Windows client MS-chap auto-reauthentication
Hello, I'm connecting Windows clients to a LAN via Linksys access points and a Freeradius server. I'm using EAP/TLS with certificates installed on the clients and in modules/mschap I defined: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI_DATA --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" So the Windows clients must have a certificate and login with the credentials of an Active Directory user member of the WIFI_DATA group. This setup works fine. However, I'm seeing a major difference between a Windows XP pro SP2 client and a Windows Vista: if the Vista client (laptop) reboots the OS then access to the LAN via WIFI requires the user to re-enter login username and password, as expected. If the XP client reboots the OS then user credentials seem to be automatically sent to the Radius server again, as if they were stored on the system (no user interaction). Can I change this behavior and require the user to re-send their login data each time the Windows session is closed or the OS reboots? I realize this is a "client-only" issue and that freeradius can't possibly detect the difference between the 2 cases (or can it?) but I am concerned that if, for example, the XP laptop is stolen (or unauthoritatively lent) then all the "unwanted" user needs to do to access our LAN is boot the OS, unless the legitimate user's password has expired. The laptop is for a hospital's Emergency department so it's easy to imagine that it cannot be under 24-hour surveillance (but usually, the legitimate users switch the device off when done working or the laptop automatically turns off after an inactivity timeout). Does anyone know: why XP re-authenticates automatically and how to disable it? why Vista doesn't behave the same way? if installing SP3 on XP removes this feature? if somethng can be done on freeradius to discriminate manual logins from auto-logins? I'm running freeradius 2.0.5 on Linux. Thank you, Vieri
why XP re-authenticates automatically and how to disable it? b It's made that way. Why? Ask Microdoft. You can't disale it. You can remove cached credentials by hacking the registry - search Microsoft knowldgebase if you want to know how.
why Vista doesn't behave the same way?
Because people from Microsoft came to their senses? Just to mako things interesting? Who knows - ask Microsoft.
if installing SP3 on XP removes this feature?
No.
if somethng can be done on freeradius to discriminate manual logins from auto-logins?
No. There is nothing in the request to distinguish cached credentials from those entered by the user. That's the whole point of cacheing them. Ivan Kalik Kalik Informatika ISP
hi, XP caches successful connections - Vista does too IIRC so I'm not sure why you are seeing different behaviour.. anyhow..you can clear the credentials by blatting a registry on eg logout or login. the RADIUS server wont see the difference between std login and cached login as the client sends the same stuff. regarding theft. you are using EAP-TLS with client certs? in that case, you can simply revoke that client cert. the joys of using PKI alan
Alan Buxey wrote:
hi,
XP caches successful connections - Vista does too IIRC so I'm not sure why you are seeing different behaviour.. anyhow..you can clear the credentials by blatting a registry on eg logout or login. the RADIUS server wont see the difference between std login and cached login as the client sends the same stuff.
regarding theft. you are using EAP-TLS with client certs? in that case, you can simply revoke that client cert. the joys of using PKI
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The windows supplicant should remove cached credentials if you return an EAP-Failure before the EAP type is negotiated. Have fun implementing that in a none disruptive way :) -Arran
--- On Sun, 10/18/09, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
XP caches successful connections - Vista does too IIRC so I'm not sure why you are seeing different behaviour.. anyhow..you can clear the credentials by blatting a registry on eg logout or login.
OK, thanks for the suggestion. And thanks, Micro$oft, for automating things for me.
the RADIUS server wont see the difference between std login and cached login as the client sends the same stuff.
I thought so.
regarding theft. you are using EAP-TLS with client certs? in that case, you can simply revoke that client cert.
