For a long long time now I've been using freeradius to auth PEAP and EAP-TLS inbound requests from eduroam to our Tier 1 FreeRadius ( 3.0.16) servers. We now want to enable our managed laptops to connect to eduroam at a remote site using machine authentication using EAP-TTLS. I've got part of the way in that I can see an inbound request from host/<fqdn of laptop> and a failure "Login incorrect (mschap: No such user [0xC0000064]): [host/dpslap001.its.york.ac.uk] (from client yorkcc port 76 cli 80-86-F2-E0-7D-24 via TLS tunnel)" So I guess this makes sense as our machines are in a different part of our AD Tree to our users. On our clearpass system I check for a username of the form host/.....york.ac.uk/ and do an auth against different AD tree branch and everything works. I'm using winbindd on our Tier 1 FR servers. Guess I need to create another mschap instance specifically for machine auths and point it at another part of the AD tree. Assuming that's what I have to do, how do I point mschap at a different part of the AD tree for authentication? Rgds Alex
On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using winbindd on our Tier 1 FR servers. Guess I need to create another mschap instance specifically for machine auths and point it at another part of the AD tree.
I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary? Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree. The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-how... I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Haven't gone near the samba config for a long long time. it all worked so left well alone I'll look at the wiki A On 26 March 2018 at 17:44, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using winbindd on our Tier 1 FR servers. Guess I need to create another mschap instance specifically for machine auths and point it at another part of the AD tree.
I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary?
Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree.
The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-how...
I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username.
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Currently using winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK" No ntlm_auth in sight ... must check what stripped username has in it for username of the form host/........ A On 26 March 2018 at 17:59, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Haven't gone near the samba config for a long long time. it all worked so left well alone
I'll look at the wiki A
On 26 March 2018 at 17:44, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 26 Mar 2018, at 17:12, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using winbindd on our Tier 1 FR servers. Guess I need to create another mschap instance specifically for machine auths and point it at another part of the AD tree.
I have never gotten machine authentication to work so have no idea what I'm talking about, but would that be necessary?
Unless you've written some samba config to change the behaviour, I believe ntlm_auth looks at the entire tree - ntlm_auth/libwbclient are happy to authenticate any valid user regardless of position in the tree.
The wiki mentions an interesting snippet of information - it suggests you might need to send "00" as the username: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-how...
I'd also look suspiciously at how the backslashes are being handled (packet capture and see what's really being put on the wire?), and the docs by nt_domain_hack in rlm_preprocess, which suggest you may need to mangle the username.
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well its getting better, I now get Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect (Home Server says so):[host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24) Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect: [host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24) Before I got a no such user, now I'm getting a login incorrect Changes made were winbind_username = "%{%{Stripped-User-Name}:-%{%{User-Name}:-00}}" winbind_domain = "%{%{mschap:NT-Domain}:-ITS.YORK.AC.UK}" A On 27 March 2018 at 03:05, Isaac Boukris <iboukris@gmail.com> wrote:
On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Currently using
winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK"
Perhaps worth trying: winbind_domain = "%{%{mschap:NT-Domain}:-MYDOMAIN}"
On Tue, Mar 27, 2018 at 6:51 PM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Well its getting better, I now get
Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect (Home Server says so):[host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24) Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect: [host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24)
That's not necessarily better. Debugging winbind daemon could give more insights.
When we first set up FR3 with winbind, we found that machine based auth didn't work through winbind, but it did work through ntlm-auth. To solve this, we differentiate the mechanisms for each kind of authentication. In the mschap module, we have a second section called mschap_host in which ntlm-auth is called instead of winbind. I'm not sure if that's been fixed since we first set it up, but it may be worth a try for you. # MSCHAP authentication. Auth-Type MS-CHAP { if (User-Name =~ /^host\//){ mschap_host } else{ mschap } } ________________________________ From: Freeradius-Users <freeradius-users-bounces+trinkleinj=cofc.edu@lists.freeradius.org> on behalf of Isaac Boukris <iboukris@gmail.com> Sent: Tuesday, March 27, 2018 12:05:47 PM To: Alex Sharaz Cc: FreeRadius users mailing list Subject: Re: Using machine auth from a remote eduroam site On Tue, Mar 27, 2018 at 6:51 PM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Well its getting better, I now get
Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect (Home Server says so):[host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24) Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect: [host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24)
That's not necessarily better. Debugging winbind daemon could give more insights. - List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradi...
