EAP-TLS Machine-Auth Windows: difference between LAN and WiFi
Hi, we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make a auth via LAN the provided username ist <hostname>, if I do it via WLAN it is host/<hostname>. While we use "host/" as a realm for our Radsecproxy, I'd like to change the behauviour for the authentication via LAN and add a string to the <hostname> (i.e. "host/" or something else) to unify the login for WLAN an LAN. So how or where can I change that? A hint will be really welcome. TIA Alex
Alexandros Gougousoudis wrote:
we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make a auth via LAN the provided username ist <hostname>, if I do it via WLAN it is host/<hostname>. While we use "host/" as a realm for our Radsecproxy, I'd like to change the behauviour for the authentication via LAN and add a string to the <hostname>
Don't. You will break EAP.
(i.e. "host/" or something else) to unify the login for WLAN an LAN.
So how or where can I change that? A hint will be really welcome.
Find a better solution. Change your rules so that you're keying off of the correct data, and doing that only when you want. Alan DeKok.
Hi Alan, thanks for your reply! Alan DeKok schrieb:
"host/" as a realm for our Radsecproxy, I'd like to change the behauviour for the authentication via LAN and add a string to the <hostname>
Don't. You will break EAP.
That's not clear. Why would that break EAP if the workstations are sending a different Login? It already does, depending on LAN or WLAN Logins. I don't mean some kind of rewrite or redirect inside of Freeradius. Using Linux I can send whatever I want as the loginname.
Find a better solution. Change your rules so that you're keying off of the correct data, and doing that only when you want.
I have now a more or less complicated regex rule in the radsecproxy, but I thought it's more elegant to unify both logins. I thought doing it in the profile-xml-file of the LAN connection in Win, but unfortunately it's not the right place for it. At least all official ressources I can find from MS, are not pointing out how to do that. bye Alex
I'm sorry, I don't have time right now to help you, but you are on the right track. Windows has a feature "Machine Authentication" where the station authenticates (using the $hostname and a secret credential created at domain join) with a Domain controller before the user login. On an hardwired ethernet connection that happens in the background at boot. On a dynamic connection like Wi-Fi that is an option, if the EAP supplicant module supports it. (Most did not in the past) The control for this has mutated between XP and later. In Vista and Win7 this got more complicated, as you see there are XML files called "profiles" that control these behaviors. They are a bit difficult to figure out at first (the documentation sucks and is probably wrong at points) but if you burrow in and experiment a bit, you might get it figured out. There are command line tools for dumping the profiles and tweaking on the settings that the GUIs don't get to. Once you get what you want settled, you can also create domain policies and push them to all stations that way. Sorry, I don't have enough time to look up my old notes. Dave. Quoting Alexandros Gougousoudis <gougousoudis-list@servicecenter-khs.de>:
Hi Alan,
thanks for your reply!
Alan DeKok schrieb:
"host/" as a realm for our Radsecproxy, I'd like to change the behauviour for the authentication via LAN and add a string to the <hostname>
Don't. You will break EAP.
That's not clear. Why would that break EAP if the workstations are sending a different Login? It already does, depending on LAN or WLAN Logins. I don't mean some kind of rewrite or redirect inside of Freeradius. Using Linux I can send whatever I want as the loginname.
Find a better solution. Change your rules so that you're keying off of the correct data, and doing that only when you want.
I have now a more or less complicated regex rule in the radsecproxy, but I thought it's more elegant to unify both logins. I thought doing it in the profile-xml-file of the LAN connection in Win, but unfortunately it's not the right place for it. At least all official ressources I can find from MS, are not pointing out how to do that.
bye Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alexandros Gougousoudis wrote:
That's not clear. Why would that break EAP if the workstations are sending a different Login?
You said you wanted to add a string to hostname. Don't do that. Editing it in FreeRADIUS will break things.
It already does, depending on LAN or WLAN Logins. I don't mean some kind of rewrite or redirect inside of Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, than change the client.
I have now a more or less complicated regex rule in the radsecproxy, but I thought it's more elegant to unify both logins. I thought doing it in the profile-xml-file of the LAN connection in Win, but unfortunately it's not the right place for it. At least all official ressources I can find from MS, are not pointing out how to do that.
