EAP-TLS and Active Directory
Hi there! I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization. I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients. Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefor my users credentials become less important (not needed to log in to the network). Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to? My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources. Thanks in advance, Simon
On 25-11-15 10:22, Simon Larsson wrote:
I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefor my users credentials become less important (not needed to log in to the network).
Create a unique certificate for every user, and use that certificate for authentication. -- Herwin Weststrate
On 25 Nov 2015, at 09:22, Simon Larsson <simlar@live.se> wrote:
Hi there!
I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization.
I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefor my users credentials become less important (not needed to log in to the network). Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources.
Lots of different ways to do this. But, off the top of my head… use some xlat ldap queries in the post-auth section using the CN from the certificate. Regards Scott Armitage
On 25 Nov 2015, at 09:36, Scott Armitage <S.P.Armitage@lboro.ac.uk> wrote:
On 25 Nov 2015, at 09:22, Simon Larsson <simlar@live.se> wrote:
Hi there!
I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization.
I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefor my users credentials become less important (not needed to log in to the network). Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources.
Lots of different ways to do this. But, off the top of my head…
use some xlat ldap queries in the post-auth section using the CN from the certificate.
if it just simple stuff, like X department get VLAN 123. Just embed information into the certificate e.g. using a SAN, then some unlang in the post-auth e.g: if (&EAP-Type == 13) { if ( "%{TLS-Client-Cert-Subject}" =~ /OU\=Marketing/ ) { update session-state { Tunnel-Private-Group-Id := “123" } } }
On Wed, Nov 25, 2015 at 10:22:52AM +0100, Simon Larsson wrote:
My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources.
As has been said there are many ways to do this. We check the certificate subject against the AD LDAP to ensure that the machine is permitted to connect. It should be simple to put machines in groups and then assign a VLAN for each group, or even put the VLAN number in LDAP if you really wanted to then just pull the value out in FreeRADIUS. But remember with AD/Windows this is normally not really "user" authentication - it is "machine" authentication, so the VLAN will be for the computer rather than the specific user, unless you generate certificates for all your users and somehow get them authenticating on to the network using that (e.g. in Windows you could set to "user" auth and then use smartcards). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 25 Nov 2015, at 11:07, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Wed, Nov 25, 2015 at 10:22:52AM +0100, Simon Larsson wrote:
My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources.
As has been said there are many ways to do this.
We check the certificate subject against the AD LDAP to ensure that the machine is permitted to connect.
Not telling you how to suck eggs Matthew, but couldn’t you improve efficiency by using an OCSP check instead. Scott
On Wed, Nov 25, 2015 at 11:14:20AM +0000, Scott Armitage wrote:
On 25 Nov 2015, at 11:07, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote: We check the certificate subject against the AD LDAP to ensure that the machine is permitted to connect.
Not telling you how to suck eggs Matthew, but couldn’t you improve efficiency by using an OCSP check instead.
We do that as well. That doesn't check that the machine is in a particular group, though :-). Not all machines are permitted to join the wireless network. Matthew (still learning how to suck eggs properly) -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 25 Nov 2015, at 06:31, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Nov 25, 2015 at 11:14:20AM +0000, Scott Armitage wrote:
On 25 Nov 2015, at 11:07, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote: We check the certificate subject against the AD LDAP to ensure that the machine is permitted to connect.
Not telling you how to suck eggs Matthew, but couldn’t you improve efficiency by using an OCSP check instead.
We do that as well.
That doesn't check that the machine is in a particular group, though :-). Not all machines are permitted to join the wireless network.
eggs are cacheable in v3.1.x -Arran FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
We check the certificate subject against the AD LDAP to ensure that the machine is permitted to connect.
It should be simple to put machines in groups and then assign a VLAN for each group, or even put the VLAN number in LDAP if you really wanted to then just pull the value out in FreeRADIUS.
But remember with AD/Windows this is normally not really "user" authentication - it is "machine" authentication, so the VLAN will be for the computer rather than the specific user, unless you generate certificates for all your users and somehow get them authenticating on to the network using that (e.g. in Windows you could set to "user" auth and then use smartcards).
Matthew
My thought was to create specific certificates for every single user. I think I understand different ways to tell FreeRADIUS what VLAN to put a specific user or group in, but what about shared folders and stuff like that? The certificate would authenticate the user on to the network by communicating with the FreeRADIUS server, but when it comes to authorization there need to be some connection with the Windows server or am I misunderstanding this?
participants (5)
-
Arran Cudbard-Bell -
Herwin Weststrate -
Matthew Newton -
Scott Armitage -
Simon Larsson