Thanks for that Jason, I do something similar to differentiate between UoY and HYMS, I’ll try it out Rgds A Sent from my iPhone
On 27 Mar 2018, at 17:19, Trinklein, Jason R <trinkleinj@cofc.edu> wrote:
When we first set up FR3 with winbind, we found that machine based auth didn't work through winbind, but it did work through ntlm-auth. To solve this, we differentiate the mechanisms for each kind of authentication. In the mschap module, we have a second section called mschap_host in which ntlm-auth is called instead of winbind. I'm not sure if that's been fixed since we first set it up, but it may be worth a try for you.
# MSCHAP authentication. Auth-Type MS-CHAP { if (User-Name =~ /^host\//){ mschap_host } else{ mschap } } From: Freeradius-Users <freeradius-users-bounces+trinkleinj=cofc.edu@lists.freeradius.org> on behalf of Isaac Boukris <iboukris@gmail.com> Sent: Tuesday, March 27, 2018 12:05:47 PM To: Alex Sharaz Cc: FreeRadius users mailing list Subject: Re: Using machine auth from a remote eduroam site
On Tue, Mar 27, 2018 at 6:51 PM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Well its getting better, I now get
Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect (Home Server says so):[host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24) Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect: [host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24)
That's not necessarily better. Debugging winbind daemon could give more insights. - List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradi...
On Tue, Mar 27, 2018 at 6:51 PM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Well its getting better, I now get
Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect (Home Server says so):[host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24) Tue Mar 27 16:34:46 2018 : Auth: (24212) Login incorrect: [host/dpslap001.its.york.ac.uk] (from client yorkcc port 178 cli 80-86-F2-E0-7D-24)
Before I got a no such user, now I'm getting a login incorrect
Changes made were winbind_username = "%{%{Stripped-User-Name}:-%{%{User-Name}:-00}}" winbind_domain = "%{%{mschap:NT-Domain}:-ITS.YORK.AC.UK}"
A
On 27 March 2018 at 03:05, Isaac Boukris <iboukris@gmail.com> wrote:
On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Currently using
winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK"
BTW, the default configuration is: winbind_username = "%{mschap:User-Name}" This pulls out the first fqdn component and appends a dollar sign at the end - so it may help.
Hi, On Fri, Mar 30, 2018 at 8:32 PM, Isaac Boukris <iboukris@gmail.com> wrote:
On 27 March 2018 at 03:05, Isaac Boukris <iboukris@gmail.com> wrote:
On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK"
BTW, the default configuration is: winbind_username = "%{mschap:User-Name}"
This pulls out the first fqdn component and appends a dollar sign at the end - so it may help.