I can't help there. Alan DeKok.
Hi Alan, Alan DeKok schrieb:
Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, than change the client.
This is exactly what I want to do! Change the loginname, the clients sends to the Authenticater. It's a Windows 802.1x question, not a question how to configure FR. FR does everything alright. But most FR people here have more knowlegde about Windows 802.1x, than the Windows people in a Windows group/list. bye Alex
On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:
Hi Alan,
Alan DeKok schrieb:
Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, than change the client.
This is exactly what I want to do! Change the loginname, the clients sends to the Authenticater. It's a Windows 802.1x question, not a question how to configure FR. FR does everything alright. But most FR people here have more knowlegde about Windows 802.1x, than the Windows people in a Windows group/list.
To repeat: I don't see that behaviour. In my observation, windows sends host/ on both wired and wireless. Are you sure you aren't mangling the hostnames somehow?
The behavior _is_ configurable, but as you have observed for your particular network, the default is not to attempt machine auth. It is configurable on a per-network connection basis, I'm getting fuzzy on if it's adapter or SSID based. If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that. Dave. Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:
Hi Alan,
Alan DeKok schrieb:
Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, than change the client.
This is exactly what I want to do! Change the loginname, the clients sends to the Authenticater. It's a Windows 802.1x question, not a question how to configure FR. FR does everything alright. But most FR people here have more knowlegde about Windows 802.1x, than the Windows people in a Windows group/list.
To repeat: I don't see that behaviour. In my observation, windows sends host/ on both wired and wireless. Are you sure you aren't mangling the hostnames somehow? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi David, David Mitton schrieb:
If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that.
It is consistent for all machines in the network. To figure out why this happend, is exactly what I want to do. But I need a good point to start. At least in MS-TechNet is no usable information about that behauviour. But - as always - it depends also on the kind of question. Maybe I used the wrong keywords for the search. At the moment I can't see any light at the end of the tunnel. Bye Alex
On 12/10/12 13:59, Alexandros Gougousoudis wrote:
Hi David,
David Mitton schrieb:
If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that.
It is consistent for all machines in the network. To figure out why this happend, is exactly what I want to do. But I need a good point to start. At least in MS-TechNet is no usable information about that behauviour. But - as always - it depends also on the kind of question. Maybe I used the wrong keywords for the search. At the moment I can't see any light at the end of the tunnel.
It's interesting that the problem occurs on your wireless network. Is it possible your wireless networking equipment is mangling the hostnames? Which vendor are you using? Have you verified that you really are receiving "hostname" instead of "host/hostname"? Verified with a reliable tool i.e. "tcpdump" on the RADIUS server?
Phil Mayers schrieb:
Is it possible your wireless networking equipment is mangling the hostnames? Which vendor are you using?
Mhh, I can check that again, it's an old Linksys-AP. I'll see if that happens also with the other more professional hardware we have.
Have you verified that you really are receiving "hostname" instead of "host/hostname"? Verified with a reliable tool i.e. "tcpdump" on the RADIUS server? No, I just took the Debug-Mode from FR.
But it's good to know, that the normal behaviour of windows is to use a unique Loginname for all kind of machine-based auth. Bye Alex
On 12/10/12 13:48, David Mitton wrote:
The behavior _is_ configurable, but as you have observed for your particular network, the default is not to attempt machine auth. It is configurable on a per-network connection basis, I'm getting fuzzy on if it's adapter or SSID based.
No, you've misunderstood the point I'm making. I am aware that machine and user auth are configurable (FYI, it's per-adapter on LAN, per SSID on wireless). The issue the OP seems to be facing is that, when *doing* machine auth, he gets different format names on wired versus wireless. Windows doesn't do that, so either his RADIUS config or Wi-Fi network is mangling them.
On 11/10/12 12:43, Alexandros Gougousoudis wrote:
Hi,
we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make a auth via LAN the provided username ist <hostname>, if I do it via WLAN it is host/<hostname>. While we use "host/" as a realm for our Radsecproxy, I'd like to change the behauviour for the authentication via LAN and add a string to the <hostname> (i.e. "host/" or something else) to unify the login for WLAN an LAN.
