On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Hi,
On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates.
In Windows, using the built-in supplicant, you have the following choices:
PEAP/MS-CHAPv2 - "user" EAP-TLS - certificate ("user" or "computer") PEAP/EAP-TLS - certificate, again user or computer.
Windows barfs if you ask PEAP to supply a client certificate, so you can't do certificate auth AND user/password at the same time.
If you install a third-party supplicant then it will likely have many different EAP methods, read up on what you're getting first.
In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.
There are few reasons why you'd want to go to the extra config of PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer auth (certificate in the computer 'personal' store, not in the user 'personal' store), the network will come up soon after the machine boots, before the GINA login (for wireless, assuming it's set to automatically connect). This sounds like what you want.
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?
Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
See above. Built-in supplicant with EAP-TLS is probably your easiest route.
I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
That's one way to do it - you need WPA2 enterprise (the enterprise bit being the important word). "Computer auth only" set means it won't go looking for certs in users personal certificate store, which is probably what you want.
Do I need a signed third party certificate or can I use a self signed one?
Best practise is to create your own CA & sign using that. You really must use your own CA for client cert validation with EAP-TLS unless you want to allow anyone on.
Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network?
[certificate and key] Yes.
Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
You can generally set keys as 'non-exportable'. Of couse, that's just a flag, and doesn't actually mean that there isn't a way to get the key out. Google will give you an answer for extracting Windows keys after a quick search (I haven't tried it). Just remember, the cert is on the device that the user is holding.
If you detect that a certificate has been compromised (heuristics such as checking certificate always comes from same MAC address might help) then you revoke the cert (CRL / OCSP) and haul the user in...
Is there anything else I am missing?
Coffee. Drink lots of coffee.
On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
If I wanted redundancy should I just setup a secondary radius server with the same settings and add it to the list of servers that are available?
Yes. Your NAS should rotate round the available RADIUS servers if one stops responding.
Cheers,
Matthew
[0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why, and a mini "how-to" at http://q.asd.me.uk/pet
Very nice. This will be helpful.
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html