FYI, I've just tested machine authentication (with samba git master) using the default config of: winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}" And it worked ok for both a computer from the local domain and one from a child domain. I think it should work fine as long as DNS suffix of the machine matches its domain (like: HOST/hostname.child.domain.com) as that's how 'mschap:NT-Domain' guesses the domain name. Otherwise, if you have mapping knowledge from DNS suffix to domain names, then you can set 'winbind_domain' manually instead of using 'mschap:NT-Domain', however leave 'winbind_username' set to 'mschap:User-Name'. Otherwise, the only way I can think of to reliably lookup machine's name and domain from its service-principal is using global catalog service (in local domain). Example on my lab machine member of domain ACME.COM, and looking up a service from child domain CDOM.ACME.COM, coming with DNS suffix of 'local.net': $ ldapsearch -h wdc.acme.com -D administrator@ACME.COM -p 3268 servicePrincipalName=HOST/IEWIN7C.local.net sAMAccountName distinguishedName msDS-PrincipalName canonicalName -W # LDAPv3 # base <> (default) with scope subtree # filter: servicePrincipalName=HOST/IEWIN7C.local.net # requesting: sAMAccountName distinguishedName msDS-PrincipalName canonicalName dn: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com distinguishedName: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com sAMAccountName: IEWIN7C$ canonicalName: CDOM.acme.com/Computers/IEWIN7C msDS-PrincipalName: CDOM\IEWIN7C$ HTH
o.k. had some success with machine auth. Setting up winbind with winbind_username = "%{mschap:User-Name}" winbind_domain = "ITS.YORK.AC.UK" I managed to get auths to work but the client was reauthenticating every second! Using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=ITS.YORK.AC.UK --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" and the 1 sec reauths stop and I've got a session. On 31 March 2018 at 02:07, Isaac Boukris <iboukris@gmail.com> wrote:
Hi,
On Fri, Mar 30, 2018 at 8:32 PM, Isaac Boukris <iboukris@gmail.com> wrote:
On 27 March 2018 at 03:05, Isaac Boukris <iboukris@gmail.com> wrote:
On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK"
BTW, the default configuration is: winbind_username = "%{mschap:User-Name}"
This pulls out the first fqdn component and appends a dollar sign at the end - so it may help.
FYI, I've just tested machine authentication (with samba git master) using the default config of: winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}"
And it worked ok for both a computer from the local domain and one from a child domain.
I think it should work fine as long as DNS suffix of the machine matches its domain (like: HOST/hostname.child.domain.com) as that's how 'mschap:NT-Domain' guesses the domain name. Otherwise, if you have mapping knowledge from DNS suffix to domain names, then you can set 'winbind_domain' manually instead of using 'mschap:NT-Domain', however leave 'winbind_username' set to 'mschap:User-Name'.
Otherwise, the only way I can think of to reliably lookup machine's name and domain from its service-principal is using global catalog service (in local domain).
Example on my lab machine member of domain ACME.COM, and looking up a service from child domain CDOM.ACME.COM, coming with DNS suffix of 'local.net':
$ ldapsearch -h wdc.acme.com -D administrator@ACME.COM -p 3268 servicePrincipalName=HOST/IEWIN7C.local.net sAMAccountName distinguishedName msDS-PrincipalName canonicalName -W # LDAPv3 # base <> (default) with scope subtree # filter: servicePrincipalName=HOST/IEWIN7C.local.net # requesting: sAMAccountName distinguishedName msDS-PrincipalName canonicalName
dn: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com distinguishedName: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com sAMAccountName: IEWIN7C$ canonicalName: CDOM.acme.com/Computers/IEWIN7C msDS-PrincipalName: CDOM\IEWIN7C$
HTH
Sort of cancel that, the 1 sec reauth is the client. (course it couldn't be the server end). Log in as user, and a machine auth happens and everything is .o.k Let the machine hibernate and I can see auths every second. Wake up screen and manually connect and everything is o.k. again A On 4 April 2018 at 14:08, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
o.k. had some success with machine auth.
Setting up winbind with
winbind_username = "%{mschap:User-Name}" winbind_domain = "ITS.YORK.AC.UK"
I managed to get auths to work but the client was reauthenticating every second!
Using
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=ITS.YORK.AC.UK --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
and the 1 sec reauths stop and I've got a session.
On 31 March 2018 at 02:07, Isaac Boukris <iboukris@gmail.com> wrote:
Hi,
On Fri, Mar 30, 2018 at 8:32 PM, Isaac Boukris <iboukris@gmail.com> wrote:
On 27 March 2018 at 03:05, Isaac Boukris <iboukris@gmail.com> wrote:
On Mon, Mar 26, 2018 at 8:03 PM, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
winbind_username = "%{Stripped-User-Name}" winbind_domain = "ITS.YORK.AC.UK"
BTW, the default configuration is: winbind_username = "%{mschap:User-Name}"
This pulls out the first fqdn component and appends a dollar sign at the end - so it may help.