But I have to revoke it manually (CRL) as soon as I'm informed of the theft, which is usually a long and unreliable process. :-( Thanks anyway. Vieri
Hello, I tried asking the post with no response but was hoping you could assist in my search. I'm currently running a M$ implementation of radius (IAS) for a small number of users/computers (roughly 300 users and 700 devices all microsoft based). I'm trying to prevent rogue devices from connecting to production and obviously only allow valid users & devices. The current setup states members of domain computers or domain users are allowed to auth against the radius server. Do you know if its possible through freeradius to allow these devices AND these users only? We're using eap-peap-mschapv2 as our current authentication method. Is there a way using --require-membership-of to combine users AND groups perhaps through some type of regular expression? Is this some type of limitation of peap mschapv2 that's preventing this from happening? As of now the os of choice is freebsd 7.2 running freeradius 2.x. Any insight would be greatly appreciated. Best regards, D. Phillips On Sun, Oct 18, 2009 at 3:07 PM, Vieri <rentorbuy@yahoo.com> wrote:
Hello,
I'm connecting Windows clients to a LAN via Linksys access points and a Freeradius server. I'm using EAP/TLS with certificates installed on the clients and in modules/mschap I defined:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI_DATA --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
So the Windows clients must have a certificate and login with the credentials of an Active Directory user member of the WIFI_DATA group.
This setup works fine. However, I'm seeing a major difference between a Windows XP pro SP2 client and a Windows Vista: if the Vista client (laptop) reboots the OS then access to the LAN via WIFI requires the user to re-enter login username and password, as expected. If the XP client reboots the OS then user credentials seem to be automatically sent to the Radius server again, as if they were stored on the system (no user interaction).
Can I change this behavior and require the user to re-send their login data each time the Windows session is closed or the OS reboots? I realize this is a "client-only" issue and that freeradius can't possibly detect the difference between the 2 cases (or can it?) but I am concerned that if, for example, the XP laptop is stolen (or unauthoritatively lent) then all the "unwanted" user needs to do to access our LAN is boot the OS, unless the legitimate user's password has expired. The laptop is for a hospital's Emergency department so it's easy to imagine that it cannot be under 24-hour surveillance (but usually, the legitimate users switch the device off when done working or the laptop automatically turns off after an inactivity timeout).
Does anyone know: why XP re-authenticates automatically and how to disable it? why Vista doesn't behave the same way? if installing SP3 on XP removes this feature? if somethng can be done on freeradius to discriminate manual logins from auto-logins?
I'm running freeradius 2.0.5 on Linux.
Thank you,
Vieri
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Doc Phillips wrote:
I'm trying to prevent rogue devices from connecting to production and obviously only allow valid users & devices. The current setup states members of domain computers or domain users are allowed to auth against the radius server. Do you know if its possible through freeradius to allow these devices AND these users only?
Yes. FreeRADIUS can do machine && user authentication against Active Directory, using Samba.
We're using eap-peap-mschapv2 as our current authentication method. Is there a way using --require-membership-of to combine users AND groups perhaps through some type of regular expression?
I'm not sure what that means. Alan DeKok.
On Tue, Oct 20, 2009 at 2:46 AM, Alan DeKok <aland@deployingradius.com>wrote:
Doc Phillips wrote:
I'm trying to prevent rogue devices from connecting to production and obviously only allow valid users & devices. The current setup states members of domain computers or domain users are allowed to auth against the radius server. Do you know if its possible through freeradius to allow these devices AND these users only?
Yes. FreeRADIUS can do machine && user authentication against Active Directory, using Samba.
Thanks I'll research that further.
We're using eap-peap-mschapv2 as our current authentication method. Is there a way using --require-membership-of to combine users AND groups perhaps through some type of regular expression?
I'm not sure what that means.
I was thinking something along the lines of "--require-membership-of=domain\\ computers" && "--require-membership-of=domain\\ users". You can only access the network if you're logging on from a valid machine with valid credentials. Does that make sense or am I totally off? Thanks again for all the help!!
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Doc Phillips wrote:
I was thinking something along the lines of "--require-membership-of=domain\\ computers" && "--require-membership-of=domain\\ users". You can only access the network if you're logging on from a valid machine with valid credentials. Does that make sense or am I totally off?
Pass those command-line options to ntlm_auth? Sure, I guess. Alan DeKok.
participants (6)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Doc Phillips -
Ivan Kalik -
Vieri