Hello all, I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login. I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief over-view of my FreeRadius setup: 1) Clients: Windows XP & Windows 7 (Professional in both cases - NO VISTA!) 2) Currently running FreeRadius version 2.0.5 3) Currently authenticating users via TLS/PEAP with computer name/username I'm not sure what else (if anything) you might need. I am also looking at changing the FreeRadius setup to authenticate against our Windows 2008r2 Active Directory servers. We have one main location and two remote sites. Currently we have only one FreeRadius server at the main site. If the VPN connection between the main site and either / both of the remote sites goes down, the remote sites can't authenticate. My thought was to have three FreeRadius servers that would authenticate to the local copy of the AD. Having said all of this, I do not want to get to many things going at one time. I much prefer to tackle on issue at a time. Thanks in advance for any insight you may have on either/both of these issues. Scott
On 09/09/2011 03:00 PM, Scott Hughes wrote:
Hello all,
I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login.
I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief over-view of my FreeRadius setup:
1) Clients: Windows XP & Windows 7 (Professional in both cases – NO VISTA!)
2) Currently running FreeRadius version 2.0.5
3) Currently authenticating users via TLS/PEAP with computer name/username
I'm not sure what you're asking here. Pre-login auth is entirely client side. As long as FreeRADIUS can authenticate the users, it'll just work. Have you tried it? I assume you are using Samba/ntlm_auth to verify the PEAP/MSCHAP against your domain?
-----Original Message----- From: freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, September 09, 2011 9:21 AM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth On 09/09/2011 03:00 PM, Scott Hughes wrote:
Hello all,
I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login.
I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief over-view of my FreeRadius setup:
1) Clients: Windows XP & Windows 7 (Professional in both cases - NO VISTA!)
2) Currently running FreeRadius version 2.0.5
3) Currently authenticating users via TLS/PEAP with computer name/username
I'm not sure what you're asking here. Pre-login auth is entirely client side. As long as FreeRADIUS can authenticate the users, it'll just work. Have you tried it? I assume you are using Samba/ntlm_auth to verify the PEAP/MSCHAP against your domain? - My apologies for not being clear. Please ignore the second part of my post. I simply wanted to be complete in my posting as to where I currently am (authenticating via the users file) and where I would like to go in case it is relevant (authenticating via Active Domain). I am attempting to authenticate the computer name using certificates prior to the user logging in. I have configured the certificates but I am still not able to login. I've tried client certificates for user name and several variations of the computer name, but again, it did not work. I am changing the common name in the client certificate which is what it seems to key off of. Thanks, Scott
As a matter of fact, this very setup saved my bacon this week. I had to get into an older Windows7 laptop, and while my domain account was a member of the admins group, I hadn't logged on since before my most recent password change (so it had my old password cached). AND the wired settings were unknown and didn't work on any LAN I tried. So I fired up 802.11i wireless... and the pre-Windows logon text box was added to my login screen, allowing me to authenticate to FreeRADUIS (Samba/ntlm-auth) and get on the network so my machine could talk to a DC and update to use my current password. FreeRADIUS saves the day :) Steve -----Original Message----- From: freeradius-users-bounces+steven.lovaas=colostate.edu@lists.freeradius.org [mailto:freeradius-users-bounces+steven.lovaas=colostate.edu@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, September 09, 2011 8:21 AM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth On 09/09/2011 03:00 PM, Scott Hughes wrote:
Hello all,
I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login.
I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief over-view of my FreeRadius setup:
1) Clients: Windows XP & Windows 7 (Professional in both cases - NO VISTA!)