FYI, I've just tested machine authentication (with samba git master) using the default config of: winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}"
And it worked ok for both a computer from the local domain and one from a child domain.
I think it should work fine as long as DNS suffix of the machine matches its domain (like: HOST/hostname.child.domain.com) as that's how 'mschap:NT-Domain' guesses the domain name. Otherwise, if you have mapping knowledge from DNS suffix to domain names, then you can set 'winbind_domain' manually instead of using 'mschap:NT-Domain', however leave 'winbind_username' set to 'mschap:User-Name'.
Otherwise, the only way I can think of to reliably lookup machine's name and domain from its service-principal is using global catalog service (in local domain).
Example on my lab machine member of domain ACME.COM, and looking up a service from child domain CDOM.ACME.COM, coming with DNS suffix of 'local.net':
$ ldapsearch -h wdc.acme.com -D administrator@ACME.COM -p 3268 servicePrincipalName=HOST/IEWIN7C.local.net sAMAccountName distinguishedName msDS-PrincipalName canonicalName -W # LDAPv3 # base <> (default) with scope subtree # filter: servicePrincipalName=HOST/IEWIN7C.local.net # requesting: sAMAccountName distinguishedName msDS-PrincipalName canonicalName
dn: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com distinguishedName: CN=IEWIN7C,CN=Computers,DC=CDOM,DC=acme,DC=com sAMAccountName: IEWIN7C$ canonicalName: CDOM.acme.com/Computers/IEWIN7C msDS-PrincipalName: CDOM\IEWIN7C$
HTH
Hi, On Wed, Apr 4, 2018 at 5:24 PM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Sort of cancel that, the 1 sec reauth is the client. (course it couldn't be the server end). Log in as user, and a machine auth happens and everything is .o.k
Let the machine hibernate and I can see auths every second. Wake up screen and manually connect and everything is o.k. again
Not sure I understand what's happening, but server debug - preferably along with samba ones, could help (and working-debugs if ntlm_auth works ok).. Also take a look at mschap configuration file, there is an option worth trying: winbind_retry_with_normalised_username Isaac
hi, just a quick point that whilst host/ works locally, these are not legitimate for global eduroam usage - they dont have correct realm syntax for proxying around the world so the auth will work at home but not away - unless you specify a 2nd profile (eg in GPO) offering a 'user auth' (e.g. PEAP) method. of course, since its via GPO you can already have the profile pretty much populated (correct CA, RADIUS server being checked etc) - just ask for user/pass in correct format - ie user education. i've authed users and machines against AD without worrying about the branch - they should be findable with a global auth - however, the username is NOT going to be in Stripped-User-Name - as there is no matching realm you have and therefore that is not populated...so you need to use the usual 'if this exists use this else use this' syntax eg %{%{Stripped-User-Name}:%{User-Name}} - theres also the nt_domain_hack in mschap to check/set - you need to run in debug mode for an EAP-TLS client to check what is coming in and key off the relevant part. in previous role, we were moving away to EAP-TLS for these sorts of things - quicker auths, less hit on AD, no need to use AD for authZ etc. less moving parts to go wrong :) alan
Hi Alex,
We now want to enable our managed laptops to connect to eduroam at a remote site using machine authentication using EAP-TTLS.
I've got part of the way in that I can see an inbound request from host/<fqdn of laptop> and a failure
Have you found a Windows knob to append an NAI-style realm to the the advertised username of 'host/computer.ad.domain'? I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?) We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'. Our configuration has diverged substantially from the stock freeradius configuration, but here's a hopefully useful snippet: -=- server peap-inner { authorize { filter_username filter_inner_identity suffix if (!ok) { update request { &Module-Failure-Message += 'Inner realm not local' } reject } # Only lancs.local computer accounts can authenticate without a realm if (&Realm == "NULL") { if (&User-Name =~ /^host\/(.+)\.lancs\.local$/) { update request { &Stripped-User-Name := "%{1}$" } } else { update request { &Module-Failure-Message += 'Only lancs.local computer account authentication is available without an NAI realm' } reject } [...] -=- Graham
On Mar 26, 2018, at 3:52 PM, Graham Clinch <g.clinch@lancaster.ac.uk> wrote:
Have you found a Windows knob to append an NAI-style realm to the the advertised username of 'host/computer.ad.domain'?
