Hello, I'm new to using radius servers and I have a few questions on best practices and design. We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates. In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers. Then I need to configure my switches to connect use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network. As far as the switches goes I don't have any questions, its fairly straight forward.
My questions are as follows: Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS? I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only? Do I need a signed third party certificate or can I use a self signed one? Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate? Is there anything else I am missing? Thanks, Dan.
Dan Letkeman wrote:
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
Yes.
Then I need to configure my switches to connect use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network.
No... you need to configure the switches to use 802.1X authentication. They will then automatically allow traffic for authenticated devices.
My questions are as follows:
Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
That will work.
I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
That will work.
Do I need a signed third party certificate or can I use a self signed one?
You can use a self-signed certificate. See the Wiki for an EAP-TLS "howto".
Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
There is nothing to prevent the user from exporting the certificate.
Is there anything else I am missing?
No. Alan DeKok.
Thank you for the quick reply. Would you recommend doing anything differently? Perhaps a different EAP type? If I wanted redundancy should I just setup a secondary radius server with the same settings and add it to the list of servers that are available? Thanks, Dan. On Thu, Feb 2, 2012 at 1:16 AM, Alan DeKok <aland@deployingradius.com> wrote:
Dan Letkeman wrote:
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
Yes.
Then I need to configure my switches to connect use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network.
No... you need to configure the switches to use 802.1X authentication. They will then automatically allow traffic for authenticated devices.
My questions are as follows:
Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
That will work.
I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
That will work.
Do I need a signed third party certificate or can I use a self signed one?
You can use a self-signed certificate. See the Wiki for an EAP-TLS "howto".
Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
There is nothing to prevent the user from exporting the certificate.
Is there anything else I am missing?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates.
In Windows, using the built-in supplicant, you have the following choices: PEAP/MS-CHAPv2 - "user" EAP-TLS - certificate ("user" or "computer") PEAP/EAP-TLS - certificate, again user or computer. Windows barfs if you ask PEAP to supply a client certificate, so you can't do certificate auth AND user/password at the same time. If you install a third-party supplicant then it will likely have many different EAP methods, read up on what you're getting first.
In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.
There are few reasons why you'd want to go to the extra config of PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer auth (certificate in the computer 'personal' store, not in the user 'personal' store), the network will come up soon after the machine boots, before the GINA login (for wireless, assuming it's set to automatically connect). This sounds like what you want.
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
See above. Built-in supplicant with EAP-TLS is probably your easiest route.
I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
That's one way to do it - you need WPA2 enterprise (the enterprise bit being the important word). "Computer auth only" set means it won't go looking for certs in users personal certificate store, which is probably what you want.
Do I need a signed third party certificate or can I use a self signed one?
Best practise is to create your own CA & sign using that. You really must use your own CA for client cert validation with EAP-TLS unless you want to allow anyone on.
Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network?
[certificate and key] Yes.
Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
You can generally set keys as 'non-exportable'. Of couse, that's just a flag, and doesn't actually mean that there isn't a way to get the key out. Google will give you an answer for extracting Windows keys after a quick search (I haven't tried it). Just remember, the cert is on the device that the user is holding. If you detect that a certificate has been compromised (heuristics such as checking certificate always comes from same MAC address might help) then you revoke the cert (CRL / OCSP) and haul the user in...
Is there anything else I am missing?
Coffee. Drink lots of coffee. On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
If I wanted redundancy should I just setup a secondary radius server with the same settings and add it to the list of servers that are available?
Yes. Your NAS should rotate round the available RADIUS servers if one stops responding. Cheers, Matthew [0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why, and a mini "how-to" at http://q.asd.me.uk/pet -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Hi,
On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates.
In Windows, using the built-in supplicant, you have the following choices:
PEAP/MS-CHAPv2 - "user" EAP-TLS - certificate ("user" or "computer") PEAP/EAP-TLS - certificate, again user or computer.
Windows barfs if you ask PEAP to supply a client certificate, so you can't do certificate auth AND user/password at the same time.
If you install a third-party supplicant then it will likely have many different EAP methods, read up on what you're getting first.
In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up.
There are few reasons why you'd want to go to the extra config of PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer auth (certificate in the computer 'personal' store, not in the user 'personal' store), the network will come up soon after the machine boots, before the GINA login (for wireless, assuming it's set to automatically connect). This sounds like what you want.
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?
Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
See above. Built-in supplicant with EAP-TLS is probably your easiest route.
I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
That's one way to do it - you need WPA2 enterprise (the enterprise bit being the important word). "Computer auth only" set means it won't go looking for certs in users personal certificate store, which is probably what you want.
Do I need a signed third party certificate or can I use a self signed one?
Best practise is to create your own CA & sign using that. You really must use your own CA for client cert validation with EAP-TLS unless you want to allow anyone on.
Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network?
[certificate and key] Yes.
Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
You can generally set keys as 'non-exportable'. Of couse, that's just a flag, and doesn't actually mean that there isn't a way to get the key out. Google will give you an answer for extracting Windows keys after a quick search (I haven't tried it). Just remember, the cert is on the device that the user is holding.