2) Currently running FreeRadius version 2.0.5
3) Currently authenticating users via TLS/PEAP with computer name/username
I'm not sure what you're asking here. Pre-login auth is entirely client side. As long as FreeRADIUS can authenticate the users, it'll just work. Have you tried it? I assume you are using Samba/ntlm_auth to verify the PEAP/MSCHAP against your domain? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Windows 7 you can configure pre-login authentication (wireless connection properties -> Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that. On Fri, 9 Sep 2011 09:00:32 -0500, "Scott Hughes" wrote: Hello all, I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login. I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief over-view of my FreeRadius setup: 1) Clients: Windows XP ">2) Currently running FreeRadius version 2.0.5 3) Currently authenticating users via TLS/PEAP with computer name/username I'm not sure what else (if anything) you might need. I am also looking at changing the FreeRadius setup to authenticate against our Windows 2008r2 Active Directory servers. We have one main location and two remote sites. Currently we have only one FreeRadius server at the main site. If the VPN connection between the main site and either / both of the remote sites goes down, the remote sites can't authenticate. My thought was to have three FreeRadius servers that would authenticate to the local copy of the AD. Having said all of this, I do not want to get to many things going at one time. I much prefer to tackle on issue at a time. Thanks in advance for any insight you may have on either/both of these issues. Scott
On 09/09/2011 03:21 PM, nf-vale wrote:
On Windows 7 you can configure pre-login authentication (wireless connection properties -> Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that.
This is possible in XP SP3. I can't remember if the UI is exposed, but you can definitely do it with group policy or netsh/XML profiles.
-----Original Message----- From: freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, September 09, 2011 9:31 AM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth On 09/09/2011 03:21 PM, nf-vale wrote:
On Windows 7 you can configure pre-login authentication (wireless connection properties -> Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that.
This is possible in XP SP3. I can't remember if the UI is exposed, but you can definitely do it with group policy or netsh/XML profiles. I am using group policy to create the profile for everyone (currently just me) in the 'Wireless' group. Thanks, Scott
On Windows 7 you can configure pre-login authentication (wireless connection properties -> Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that.
Yes it is .. just check the box for "authenticate as computer account" in the wireless properties (in XP). IIRC this was introduced when they finally fixed the supplicant in sp2. The credentials come across as COMPUTERNAME$ Regards, Michael Holstein Cleveland State University
On Fri, 9 Sep 2011 09:00:32 -0500, "Scott Hughes" wrote:
Hello all,
I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login.
I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief over-view of my FreeRadius setup:
1) Clients: Windows XP ">2) Currently running FreeRadius version 2.0.5
3) Currently authenticating users via TLS/PEAP with computer name/username
I'm not sure what else (if anything) you might need. I am also looking at changing the FreeRadius setup to authenticate against our Windows 2008r2 Active Directory servers. We have one main location and two remote sites. Currently we have only one FreeRadius server at the main site. If the VPN connection between the main site and either / both of the remote sites goes down, the remote sites can't authenticate. My thought was to have three FreeRadius servers that would authenticate to the local copy of the AD. Having said all of this, I do not want to get to many things going at one time. I much prefer to tackle on issue at a time.
Thanks in advance for any insight you may have on either/both of these issues.
Scott
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----Original Message----- From: Michael Holstein [mailto:michael.holstein@csuohio.edu] Sent: Friday, September 09, 2011 10:23 AM To: FreeRadius users mailing list Cc: scott@renshawauto.net Subject: Re: Windows Pre-Login Auth
On Windows 7 you can configure pre-login authentication (wireless connection properties -> Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that.
Yes it is .. just check the box for "authenticate as computer account" in the wireless properties (in XP). IIRC this was introduced when they finally fixed the supplicant in sp2. The credentials come across as COMPUTERNAME$ Regards, Michael Holstein Cleveland State University Thanks for the response. What I get in my radius.log is: Auth: Login incorrect: [host/COMPUTERNAME.ad-domain.local/<via Auth-Type = EAP>] (from client AP port 5136 cli <mac address here>) Scott
-----Original Message----- From: Michael Holstein [mailto:michael.holstein@csuohio.edu] Sent: Friday, September 09, 2011 10:23 AM To: FreeRadius users mailing list Cc: scott@renshawauto.net Subject: Re: Windows Pre-Login Auth
On Windows 7 you can configure pre-login authentication (wireless connection properties -> Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that.
Yes it is .. just check the box for "authenticate as computer account" in the wireless properties (in XP). IIRC this was introduced when they finally fixed the supplicant in sp2. The credentials come across as COMPUTERNAME$ Regards, Michael Holstein Cleveland State University Also, would it be better to get the AD authentication working BEFORE I attempt to authenticate prior to login or is it the same either way? Thanks, Scott
On 09/09/2011 04:23 PM, Scott Hughes wrote:
Also, would it be better to get the AD authentication working BEFORE I attempt to authenticate prior to login or is it the same either way?
