Machine account authentication progress?
Has anything happened in this area, to allow machine authentication against AD? From reading the mailing list I believe it was a problem with ntlm_auth, is this any closer to getting fixed, if not, how do people work around it. We have laptops here that authenticate against the domain if it's available, or locally if not. There is a logon script if they are at the site. How best I work round this? -- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Hi,
Has anything happened in this area, to allow machine authentication against AD? From reading the mailing list I believe it was a problem with ntlm_auth, is this any closer to getting fixed, if not, how do people work around it. We have laptops here that authenticate against the domain if it's available, or locally if not. There is a logon script if they are at the site. How best I work round this?
we use machine authentication extensively here. whats your exact problem? alan
On 17/05/07, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Has anything happened in this area, to allow machine authentication against AD? From reading the mailing list I believe it was a problem with ntlm_auth, is this any closer to getting fixed, if not, how do people work around it. We have laptops here that authenticate against the domain if it's available, or locally if not. There is a logon script if they are at the site. How best I work round this?
we use machine authentication extensively here. whats your exact problem?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I followed the wiki howto, http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO, and it works great for user authentication, but does nothing for mchine authentication. Is there something extra I have o configure for machine access? Like the ntlm_auth line? -- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Hi,
I followed the wiki howto, http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO, and it works great for user authentication, but does nothing for mchine authentication. Is there something extra I have o configure for machine access? Like the ntlm_auth line?
basic steps 1) generate correct certs. configure eap.conf 2) bind system into the AD (needs config of samba, winbind and 'net ads join' commands as per docs all over the web 3) change permissions in winbindd_priviledged directory or ntlm_auth wont work (you'll get debug logs saying winbind_auth_crap permissions not correct etc) 4) enable the ntlm_auth line - ensuring its correct for your application/usage 5) spend time massaging the Stripped-Username or Username to ensure that you only pass the machine over to the AD during ntlm_auth - check the mailing list history for such useful methods alan
1) generate correct certs. configure eap.conf 2) bind system into the AD (needs config of samba, winbind and 'net ads join' commands as per docs all over the web 3) change permissions in winbindd_priviledged directory or ntlm_auth wont work (you'll get debug logs saying winbind_auth_crap permissions not correct etc) 4) enable the ntlm_auth line - ensuring its correct for your application/usage
5) spend time massaging the Stripped-Username or Username to ensure that you only pass the machine over to the AD during ntlm_auth - check the mailing list history for such useful methods
I have done all these steps except number 5. Are you saying that we can
now get machine names to authenticate prior to the user actually logging in? I can get it working fine after the user has logged in. It's just getting the machine to join the wireless network before log in so that they join the domain ok. -- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Hi,
I have done all these steps except number 5. Are you saying that we can now get machine names to authenticate prior to the user actually logging in? I can get it working fine after the user has logged in. It's just getting the machine to join the wireless network before log in so that they join the domain ok.
oh for sure! and whats more, the login doesnt hang - because the wireless is on and working. it means you arent relying on cached login credentials. as a side affect, the network is 'real' when the windows box starts - so all the other parts of windows works on the wireless - eg stuff you must be in the doamin for. drive mappings, GPOs, SMS bits all 'just work(tm)' BUT BEWARE one thing doesnt work. microsoft, in their wisdom, decided that the machine<->AD renegotiation of AD password key CANNOT WORK OVER AN ENCRYPTED LINK. yes. that AD password will expire. on a wired network the machine will talk to the AD to gets its new key. if you are USING the key the machine knows for the login process then that key is invalid in the AD and cannot be upgraded over the PEAP encrypted wifi link. - it also cant be updated on a PPTP link from what I've read. the default time for this to occur is 30 days IIRC. change it on the AD to longer if you want less pain. alan
On 17/05/07, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I have done all these steps except number 5. Are you saying that we can now get machine names to authenticate prior to the user actually logging in? I can get it working fine after the user has logged in. It's just getting the machine to join the wireless network before log in so that they join the domain ok.
oh for sure! and whats more, the login doesnt hang - because the wireless is on and working. it means you arent relying on cached login credentials. as a side affect, the network is 'real' when the windows box starts - so all the other parts of windows works on the wireless - eg stuff you must be in the doamin for. drive mappings, GPOs, SMS bits all 'just work(tm)'
Wow, that's awesome, I read a post which said it wasn't working so I guess it's been fixed....hoo diddly rah!!! So now I just need to see why we're getting 0 length requests and mung about with the User-Name as was stated earlier. eeek! So If I have EAP-TLS working with PEAP ie, the AD users/passwords work....am I almost there? ;) BUT BEWARE
one thing doesnt work. microsoft, in their wisdom, decided that the machine<->AD renegotiation of AD password key CANNOT WORK OVER AN ENCRYPTED LINK.
yes. that AD password will expire. on a wired network the machine will talk to the AD to gets its new key. if you are USING the key the machine knows for the login process then that key is invalid in the AD and cannot be upgraded over the PEAP encrypted wifi link. - it also cant be updated on a PPTP link from what I've read. the default time for this to occur is 30 days IIRC. change it on the AD to longer if you want less pain.
-- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Hi,
it's been fixed....hoo diddly rah!!! So now I just need to see why we're getting 0 length requests and mung about with the User-Name as was stated earlier. eeek! So If I have EAP-TLS working with PEAP ie, the AD users/passwords work....am I almost there? ;)
not just 'almost there' - yuo are there - next step is giving them all right network based on who they are..what time it is...where they are logged in from etc :-) alan
On 17/05/07, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
it's been fixed....hoo diddly rah!!! So now I just need to see why we're getting 0 length requests and mung about with the User-Name as was stated earlier. eeek! So If I have EAP-TLS working with PEAP ie, the AD users/passwords work....am I almost there? ;)
not just 'almost there' - yuo are there - next step is giving them all right network based on who they are..what time it is...where they are logged in from etc :-)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm there on the user side, just not on the machine side...at the mo they must log in first to get authenticated ;) -- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Peter Savage wrote:
Has anything happened in this area, to allow machine authentication against AD?
It works. It's worked for a long time. See the ChangeLog for 1.1.0, released over a year ago.
From reading the mailing list I believe it was a problem with ntlm_auth, is this any closer to getting fixed, if not, how do people work around it. We have laptops here that authenticate against the domain if it's available, or locally if not. There is a logon script if they are at the site. How best I work round this?
I'm not sure what you mean. So far as FreeRADIUS is concerned, "machine authentication" is just like doing user authentication. The machine uses 802.1x to get network access, and FreeRADIUS checks the credentials against Active Directory. This is *not* the same as the machine logging into the domain. It is completely different. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 17/05/07, Alan DeKok <aland@deployingradius.com> wrote:
Peter Savage wrote:
Has anything happened in this area, to allow machine authentication against AD?
It works. It's worked for a long time. See the ChangeLog for 1.1.0, released over a year ago.
From reading the mailing list I believe it was a problem with ntlm_auth, is this any closer to getting fixed, if not, how do people work around it. We have laptops here that authenticate against the domain if it's available, or locally if not. There is a logon script if they are at the site. How best I work round this?
I'm not sure what you mean.
Bsically we need to authenticate and be joined to the network, before a user logs in. IAS does this with machine/computer domain based authentication. So far as FreeRADIUS is concerned, "machine authentication" is just
like doing user authentication. The machine uses 802.1x to get network access, and FreeRADIUS checks the credentials against Active Directory.
This is *not* the same as the machine logging into the domain. It is completely different.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
I also got this as a log when the machine was trying to authenticate WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20) --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20) --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20) --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20) --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20) --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20) --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. -- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Hi,
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20)
received 0? I'm sure that they cant be THAT short. I'd advise that you get all the windows XP KB's installed...especially this one: http://support.microsoft.com/kb/885453 and of course our perenial favs - http://support.microsoft.com/kb/893357 http://support.microsoft.com/kb/917021 you'll also need to ensure that the systems are configured to use PEAP (not EAP-TLS) and dont use guest - these are settings that can be nicely pushed out via GPO. especially from an AD 2003 box which can also push WPA2 policies alan
On 17/05/07, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
WARNING: Malformed RADIUS packet from host 172.29.99.82: too short (received 0 < minimum 20)
received 0? I'm sure that they cant be THAT short. I'd advise that you get all the windows XP KB's installed...especially this one:
http://support.microsoft.com/kb/885453
and of course our perenial favs -
http://support.microsoft.com/kb/893357 http://support.microsoft.com/kb/917021
you'll also need to ensure that the systems are configured to use PEAP (not EAP-TLS) and dont use guest - these are settings that can be nicely pushed out via GPO. especially from an AD 2003 box which can also push WPA2 policies
I'll check all those, The machine itself is using PEAP, but I think the radius server is using EAP-TLS, as per the wiki, which for user authentication works fine alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
Peter Savage wrote:
I also got this as a log when the machine was trying to authenticate
WARNING: Malformed RADIUS packet from host 172.29.99.82 <http://172.29.99.82>: too short (received 0 < minimum 20)
That's fairly stupid. The access point is sending empty UDP packets to the RADIUS server. I've never seen that before. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 17/05/07, Alan DeKok <aland@deployingradius.com> wrote:
Peter Savage wrote:
I also got this as a log when the machine was trying to authenticate
WARNING: Malformed RADIUS packet from host 172.29.99.82 <http://172.29.99.82>: too short (received 0 < minimum 20)
That's fairly stupid. The access point is sending empty UDP packets to the RADIUS server.
I've never seen that before.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
~Ahhh.....hmm.....they work ok when authenticating user based, just not computer/machine based. Maybe Netgear stuff just isn;t up to it? -- Pete Savage - cbx33::silentk wiki.ubuntu.com/PeteSavage
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Peter Savage