Re: Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?
But what you can do is largely dependant on what NAS supports
Thanks for the explanation.
I want my users to have to supply both a valid domain user/password combo AND I want their computers to prove that they are allowed on the lan. My understanding of the PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers) would need both sorts of credentials in order to use the lan.
Yes, but that would be machine, not client (user) certificate. So machine will be checked with certificate and user with username/pass. In two separate authentication sessions (when machine is switched on/ user logs off - machine authentication; when user logs in - user authentication).
Ok. So is a machine cert different than a client cert? Can I have a single machine cert for all machines, or do I need to generate one for every machine. If so does that simply mean I edit the client.cnf with the FQDN of the machine in question. With several hundred machines on the domain this sound painful. Would I then set my XP clients who are connecting by wire to use EAP type "Smart Card or Other Certificate"? or would they continue to use PEAP MSCHAPV2? And would I continue to try and force the freeradius server to do certificate checking via eap.conf? I haven't found a good howto on this. It seems that most folks are concerned about using freeradius with WPA supplicants. The process seems a bit different for computers who's must be valid as well.
2) Is there a better approach?
That depends on your hardware. If your switches support port based authentication and dynamic VLAN assignment via radius you can make this work.
We're looking at using used HP 2650's but I'd be interested in knowing your recommendation for high density switches for Lan environments with robust dot1x support.
And how are you going to stop students from plugging into the ports they feel like? You can paint them in different colours, do what you like - students will still plug into the "wrong" ones.
The NAS are located in server closets so the students would be plugging into ports in classrooms. Since they wouldn't have a machine cert they'd get no joy, right? Or better - how is admin
going to get onto the admin VLAN from a port "allocated" to students? Use dynamic VLAN assignment. I like the idea but currently don't have equipment that supports this AFAIK. Again, what would you recommend in terms of hardware? As always, cost is an issue :->
I appreciate your help! john
I haven't found a good howto on this. It seems that most folks are concerned about using freeradius with WPA supplicants. The process seems a bit different for computers who's must be valid as well.
And why do you insist on checking machine identity? Security? Lets say one of your students was trawling porn and warez sites all night while downloading some dodgy cracked game via torrents - he has a certificate on his laptop. The other student just bought a new laptop - he has no machine certificate. Guess which one will be able to hook up to your network. Do you really want to let the first one and stop the second?
2) Is there a better approach?
That depends on your hardware. If your switches support port based authentication and dynamic VLAN assignment via radius you can make this work.
We're looking at using used HP 2650's but I'd be interested in knowing your recommendation for high density switches for Lan environments with robust dot1x support.
Arran is better person to ask. Read his article on HP switches: http://wiki.freeradius.org/HP
And how are you going to stop students from plugging into the ports they feel like? You can paint them in different colours, do what you like - students will still plug into the "wrong" ones.
The NAS are located in server closets so the students would be plugging into ports in classrooms.
And teachers? Dedicated teacher ports? Who is going to guard them when teacher leaves the classroom. You really don't want students anywhere near teacher resources.
Or better - how is admin
going to get onto the admin VLAN from a port "allocated" to students? Use dynamic VLAN assignment. I like the idea but currently don't have equipment that supports this AFAIK. Again, what would you recommend in terms of hardware? As always, cost is an issue :->
That expense will save you a lot of headaches later. Ivan Kalik Kalik Informatika ISP
On Fri, May 8, 2009 at 1:19 PM, Ivan Kalik <tnt@kalik.net> wrote:
I haven't found a good howto on this. It seems that most folks are concerned about using freeradius with WPA supplicants. The process seems a bit different for computers who's must be valid as well.
And why do you insist on checking machine identity? Security? Lets say one of your students was trawling porn and warez sites all night while downloading some dodgy cracked game via torrents - he has a certificate on his laptop. The other student just bought a new laptop - he has no machine certificate. Guess which one will be able to hook up to your network. Do you really want to let the first one and stop the second?
Hi Ivan, I want machine security for machines owned by the school district. That way only school machines can be on the Lan. Student machines won't get the cert installed on their machines so they won't be able to answer the challenge from the CA, right? Am I missing your argument? Is there some difference between a "machine cert" and a "client cert" ? If so is there some direction about how to manufacture and install them?
Arran is better person to ask. Read his article on HP switches:
Thank you.
And teachers? Dedicated teacher ports? Who is going to guard them when teacher leaves the classroom. You really don't want students anywhere near teacher resources.
Sure, but again. Students can't just plug into those ports since they won't have the cert that allows them access to the Lan, right?
That expense will save you a lot of headaches later.
I believe you. Assuming I collection of those switches wouldn't I also need a management server to manage dynamic vlan assignment? Cheers! John
I want machine security for machines owned by the school district. That way only school machines can be on the Lan. Student machines won't get the cert installed on their machines so they won't be able to answer the challenge from the CA, right? Am I missing your argument?
Ah, that's how it's going to work. You probably don't need machine certificates. Students will just pinch them and install them on unauthorized machines. You will still have to check mac addresses (Calling-Station-Id). So, drop machine authentication completetly and match Calling-Station-Id on user authentication. You can tie a user to a single machine or even a group of machines with huntgroups/sqlhuntgroups. Doing more than that significantly inceases the workload - for very little benefit.