I don't understand - you're saying that, for windows clients: 1. On wi-fi they send host/name.domain.com 2. On LAN, then send... something else? Are you sure? We don't see that.
Hi Phil, Phil Mayers schrieb:
I don't understand - you're saying that, for windows clients:
1. On wi-fi they send host/name.domain.com 2. On LAN, then send... something else?
Are you sure? We don't see that.
Exactly. On wifi they send <hostname> on LAN they send: host/<hostname> <hostname> is the Windowshostname from the systemsettings. bye Alex
Hi,
Phil Mayers schrieb:
I don't understand - you're saying that, for windows clients:
1. On wi-fi they send host/name.domain.com 2. On LAN, then send... something else?
Are you sure? We don't see that.
i agree
Exactly. On wifi they send
<hostname>
on LAN they send:
host/<hostname>
<hostname> is the Windowshostname from the systemsettings.
we dont see that. we see host/machinename.domain on both wired and wireless alan
On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote:
Hi Phil,
Phil Mayers schrieb:
I don't understand - you're saying that, for windows clients:
1. On wi-fi they send host/name.domain.com 2. On LAN, then send... something else?
Are you sure? We don't see that.
Exactly. On wifi they send
<hostname>
on LAN they send:
host/<hostname>
We don't see that behaviour. We consistently see "host/". Check you aren't mangling the hostnames in your FreeRADIUS config.
Hi, Phil Mayers schrieb:
We don't see that behaviour. We consistently see "host/". Check you aren't mangling the hostnames in your FreeRADIUS config.
Strange, but thanks for watching. We're not mangeling anything in FR. That's what I see, running FR in Debug-Mode. Maybe because we're running on a NT4-Sambadomain and are not using a AD? Since XP SP3 we establish a machine-auth via exporting, textediting and importing the profile-xml of the specific LAN-interface, we're authenticating using EAP-TLS, CN of the cert is the <hostname>. Machine-auth via WLAN is done by a registry-change. Ok, I'll keep looking. bye Alex
Hi, I just wonder if this parameter should be set on Raddact or radreply or what ever. If some one could point me to the right howto.... thanks
On 10/27/2012 05:03 PM, yzy-oui-fi wrote:
Hi,
I just wonder if this parameter should be set on Raddact or radreply or what ever.
Attributes you want to send go in radreply or radgroupreply, if you're using groups. Attributes never go in radacct; radacct stores accounting info.
OOps i meant "radcheck or radreply", but radgroupreply will be my choice...Thanks for your reply Le samedi 27 octobre 2012 à 19:05 +0100, Phil Mayers a écrit :
On 10/27/2012 05:03 PM, yzy-oui-fi wrote:
Hi,
I just wonder if this parameter should be set on Raddact or radreply or what ever.
Attributes you want to send go in radreply or radgroupreply, if you're using groups.
Attributes never go in radacct; radacct stores accounting info. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok i get farther, solving dictionary missing attribute. The problem is that this doesn't give what i was looking for. this attribute is only available for granted user, and tried to solve the uamallowed issue under DD-WRT box. I mean i want to replace the UAM allowed embed in DD-WRT chillispot with those provide by server before to grant users.... Le mercredi 07 novembre 2012 à 00:33 +0100, yzy-oui-fi a écrit :
OOps i meant "radcheck or radreply", but radgroupreply will be my choice...Thanks for your reply
Le samedi 27 octobre 2012 à 19:05 +0100, Phil Mayers a écrit :
On 10/27/2012 05:03 PM, yzy-oui-fi wrote:
Hi,
I just wonder if this parameter should be set on Raddact or radreply or what ever.
Attributes you want to send go in radreply or radgroupreply, if you're using groups.
Attributes never go in radacct; radacct stores accounting info. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
alan buxey -
Alan DeKok -
Alexandros Gougousoudis -
David Mitton -
Phil Mayers -
yzy-oui-fi