keys, use Radius for authentication, etc.
I know that WPA2-Enterprise requires certificates to validate the machines

I already have a Microsoft CA server running in my AD environment, with the GPO needed to push out workstation certificate enrollment and so on, for other applications.

My question is -
Can FreeRadius (3.0.1) on centos 7
be configured to do the machine authentication using certs from the Microsoft CA server?
Meraki is the wireless infrastructure, if that helps.

Thanks, Tim

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Scanned by iCritical.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Scanned by iCritical.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Scanned by iCritical.


More information about the Freeradius-Users mailing list