AD auth is a pre-requisite for machine auth. So yes, it would be better to do that first! (Please make your email client quote in the standard way!)
-----Original Message----- From: freeradius-users- bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius- users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, September 09, 2011 10:39 AM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth
On 09/09/2011 04:23 PM, Scott Hughes wrote:
Also, would it be better to get the AD authentication working BEFORE I attempt to authenticate prior to login or is it the same either way?
AD auth is a pre-requisite for machine auth. So yes, it would be better to do that first!
(Please make your email client quote in the standard way!) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Better on the quoting? Thanks, Scott
Once you have Samba and AD talking via winbind, it is pretty straightforward. You can configure all the machines via Group Policy I have used this post, pretty much to the T: http://lists.cistron.nl/pipermail/freeradius-users/2009-March/msg00231.html Good luck On 9/9/2011 8:51 AM, Scott Hughes wrote:
-----Original Message----- From: freeradius-users- bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius- users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, September 09, 2011 10:39 AM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth
On 09/09/2011 04:23 PM, Scott Hughes wrote:
Also, would it be better to get the AD authentication working BEFORE I attempt to authenticate prior to login or is it the same either way? AD auth is a pre-requisite for machine auth. So yes, it would be better to do that first!
(Please make your email client quote in the standard way!) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Better on the quoting?
Thanks, Scott
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----Original Message----- From: freeradius-users- bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius- users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Commonn Systems Sent: Friday, September 09, 2011 4:54 PM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth
Once you have Samba and AD talking via winbind, it is pretty straightforward. You can configure all the machines via Group Policy I have used this post, pretty much to the T: http://lists.cistron.nl/pipermail/freeradius-users/2009- March/msg00231.html
Good luck
Thanks!! Scott
-----Original Message-----
From: freeradius-users- bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius- users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Commonn Systems Sent: Friday, September 09, 2011 4:54 PM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth
Once you have Samba and AD talking via winbind, it is pretty straightforward. You can configure all the machines via Group Policy I have used this post, pretty much to the T: http://lists.cistron.nl/pipermail/freeradius-users/2009- March/msg00231.html
Good luck
I am running into an issue attempting to make FreeRadius authenticate via AD. I am using FreeRadius version: 2.1.7, for host x86_64-redhat-linux-gnu and I am using the following version for Samba/Winbind: 3.5.4-0.70.el5_6.1 I can join the domain and get a list of users, and complete the ntlm_auth step successfully. However, when I attempt to use a real AD username and password I get an Access-Reject. ---------------------------------------------------------------------------- ------------------------------------ Here is the command I am sending to the FreeRadius server: radtest scott kjsdfh7823 localhost 0 testing123 ---------------------------------------------------------------------------- --------------------------------------- Here is what the Radius -X output shows: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57 User-Name = "scott" User-Password = "kjsdfh7823" NAS-IP-Address = 10.119.189.35 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "scott", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 206 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No MS-CHAP-Challenge in the request ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scott attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 38 to 127.0.0.1 port 49689 Waking up in 4.9 seconds. Cleaning up request 0 ID 38 with timestamp +17 Ready to process requests. ---------------------------------------------------------------------------- -------------- I think the line above (in the radius -X output) that reads, "[mschap] No MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not testing it properly for MS-Chap - sending a cleartext username and password instead of what the MS-Chap module expects?). Any assistance would be greatly appreciated. I have and am continuing to scour the internet for anything that might fix this issue. Thanks, Scott
I think the line above (in the radius -X output) that reads, "[mschap] No MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not testing it properly for MS-Chap - sending a cleartext username and password instead of what the MS-Chap module expects?).
You hardcoded Auth-Type := MS-CHAP didn't you? You know how the wiki and the users file and numerous posts on the mailing list say that setting Auth-Type manually is wrong? You might want to follow their advice...
Any assistance would be greatly appreciated. I have and am continuing to scour the internet for anything that might fix this issue.
http://wiki.freeradius.org/NTLM-Auth-with-PAP-HOWTO -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
-----Original Message----- From: Arran Cudbard-Bell [mailto:a.cudbardb@freeradius.org] Sent: Saturday, September 10, 2011 11:36 AM To: scott@renshawauto.net; FreeRadius users mailing list Subject: Re: Windows Pre-Login Auth
I think the line above (in the radius -X output) that reads, "[mschap] No MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not testing it properly for MS-Chap - sending a cleartext username and password instead of what the MS-Chap module expects?).
