Server Certificate for use with Windows PEAP Clients
Hi I'd like to get certificates installed on two of our FreeRADIUS boxes to satisfy the requirements of the Windows built in PEAP client when it does it's "Validate server certificate" bit. I have read about the requirement for the certificate to include the Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage section and I would like to know if anyone else has had experience of this. I have also heard about the special WLAN certificate available from Verisign which sounds like it will do the job, but I would like to hear from anyone who knows about an alternative as this one is a bit pricey. Thanks Ben Thompson
Hi, i sucessfully installed a Radius authentificated Network with EAP-TLS Authentifikation. But I cant get logon to my Domain Controller when themachines boot up.. Ok, I know this Problem is not new, but is there any chance to solve this problem without additional software like AEGIS?? Or is there an other Software for Windows XP and or 2000 which is free from license? And is itpossible to set a default vlan group where the Domain Controller exists and all Clients firstly get in and later change the VLANID??? Would this be possible and how would it work? Greetings Armin
=?iso-8859-1?Q?Kr=E4mer_Armin?= <Kraemer.Armin@web.de> wrote:
Hi, i sucessfully installed a Radius authentificated Network with EAP-TLS Authentifikation. But I cant get logon to my Domain Controller when themachines boot up.. Ok, I know this Problem is not new, but is there any chance to solve this problem without additional software like AEGIS??
No.
Or is there an other Software for Windows XP and or 2000 which is free from license? And is itpossible to set a default vlan group where the Domain Controller exists and all Clients firstly get in and later change the VLANID??? Would this be possible and how would it work?
With other client software, and machine certificates (rather than machine accounts in AD) it may be possible. Alan DeKok.
Okay, thanks for the answert, if anyone knows a client software which is free or cheap and supports this please mail me. I need it for ~300 Clients. Greeting Armin -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Montag, 22. August 2005 18:17 An: FreeRadius users mailing list Betreff: Re: Windows Client Authentification bevore Domain logon =?iso-8859-1?Q?Kr=E4mer_Armin?= <Kraemer.Armin@web.de> wrote:
Hi, i sucessfully installed a Radius authentificated Network with EAP-TLS Authentifikation. But I cant get logon to my Domain Controller when themachines boot up.. Ok, I know this Problem is not new, but is there any chance to solve this problem without additional software like AEGIS??
No.
Or is there an other Software for Windows XP and or 2000 which is free from license? And is itpossible to set a default vlan group where the Domain Controller exists and all Clients firstly get in and later change the VLANID??? Would this be possible and how would it work?
With other client software, and machine certificates (rather than machine accounts in AD) it may be possible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, i set up an EAP-TLS based Radius Server an want realize dynamical VLANS Port based with a Nortel BAystack 470 48T Switch. Is there any possiblility how i can give more than one VLANID dynamicaly to the switch? Wit one VLAn it works fine, but how can give a second ore third VLAN ID to th P same port? Greetings Armin
=?iso-8859-1?Q?Armin_Kr=E4mer?= <Kraemer.Armin@web.de> wrote:
Hi, i set up an EAP-TLS based Radius Server an want realize dynamical VLANS Port based with a Nortel BAystack 470 48T Switch. Is there any possiblility how i can give more than one VLANID dynamicaly to the switch? Wit one VLAn it works fine, but how can give a second ore third VLAN ID to th P same port?
See the NAS documentation for how to configure VLAN's with RADIUS. Alan DeKok.
At 16:26 22/08/05, you wrote:
Hi, i sucessfully installed a Radius authentificated Network with EAP-TLS Authentifikation. But I cant get logon to my Domain Controller when themachines boot up.. Ok, I know this Problem is not new, but is there any chance to solve this problem without additional software like AEGIS?? Or is there an other Software for Windows XP and or 2000 which is free from license? And is itpossible to set a default vlan group where the Domain Controller exists and all Clients firstly get in and later change the VLANID??? Would this be possible and how would it work?
Greetings Armin
I have managed to do this by three different routes. 1. Use the Microsoft built in wireless client. To do this you need to use mmc and the certificate plug in to install a CA certificate & personal certificate for the local machine. Create a wireless profile in XP which connects to your network using the CA certificate you installed. Then add a DWORD registry entry AuthType with a value of 2 to HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global. This causes XP to use the machine account to authenticate to the network. This only uses the machine account to authenticate against the network, at no time does it use the users account. Other values to use are 0 - Use the default XP authentication, 1 - Always perform user authentication when a user logs on, 2 - Perform computer authentication only. 2. As above, but don't add the registry entry. This time the machine will authenticate itself to the network before logon which allows the computer to see the network and the domain. Once the user logs on to the domain the connection is lost and the user account is then used to authenticate against the network. The problem here is that unless the user also has a valid personal certificate the authentication fails. This means going round to each user and installing a certificate, unless you can do it via Active Directory, we are using a Samba PDC here so that is not possible. I decided against this option with having 1500 potential users. 3. If you are using Intel wireless cards download the full version of the ProSet drivers, mine were 2200BG. This allows for different profiles which work as the machine before logon, or during logon to validate the user against the network. It also adds TTLS as well as TLS. There is a problem with this software if you are using roaming profiles. During logoff the network connection is dropped and it is impossible to upload the profile to the servers. According to Intel this is a know problem and at this time they have not replied to say if there is going to be a fix for it. This method worked very well upto the point of saving the profile, it is also much easier to distribute the settings to other machine using the profile import feature the ProSet drivers provide. Steve Atkinson Deputy Network Manager Fallibroome High School Priory Lane Macclesfield Cheshire SK10 4AF
Ben Thompson <bt4@york.ac.uk> wrote:
I have read about the requirement for the certificate to include the Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage section and I would like to know if anyone else has had experience of this.
Yes. Use it, it works.
I have also heard about the special WLAN certificate available from Verisign which sounds like it will do the job, but I would like to hear from anyone who knows about an alternative as this one is a bit pricey.
See the "scripts" directory. You can create certificates, with the OID, for free. Alan DeKok.
On Mon, 2005-08-22 at 12:12 -0400, Alan DeKok wrote:
Ben Thompson <bt4@york.ac.uk> wrote:
I have read about the requirement for the certificate to include the Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage section and I would like to know if anyone else has had experience of this.
Yes. Use it, it works.
I have also heard about the special WLAN certificate available from Verisign which sounds like it will do the job, but I would like to hear from anyone who knows about an alternative as this one is a bit pricey.
See the "scripts" directory. You can create certificates, with the OID, for free.
Alan DeKok.
Hi Thanks for the info. I would like to get a certificate installed that has been signed by one of the trusted CA's if possible. I am not sure about the Verisign certificate as they seem to want people to buy online and download using some sort of automated certificate installation feature in Internet Explorer on the target machine. As described here : http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-... Cheers Ben
participants (5)
-
Alan DeKok -
Armin Krämer -
Ben Thompson -
Krämer Armin -
Steven Atkinson