Confused with FreeRadius + Win2000 + Linksys + EAP + Certs
Hi, I'am working on a FreeRadius Setup für our network since 3 weeks and I get more and more confused, even after days of RTFM. If someone could help me, I'd owe you a beer. :-) This is what I want to do: We have a Linksys Switch which can be an AP for Radius. If a PC is authenticated the Port of the Switch will work. I want to install a certificate on every PC in our network. The Supplicant should contact the AP using eap and the AP the Radius-Server (I use freeradius 1.1.0 on Suse 10.1). So the PC should have access to the network, regardless of the user which will work on it. I configured Freeradius' eap.conf to use TLS, did all certificates and installed it on the client and server. radiusd -X -A does't report an error. All Servers and Clients are in the DNS. The problem is, if I setup the authentification with EAP-Type "Smartcard or Certificate" in W2K simply nothing happens, there is no request coming to the radius server, nor an error message on the client. If I configure on the client PEAP with protected Password (and say that it should not use the Windows-Logonname in the EAP-MSCHAPv2 Dialog) I get a logon-screen and can authentify the computer (I've put a dummyuser in users files) and I see the conversation in the server-debug. If I say it should use the Windowslogonname, again nothing happens to the radius server (there is even no request to that server). I even took SecureW2 to test, with the same result. I'm doing something terribly wrong, but what could it be? Every hint is welcome! In the future I want to check also in our LDAP-Directory (we have a Samba-Domain there) if the computer exists in the domain and only then accept the certificate for authentification. But I'am lightyears away from it, did anybody do this before? thanks in advance Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
The problem is, if I setup the authentification with EAP-Type "Smartcard or Certificate" in W2K simply nothing happens, there is no request coming to the radius server, nor an error message on the client.
FreeRADIUS doesn't support that EAP type, sorry.
If I say it should use the Windowslogonname, again nothing happens to the radius server (there is even no request to that server).
Then the problem is on the client side. RADIUS servers do nothing unless they receive a request. So if they don't receive a request... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan, Alan DeKok schrieb:
The problem is, if I setup the authentification with EAP-Type "Smartcard
FreeRADIUS doesn't support that EAP type, sorry.
Hm, thats bad. Is it on the roadmap? I have seen a Howto, generating certs and switching eap-type to tls on freeradius? Thats not the same I guess?If I say it should use the Windowslogonname, again nothing happens to
the radius server (there is even no request to that server).
Then the problem is on the client side. RADIUS servers do nothing unless they receive a request. So if they don't receive a request...
That what I think too, but what can be the problem if W2K simply doesn't sent the handshake if this option is enabled, and it works if it is disabled? How can the PC be authentified, even if the user is not? We have a lot student pc in a pool, but the students have no individual account. I want to protect the Ethernet-ports against plugging in another computer, not verified from us. How can this be achieved? Thanks for lighten me up... :-) TIA Alex
Hm, thats bad. Is it on the roadmap? I have seen a Howto, generating certs and switching eap-type to tls on freeradius?
Yes Windows hosts can be authenticated with EAP-TLS by choosing something like "SmartCard or certificate" under the Authentication Tab of the adapter properties.
How can the PC be authentified, even if the user is not? We have a lot student pc in a pool, but the students have no individual account. I want to protect the Ethernet-ports against plugging in another computer, not verified from us. How can this be achieved?
You want a certificate per host and not a certificate per user. I use the following procedure to enable Host EAP-TLS authentication: * Set the "HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters \General\Global\AuthMode" value to '2 in the windows registry. This means: "Computer authentication is performed when the wireless client computer is started. User authentication is never performed." See http://www.microsoft.com/technet/itsolutions/network/wifi/wififaq.mspx * Create a certificate per host: - cn must contain the Netbios name of the PC - the extension SubjectAltName must contain the Netbios name of the PC (I think) - The field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2) - Note that the Radius server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension - The certificate can be exported into a PKCS12 file .p12 (this includes the private key). The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double clic the file will NOT work): Run 'mmc' and Add the Snap-in 'Certificate>Local Computer', then in the private folder import the .p12 file and in the Trusted Root CA the CA certificate). Authentication will use the following username: The string 'Host/' concatenated with the Netbios name of the host. For instance if then NetbiosName is MYPC, use the following rule format in the raddb/users file: Host/MYPC CheckItems, ... ReplyAttributes..., ReplyAttributes..., Fall-Through = no There might be other solutions, but at least this is how it works for us... HTH, Thibault
participants (3)
-
Alan DeKok -
Alexandros Gougousoudis -
Thibault Le Meur