<div dir="ltr"><div><div>An issue that I've experienced when proxying requests from FR to NPS is that NPS will not return the user-name attribute in the accept packet. This impacts your accounting data as well as any user-specific information your AP may be displaying. Instead of showing you the inner identity, your accounting data or AP will display the outer identity, also known as the anonymous identity. This may be an issue for some environments.<br><br></div>There is a way to update the accept packet post proxy and add the user-name attribute, but I've yet to get it working in the 3.0.x branch.<br><br></div>#!Chris<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 17, 2014 at 1:10 PM, Philippe MARASSE <span dir="ltr"><<a href="mailto:philippe.marasse@ch-poitiers.fr" target="_blank">philippe.marasse@ch-poitiers.fr</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">My 2p<br>
<br>
In our organization, I've configured FR 3.0.x for our wireless clients :<br>
- PCs in AD domain (EAP-PEAP / MS-ChapV2)<br>
- Mac and other devices (EAP-TLS)<br>
<br>
We only use computer authentication, pushed by GPO. WiFi profile is also pushed by GPO. We have Windows 7 clients only.<br>
<br>
AD members are proxied by FR to NPS service, others are handled directly by FR. I find this configuration quite easy to do as AD members announce themselves as host/computer.domain.<br>
<br>
It works fine for half a year now...<br>
<br>
Regards.<br>
<br>
On 15/12/2014 17:38, Tim Reimers wrote:<div class="HOEnZb"><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
That's what I'm aiming to do<br>
<br>
Thanks for confirming that NPSs can run as separate servers from being _on_ the Domain Controllers.<br>
Much documentation exists indicating NPS on the DC, but I hadn't yet had time to check and wonder if it could run on its own VM or as part of a VM doing other tasks.<br>
<br>
Good also to see your thoughts on FR talking nicely to NPSs on the back end and being more flexible.<br>
That's the other reason I'd decided to do FR between the APs and the (possible) NPSs server.<br>
It gives me the ability to allow/disallow certain things independently of Active Directory, such as for devices that cannot do AD or that we don't want to integrate into AD.<br>
<br>
thanks, Tim<br>
<br>
________________________________________<br>
From: freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org [freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org] on behalf of Caines, Max [<a href="mailto:Max.Caines@wlv.ac.uk" target="_blank">Max.Caines@wlv.ac.uk</a>]<br>
Sent: Monday, December 15, 2014 5:16 AM<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
If you are running NPS on your DCs, I can see why you might not want to expose them to wireless clients. Here we have two separate NPS servers. Anyway, FR is much more flexible than NPS as a front-end, and talks better to NRPS. We're running NPS as a proxy behind it.<br>
<br>
Regards<br>
<br>
Max<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org] On Behalf Of Tim Reimers<br>
Sent: 12 December 2014 19:47<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
The Network Policy Server route is what Meraki describes, although they want to have the Meraki access points talk directly to the NPS server, not with FreeRadius in between.<br>
<br>
However, what we want to do is use Freeradius as a go-between for a couple of reasons -<br>
- One, it allows us to specially define non-AD devices and allow them<br>
- Second, it stops the wireless users and APs on the DMZ from talking directly to our domain controllers, which is a desired security stance from our network users..<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org [mailto:freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org] On Behalf Of Caines, Max<br>
Sent: Friday, December 12, 2014 2:42 PM<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
There are two ways to authenticate to AD from FreeRadius. One is to use Winbind/Samba, as described in that document. The other is to proxy the requests to NPS servers. It's mostly a question of which you find simpler. NPS can be badly behaved; it's quite prone to discarding packets without replying, which leads to other RADIUS servers marking it as dead. However, the Eduroam site has some useful notes on making it a better citizen (see <a href="https://community.ja.net/groups/eduroam/article/improving-reliability-microsoft-nps-authentication-provider-eduroam" target="_blank">https://community.ja.net/groups/eduroam/article/improving-reliability-microsoft-nps-authentication-provider-eduroam</a>), and we've been running it successfully for several years. I found it easier to set up proxying to NPS than to install Samba and set up Winbind/NTLM; you might feel differently.<br>
<br>
I thought I had seen a document about proxying from FR to NPS in the past, but I'm afraid I can't track it down.<br>
<br>
Regards<br>
<br>
Max<br>
________________________________________<br>
From: freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org [freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org] on behalf of Tim Reimers [<a href="mailto:treimers@ashevillenc.gov" target="_blank">treimers@ashevillenc.gov</a>]<br>
Sent: 12 December 2014 15:54<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
Is this the correct document to follow?<br>
<br>
<a href="http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO" target="_blank">http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO</a><br>
<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org [mailto:freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org] On Behalf Of Tim Reimers<br>
Sent: Friday, December 12, 2014 10:28 AM<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
Thanks Max and Alan --<br>
<br>
Can someone point me to the best and newest documentation to use in setting this up?<br>
I see docs that refer to Freeradius 1.X and 2.X, but I'm not sure if everything in those is accurate for 3.0.<br>
<br>
thanks, Tim<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org [mailto:freeradius-users-bounces+treimers=ashevillenc.gov@lists.freeradius.org] On Behalf Of Caines, Max<br>
Sent: Friday, December 12, 2014 8:43 AM<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
As I understand it, when you configure 802.1x authentication on Windows, provided you tick the relevant box, Windows will authenticate twice, using the computer account and then the user account. Only after that does domain authentication direct to a DC kick in. It is possible to omit either stage, but I think only group policy can force use of the computer account only.<br>
<br>
Regards<br>
<br>
Max<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer<br>
Sent: 12 December 2014 11:43<br>
To: FreeRadius users mailing list<br>
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
I wouldn't contradict anything others have said about this one, they know their stuff more than me, but we *sort of* do this - user auth using 802.1x plus MAC address auth with MACs stored in AD. Most wireless controllers I've seen will support 802.1x + MAC, and do it as 2 separate authentication transactions. Some will also let you decide the order the transactions appear in.<br>
MAC auth isn't great on its own, but in addition to 802.1x you are authing the user/whole computer with certs and the computer with MAC addresses.<br>
Just my 2p, possibly off track or wrong practice though!<br>
Andy<br>
<br>
-----Original Message-----<br>
From: freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Tim Reimers<br>
Sent: 11 December 2014 20:17<br>
To: <a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a><br>
Subject: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..<br>
<br>
<br>
Hi everyone -<br>
<br>
I'm trying to design something here that I'm sure has been done before, but AFAIK, it crosses through a few different howto documents, and being new to this, I'm just not certain that I have pieced together all the relevant HOWTo docs and not missed a point at which the design won't communicate the needed information.<br>
<br>
The plan is to authenticate wireless users AND their computers (so that a user cannot BYOD to the secure network; only laptops joined to the domain will work).<br>
<br>
I know that WPA2-Enterprise is what I need, to be able to have rotating keys, use Radius for authentication, etc.<br>
I know that WPA2-Enterprise requires certificates to validate the machines.<br>
<br>
I already have a Microsoft CA server running in my AD environment, with the GPO needed to push out workstation certificate enrollment and so on, for other applications.<br>
<br>
My question is -<br>
Can FreeRadius (3.0.1) on CentOS 7<br>
be configured to do the machine authentication using certs from the Microsoft CA server?<br>
Meraki is the wireless infrastructure, if that helps.<br>
<br>
Thanks, Tim<br>
<br>
-<br>
List info/subscribe/unsubscribe? See<br>
<a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote>
<br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
Philippe MARASSE<br>
<br>
Head of the Infrastructure unit - DSIO<br>
Centre Hospitalier Henri Laborit<br>
CS 10587 - 370 avenue Jacques Coeur<br>
86021 Poitiers Cedex<br>
Tel: 05.49.44.57.19<br>
<br>
<br>
</font></span></blockquote></div></div>
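Added example, written for this page and not taken from any of the posters: a FreeRADIUS 3.0.x configuration sketch for the split Philippe describes (identities of the form host/computer.domain proxied to NPS, everything else such as EAP-TLS devices authenticated locally), with the home_server tuning Max alludes to so that NPS dropping packets does not get it marked dead. The IP address, shared secret and status-check credentials are placeholders, and the timing values are illustrative starting points rather than anything from the thread or the ja.net article. Chris's observation still applies: if NPS omits User-Name from its Access-Accept, accounting will show the outer identity, and nothing below changes that.

```conf
# --- proxy.conf (FreeRADIUS 3.0.x) --------------------------------------
# One NPS home server. NPS does not answer Status-Server, so it is probed
# with a real Access-Request for a user that is guaranteed to be rejected;
# either an Accept or a Reject proves the server is alive.
home_server nps1 {
	type = auth
	ipaddr = 192.0.2.10                 # placeholder: NPS server address
	port = 1812
	secret = CHANGE_ME_SHARED_SECRET    # placeholder

	status_check = request
	username = "test_user_please_reject_me"   # placeholder probe account
	password = "this is really secret"        # placeholder
	check_interval = 30
	num_answers_to_alive = 3

	# NPS silently discards packets it dislikes during EAP conversations.
	# Wait longer before treating it as a zombie, and retry reviving it.
	response_window = 20
	zombie_period = 40
	revive_interval = 120
}

home_server_pool nps_pool {
	type = fail-over
	home_server = nps1
}

realm nps {
	auth_pool = nps_pool
	nostrip       # forward User-Name (host/computer.domain) unchanged
}

# --- sites-enabled/default, authorize section --------------------------
# The realm decision must come BEFORE the eap module: rlm_eap sees
# Proxy-To-Realm and steps aside, so the whole EAP conversation for
# domain computers is carried to NPS. Non-domain devices (no host/ prefix)
# never reach NPS; their EAP-TLS is terminated here, where local policy
# (certificate checks, per-device allow/deny) applies independently of AD.
authorize {
	preprocess

	if (&User-Name =~ /^host\//i) {
		update control {
			&Proxy-To-Realm := "nps"
		}
	}

	eap {
		ok = return
	}

	# ... remaining local authorization (files, certificate policy) ...
}
```

Run `radiusd -X` after editing and watch the debug output for "Proxying request to home server" on a host/ login versus "Continuing tunnel setup" on an EAP-TLS device; the status-check probes from nps1 will also appear there, which is the quickest way to confirm NPS is being kept alive rather than zombied.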