You hardcoded Auth-Type := MS-CHAP didn't you? You know how the wiki and the users file and numerous posts on the mailing list say that setting Auth-Type manually is wrong? You might want to follow their advice...
Any assistance would be greatly appreciated. I have and am continuing to scour the internet for anything that might fix this issue.
http://wiki.freeradius.org/NTLM-Auth-with-PAP-HOWTO
-Arran
Arran Cudbard-Bell a.cudbardb@freeradius.org
RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
Thank you for the reply Arran. Yes, I did hard code the Auth-Type as instructed for test purposes. I commented the hard-coding out and still have the same results as above. Thanks, Scott
Scott Hughes wrote:
Thank you for the reply Arran. Yes, I did hard code the Auth-Type as instructed for test purposes. I commented the hard-coding out and still have the same results as above.
See the Wiki for examples of how to configure AD login with FreeRADIUS. See also my web page: http://deployingradius.com This is documented, and it works. Alan DeKok.
-----Original Message----- From: Alan T DeKok [mailto:aland@freeradius.org] Sent: Saturday, September 10, 2011 12:22 PM To: scott@renshawauto.net; FreeRadius users mailing list Subject: Re: Windows Pre-Login Auth
Scott Hughes wrote:
Thank you for the reply Arran. Yes, I did hard code the Auth-Type as instructed for test purposes. I commented the hard-coding out and still have the same results as above.
See the Wiki for examples of how to configure AD login with FreeRADIUS.
See also my web page: http://deployingradius.com
This is documented, and it works.
Alan DeKok.
Will do. Thanks Alan. Scott
What does your mschap module configuration look like? Having the radiusd -X output before the request would be helpful too. Gondar On 9/10/2011 8:52 AM, Scott Hughes wrote:
-----Original Message-----
From: freeradius-users- bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius- users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Commonn Systems Sent: Friday, September 09, 2011 4:54 PM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth
Once you have Samba and AD talking via winbind, it is pretty straightforward. You can configure all the machines via Group Policy I have used this post, pretty much to the T: http://lists.cistron.nl/pipermail/freeradius-users/2009- March/msg00231.html
Good luck
I am running into an issue attempting to make FreeRadius authenticate via AD. I am using FreeRadius version: 2.1.7, for host x86_64-redhat-linux-gnu and I am using the following version for Samba/Winbind: 3.5.4-0.70.el5_6.1
I can join the domain and get a list of users, and complete the ntlm_auth step successfully.
However, when I attempt to use a real AD username and password I get an Access-Reject.
---------------------------------------------------------------------------- ------------------------------------
Here is the command I am sending to the FreeRadius server:
radtest scott kjsdfh7823 localhost 0 testing123
---------------------------------------------------------------------------- ---------------------------------------
Here is what the Radius -X output shows:
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57 User-Name = "scott" User-Password = "kjsdfh7823" NAS-IP-Address = 10.119.189.35 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "scott", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 206 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No MS-CHAP-Challenge in the request ++[mschap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scott attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 38 to 127.0.0.1 port 49689 Waking up in 4.9 seconds. Cleaning up request 0 ID 38 with timestamp +17 Ready to process requests. ---------------------------------------------------------------------------- --------------
I think the line above (in the radius -X output) that reads, "[mschap] No MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not testing it properly for MS-Chap - sending a cleartext username and password instead of what the MS-Chap module expects?).
Any assistance would be greatly appreciated. I have and am continuing to scour the internet for anything that might fix this issue.
Thanks, Scott
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----Original Message----- From: freeradius-users- bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius- users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Commonn Systems Sent: Saturday, September 10, 2011 1:30 PM To: freeradius-users@lists.freeradius.org Subject: Re: Windows Pre-Login Auth
What does your mschap module configuration look like? Having the radiusd - X output before the request would be helpful too.
Gondar
It seems to be working now. Will be testing it on a client (myself) shortly. Thanks, Scott
participants (8)
-
Alan T DeKok -
Arran Cudbard-Bell -
Commonn Systems -
Lovaas,Steven -
Michael Holstein -
nf-vale -
Phil Mayers -
Scott Hughes