If you detect that a certificate has been compromised (heuristics such as checking certificate always comes from same MAC address might help) then you revoke the cert (CRL / OCSP) and haul the user in...
Is there anything else I am missing?
Coffee. Drink lots of coffee.
On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
If I wanted redundancy should I just setup a secondary radius server with the same settings and add it to the list of servers that are available?
Yes. Your NAS should rotate round the available RADIUS servers if one stops responding.
Cheers,
Matthew
[0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why, and a mini "how-to" at http://q.asd.me.uk/pet
Very nice. This will be helpful.
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Feb 02, 2012 at 06:27:31PM -0600, Dan Letkeman wrote:
On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?
This is probably the main argument people have against EAP-TLS - managing certificates. Yes, you _could_ put the same private key and certificate on one device, but then when that key gets copied/compromised, when one laptop gets stolen and you want it off your network, what do you do? You've now got to update ALL your clients with a new key/cert, rather than just revoke the key of the one that got compromised. ...and you probably have no clue where the key was copied from, so which user to blame. Looking at it the other way, would you let all your users log in with the same username and password? In short, don't. If you've got a Windows domain you should be able to use Microsoft Certificate Services to do it for you. At least, I think that's what the guys here do. All clients automatically get a certificate (I assume as part of the domain join procedure & associated policy, but I'm not knowledgeable enough in that area to be sure). I don't know if you can use that when not in a domain. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Il 03/02/2012 01:27, Dan Letkeman ha scritto:
That will work, but you shouldn't. Create a different certificate for each client, and for the radius server, all signed by the same CA.
This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this? The other method is worse, as Matthew said :) Just email every user the cert to install together with the instructions to do so.
Or you could evaluate joining machines to AD, then perform just machine authentication or choose to do both machine auth and user auth so you could place machines with no domain user logged in on a VLAN and machines with specific domain users on another. This way local users can only have "minimal" network access, while authenticated users can access "reserved" portions of your network. And you can remotely manage machines as soon as they're connected. BYtE, Diego.
On 02/03/2012 12:27 AM, Dan Letkeman wrote:
This would be a nightmare to manage. We have 2000+ clients. I see the advantage, if the certificate was compromised that this would be important, but how in the world would you manage this?
Use the Microsoft CA, and use machine auto-enrollment. It's the only sensible way, if you want to use certs. Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth.
Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eEdirectory, and the computers are not assgined to the users, they are all shared computer labs. This is why having separate certs for each machine is impossible as we would have to go around and install each cert manually on each machine. I think I am stuck with using at best using the same cert for each computer lab. I think that would make more sense. Dan. On Fri, Feb 3, 2012 at 7:33 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth.
this is what we do for machine authentication (wired/wireless)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/03/2012 02:08 PM, Dan Letkeman wrote:
Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eEdirectory, and the computers are not assgined to the users, they are all shared computer labs. This is why
Ah. This has come up on the list before. I seem to recall you are correct, and that it's hard to make this work.
having separate certs for each machine is impossible as we would have to go around and install each cert manually on each machine. I think I am stuck with using at best using the same cert for each computer lab.
I think that would make more sense.
Well, it's not very secure, but if that's your only option...
When private key corresponding to digital certificate is stored on computer's hard disk it is not stored securely. The only way to store private key securely is using smart card. Private key is stored on smart card in a way that it cannot be read. Computer send data to the smart card and smart card will perform cryptography with stored private key and send result to the computer. So the private key is never transported outside smart card. You can connect a smart card to each computer. There are USB smart card readers. To avoid smart card theft you can connect reader to mother board internal usb header and mount smart card reader inside the computer case. You also need to protect each computer case with electromechanical (solenoid) lock. There are motherboards with integrated cryptographic processor (so named trusted platform module). I think TPM should provide features similar to smart card. But I don't have one and I'm not sure. -- Iliya Peregoudov Dan Letkeman wrote:
Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eEdirectory, and the computers are not assgined to the users, they are all shared computer labs. This is why having separate certs for each machine is impossible as we would have to go around and install each cert manually on each machine. I think I am stuck with using at best using the same cert for each computer lab.
I think that would make more sense.
Dan.
Hi,
Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth. this is what we do for machine authentication (wired/wireless)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Feb 3, 2012 at 7:33 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Il 04/02/2012 07:51, Iliya Peregoudov ha scritto:
When private key corresponding to digital certificate is stored on computer's hard disk it is not stored securely. The only way to store private key securely is using smart card. The best security is when you generate the key on the card: you can be quite sure nobody else will be able to read that key. To avoid using a "big" smartcard paired with an even bigger card reader, you can use a "token": it's like a small USB pen, but incorporates both a card and a reader.
Many motherboards have an onboard USB type-A port exactly for this purpose. While TPM in Linux is handled quite in the same way as a SmartCard, I have no idea about how it's handled in Win (but probably it integrates well in the login chain). BYtE, Diego.
participants (7)
-
Alan Buxey -
Alan DeKok -
Dan Letkeman -
Iliya Peregoudov -
Matthew Newton -
NdK -
Phil Mayers