Emulate AD-based machine authentication

Munroe Sollog mus3 at lehigh.edu
Thu Feb 20 23:08:48 CET 2020


I was able to track down the problem a bit and wanted to share my findings
for the next guy.

It seems that Windows 10 (didn't test older OSes) will automatically trust
a certificate presented to it by a radius server *if* the certificate is
signed by a CA that exists in the system's CA store (GoDaddy, Thawte,
Verisign, etc...) when doing machine-based authentication.  In my
environment, our NPS (Microsoft) server was using a GoDaddy certificate
while my freeradius server was using a self-signed cert.

As soon as we dropped the self-signed certificate in the trusted cert store
of the laptop, machine authentication "just worked".  As an aside, it also
looks like at some point Windows has stopped displaying any information
about the certificate presented for wireless authentication except for the
thumbprint, which is a departure from older versions that displayed a lot
more information about it.



On Wed, Feb 19, 2020 at 7:52 AM Munroe Sollog <mus3 at lehigh.edu> wrote:

> Interesting, thanks for the help.
>
> On Wed, Feb 19, 2020 at 4:00 AM Josef Vybíhal <josef.vybihal at gmail.com>
> wrote:
>
>> Hi,
>> if winbind works for you, the "machine auth" should too. When the Windows
>> supplicant is set to do machine auth, it uses a username in the form
>> 'host/hostname.your.domain'. Internally in AD, it's an object similar to a
>> user account, with additional class(es). It has its own samaccountname and
>> userprincipalname. It also has a password, which is changed by default every
>> 30 days (
>>
>> https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-password-process-2
>> ).
>>
>> Here is example machine auth request from debug log.
>> (0) Received Access-Request Id 114 from 172.24.254.250:32774 to
>> 172.24.1.6:1812 length 344
>> (0)   User-Name = "host/PROBOOK.ABC.cz"
>> (0)   Chargeable-User-Identity = 0x00
>> (0)   Location-Capable = Civic-Location
>> (0)   Calling-Station-Id = "20-10-7a-01-77-fe"
>> (0)   Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
>> (0)   NAS-Port = 1
>> (0)   Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9"
>> (0)   Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853"
>> (0)   Cisco-AVPair = "mDNS=true"
>> (0)   NAS-IP-Address = 172.25.100.100
>> (0)   NAS-Identifier = "CT2504_100.100"
>> (0)   Airespace-Wlan-Id = 1
>> (0)   Service-Type = Framed-User
>> (0)   Framed-MTU = 1300
>> (0)   NAS-Port-Type = Wireless-802.11
>> (0)   Tunnel-Type:0 = VLAN
>> (0)   Tunnel-Medium-Type:0 = IEEE-802
>> (0)   Tunnel-Private-Group-Id:0 = "666"
>> (0)   EAP-Message = 0x...
>> (0)   Message-Authenticator = 0x...
>>
>> Run your radiusd in radiusd -X and set windows to do machine auth, and you
>> will see something similar as above.
>>
>>
>> Then in post-auth you can, for example, do some checking like
>> if ( &User-Name =~ /^host\/.*$/) {
>>   update reply {
>>     ...
>>   }
>> ...
>>
>>
>> Hope that helps,
>>
>> P.
>>
>>
>>
>>
>> On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3 at lehigh.edu> wrote:
>>
>> > I am trying to replace our current Microsoft NPS server with
>> freeradius.  I
>> > was able to follow the docs and use winbind to get PEAP-mschap user
>> > authentication working flawlessly.  The last piece of this puzzle is,
>> NPS
>> > has a "magic checkbox" that enables machine-based authentication.  I
>> have
>> > been trying to figure out what that checkbox does, without much luck.
>> >
>> > My best guess is that it's using the Active Directory certificates to do
>> > EAP-TLS auth, but that is just my guess.  Has anyone ever tried to
>> > replicate this feature? or have any insight?  I realize this isn't
>> strictly
>> > a freeradius question, but thought I would ask.
>> >
>> >
>> >
>> > --
>> > Munroe Sollog
>> > Senior Network Engineer
>> > munroe at lehigh.edu
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
>


-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
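As an added example (not from the thread or from FreeRADIUS itself), the Python below applies Josef's `^host/` test to the `radiusd -X` output he quoted: it parses the attribute lines into a dict and, for a machine-auth request, derives the AD computer account name (`HOSTNAME$`, the standard sAMAccountName form for computer objects, which is general knowledge rather than something stated in the thread). The debug text is the thread's own excerpt trimmed to the attributes used; the `ABC\jdoe` and `host/LAPTOP` values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the radiusd -X output quoted in the thread (trimmed to the attributes used here).
SAMPLE_DEBUG = """\
(0) Received Access-Request Id 114 from 172.24.254.250:32774 to 172.24.1.6:1812 length 344
(0)   User-Name = "host/PROBOOK.ABC.cz"
(0)   Calling-Station-Id = "20-10-7a-01-77-fe"
(0)   Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
(0)   Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9"
(0)   Cisco-AVPair = "mDNS=true"
(0)   NAS-IP-Address = 172.25.100.100
(0)   NAS-Port-Type = Wireless-802.11
(0)   Tunnel-Private-Group-Id:0 = "666"
"""

# "(0)   Name[:tag] = value"; the "Received Access-Request ..." header has no " = " and is skipped.
ATTR_LINE = re.compile(r'^\(\d+\)\s+([\w-]+)(?::\d+)?\s+=\s+(.*)$')
# Same test Josef's unlang uses (&User-Name =~ /^host\/.*$/), split into host and optional realm.
MACHINE_USER = re.compile(r'^host/([^./]+)(?:\.(.+))?$')


def parse_request(debug: str) -> Dict[str, List[str]]:
    """Collect the attribute lines of one request; repeated attributes (Cisco-AVPair) become lists."""
    attrs: Dict[str, List[str]] = {}
    for line in debug.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # freeradius prints string attributes quoted
        attrs.setdefault(name, []).append(value)
    return attrs


def classify(attrs: Dict[str, List[str]]) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (is_machine_auth, computer_account, realm) for a parsed request."""
    user = attrs.get('User-Name', [''])[0]
    m = MACHINE_USER.match(user)
    if not m:
        return (False, None, None)  # ordinary user logon such as "ABC\\jdoe"
    host, realm = m.group(1), m.group(2)
    # AD computer objects carry sAMAccountName HOSTNAME$ (general AD fact, not from the thread).
    return (True, host.upper() + '$', realm)


if __name__ == '__main__':
    print(classify(parse_request(SAMPLE_DEBUG)))
```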