Windows has essentially zero configuration for this. TBH, I wouldn't recommend authenticating machines to Eduroam. It's *much* better to authenticate people. Plus, you can specify an NAI like "user@domain" for people. You can't really do that for hosts.
I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?)
It's possible. But, the ore unusual your configuration, the less likely it is to work everywhere.
We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'.
Don't re-write User-Names in a proxy. It will break EAP. Alan DeKok.
What we were originally doing wa using eap-ttls. In windows we could set the outer UserName to be @york.ac.uk and the inner UserName to be itsyork/<userid> ... problem was that it worked for wired 802.1x but not wifi dot1x. We're nowtrying a Securew2 driver to get round the issue wih the windows built in eap-ttls setup. What our desktop people have done is do a machine auth using eap-ttls with outer username=@york.ac.uk. This does get as far as our ORPS systems from a remote eduroam site and the only thing wrong is at the mschap level which I guess is due to my use of stripped user name. Why not use EAP-TLS ? because although I have a cloudpath one stop server for cert management its not a windows PKI so they're waiting until one is available. They are planning on using TLS when that PKI is available. Rgds A On 26 March 2018 at 21:04, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 26, 2018, at 3:52 PM, Graham Clinch <g.clinch@lancaster.ac.uk> wrote:
Have you found a Windows knob to append an NAI-style realm to the the advertised username of 'host/computer.ad.domain'?
Windows has essentially zero configuration for this.
TBH, I wouldn't recommend authenticating machines to Eduroam. It's *much* better to authenticate people.
Plus, you can specify an NAI like "user@domain" for people. You can't really do that for hosts.
I'd be very interested to know more if you had! If not I guess you'll be looking to the remote site to proxy around the side of the eduroam national proxies? (I have a feeling that is frowned upon by the eduroam tech-specs?)
It's possible. But, the ore unusual your configuration, the less likely it is to work everywhere.
We use PEAP/MSCHAPv2 throughout for both User- and Host- authentication, with only a single mschap instance - it feels to me like you could be missing rewriting the computer's 'username' to 'computername$'.
Don't re-write User-Names in a proxy. It will break EAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
you already have a TLS PKI - its in Windows AD for your pleasure to use - you just need to get them to use a server chain that matches what you can trust in your FR setup - or just proxy EAP-TLS to an NPS in the AD... ;-) PS have you tried GEANTLink for the supplicant (its what eduroamCAT uses for TTLS support) - https://github.com/Amebis/GEANTLink alan
On 26 Mar 2018, at 22:16, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
What we were originally doing wa using eap-ttls. In windows we could set the outer UserName to be @york.ac.uk and the inner UserName to be itsyork/<userid> ... problem was that it worked for wired 802.1x but not wifi dot1x. We're nowtrying a Securew2 driver to get round the issue wih the windows built in eap-ttls setup.
What our desktop people have done is do a machine auth using eap-ttls with outer username=@york.ac.uk. This does get as far as our ORPS systems from a remote eduroam site and the only thing wrong is at the mschap level which I guess is due to my use of stripped user name.
Why not use EAP-TLS ? because although I have a cloudpath one stop server for cert management its not a windows PKI so they're waiting until one is available. They are planning on using TLS when that PKI is available.
Alex, At Loughborough for BYOD users we issue certs from cloudpath. However, for managed windows machines we get the AD to issue a cert with machine-name@realm. Then we have added the AD CA certs to the trusted CA list on the RADIUS server. The certificate management on the managed devices is handled by the AD. Regards Scott
participants (8)
-
Adam Bishop -
Alan Buxey -
Alan DeKok -
Alex Sharaz -
Graham Clinch -
Isaac Boukris -
Scott Armitage -
Trinklein, Jason R