Is there some difference between a "machine cert" and a "client cert"
No. It's just whose details are on the certificate.
? If so is there some direction about how to manufacture and install them?
Same as the ones for users.
I believe you. Assuming I collection of those switches wouldn't I also need a management server to manage dynamic vlan assignment?
Sort of. Freeradius would be that "management" server. VLAN IDs will be in user/group entries. Ivan Kalik Kalik Informatika ISP
On 8/5/09 22:02, Ivan Kalik wrote:
I want machine security for machines owned by the school district. That way only school machines can be on the Lan. Student machines won't get the cert installed on their machines so they won't be able to answer the challenge from the CA, right? Am I missing your argument?
Ah, that's how it's going to work. You probably don't need machine certificates. Students will just pinch them and install them on unauthorized machines. You will still have to check mac addresses (Calling-Station-Id).
Which students will pinch, and use to administratively override the MAC addresses of their laptop NICs? ;) Hell you can do it in ifconfig if your driver supports it (hw class address ether). Surely file permissions on Windows Machines can't be *that* broken.
So, drop machine authentication completetly and match Calling-Station-Id on user authentication. You can tie a user to a single machine or even a group of machines with huntgroups/sqlhuntgroups. Doing more than that significantly inceases the workload - for very little benefit.
Is there some difference between a "machine cert" and a "client cert"
No. It's just whose details are on the certificate.
? If so is there some direction about how to manufacture and install them?
Same as the ones for users.
I believe you. Assuming I collection of those switches wouldn't I also need a management server to manage dynamic vlan assignment?
Sort of. Freeradius would be that "management" server. VLAN IDs will be in user/group entries.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
On Fri, May 8, 2009 at 2:27 PM, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> wrote:
On 8/5/09 22:02, Ivan Kalik wrote:
I want machine security for machines owned by the school district. That way only school machines can be on the Lan. Student machines won't get the cert installed on their machines so they won't be able to answer the challenge from the CA, right? Am I missing your argument?
Ah, that's how it's going to work. You probably don't need machine certificates. Students will just pinch them and install them on unauthorized machines. You will still have to check mac addresses (Calling-Station-Id).
If that's the case what's the purpose of machine certs? Are they really that easy to steal from a XP/sp3 box joined to AD? Our end users are pretty constrained by GPO (no command line etc)
So, drop machine authentication completetly and match Calling-Station-Id on user authentication. You can tie a user to a single machine or even a group of machines with huntgroups/sqlhuntgroups. Doing more than that significantly inceases the workload - for very little benefit.
I am willing to do that if the consensus is that is the current best practice. I was working under the assumption that the way folks using freeradius typically secured their lans was via a combination of dot1x, freeradius, and certs on the users hosts. So I guess my question now is more fundemental. What's the proper approach to take to secure wired clients using freeradius and dot1x? Perhaps I should start a new topic? John
If that's the case what's the purpose of machine certs? Are they really that easy to steal from a XP/sp3 box joined to AD? Our end users are pretty constrained by GPO (no command line etc)
Ah, you weren't mentioning AD. With AD you can exercise reasonable control. And issuing and installing certificates should't be much of a problem (read about domain member autoenrolement). You should go for AD integration: http://deployingradius.com/documents/configuration/active_directory.html and leave user/machine authentication to AD. The problems are with non-domain machines. In their wisdom MS have removed Power User option for new accounts for XP (used to be there in Win2K). So, faced with admin or limited options most people end up opening local admin accounts. With them all local files are fair game. Sad truth is that Power User group still exists on Win XP Pro - but most MS trained admins are not aware of it.
So, drop machine authentication completetly and match Calling-Station-Id on user authentication. You can tie a user to a single machine or even a group of machines with huntgroups/sqlhuntgroups. Doing more than that significantly inceases the workload - for very little benefit.
I am willing to do that if the consensus is that is the current best practice.
No, in your case you should use machine certificates. You have already put in increased workload into AD - use it. But still, dynamic VLANs would be much prefered to static ones. And you would save yourself the workload needed to secure NAS/port combinations from unwanted access with huntgroups/sqlhuntgroups. Ivan Kalik Kalik Informatika ISP
Ah, you weren't mentioning AD. With AD you can exercise reasonable control. And issuing and installing certificates should't be much of a problem (read about domain member autoenrolement). You should go for AD integration:
Hi, Ivan. I mentioned AD but it was way back in the first email. To recap my setup looks like Active Directory <=> winbind <=> Freeradius <=> NAS <=> Supplicant I set this up by following the link you reference. So that part is good :-)
http://deployingradius.com/documents/configuration/active_directory.html
and leave user/machine authentication to AD.
Right so user auth is the job of AD. Are you aware of any pointers or howto's on getting autoenrollment working with AD and Freeradius?
No, in your case you should use machine certificates. You have already put in increased workload into AD - use it. But still, dynamic VLANs would be much prefered to static ones. And you would save yourself the workload needed to secure NAS/port combinations from unwanted access with huntgroups/sqlhuntgroups.
Can you explain what you mean by this? Thank you for all of your advice. I really appreciate it! John
participants (3)
-
Arran Cudbard-Bell -
Ivan Kalik -
john