Best Authentication Method for Various Supplicant
Hello I am running freeradius-2.17 on CentOS-5.5 box with mysql-5.0.77 as backend and daloradius-0.9-8 as the web management. I have successfully configured an tested EAP-MD5, PEAP and PAP authentication using windows 7 as supplicant with wired 802.1x authentication (no certificates used) and NAS as a Huawei Switch (Quidway S5600 Series) and seems to be working fine. Now my issues are: in my networks there are various kinds of OS running for supplicants. To name a few are Windows XP (SP2, SP3), Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have to configure AAA applicants systems in such a way all this systems are supported. Can someone help me suggest or have any idea/experience on this. What could be the best authentiation method that I can use so that all this supplicants using different OS are supported. Also I use wired connection as well as wireless connection in the network. Does anybody throw some light on this matter? Thanks in Advance -- homyang (aka puran)
homyang cha <homyang4u@gmail.com> wrote:
Now my issues are: in my networks there are various kinds of OS running for supplicants. To name a few are Windows XP (SP2, SP3), Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have to configure AAA applicants systems in such a way all this systems are supported. Can someone help me suggest or have any idea/experience on this. What could be the best authentiation method that I can use so that all this supplicants using different OS are supported. Also I use wired connection as well as wireless connection in the network. Does anybody throw some light on this matter?
Here is a summary of my five years of experience being a network analyst at a UK university... :) Mac OS X and Linux are really trivial and it is hard to write much about them, it is Microsoft that unsurprisingly once again excel at causing us so much pain. For Windows XP[1]/Vista/Win7 you have two options: * PEAP * TTLS - involves purchasing SecureW2[3] PEAP might seem appealing as it is built into Windows, however by the sounds of things all the workstations connecting are not part of your Microsoft AD (like ours) and so you cannot push out a group policy autoconfiguring everyones equipment. This means you (or rather your helldesk minions) have to manually configure every workstation by hand which can lead to corners being cut (skipping certificate validation) and misconfiguration. Until recently there was no way to avoid this nasty choice of either AD importing or manual configuration. Fortunately, one of my counterparts working also in academentia put together a collection of scripts/tools and called it SU1X[4] that lets you autoconfigure PEAP behind a single EXE. TTLS with SecureW2 is the other option and from day let you pre-seed the configuration so that everything got configured plus the handy popups and full customisation can be a nice touch if that sort of thing floats your boat, or rather your boss's. Of course, SecureW2 comes with a price tag, we personally think a *very* good one when you think of the money in hours saved in your helpdesk team costs. Things get even better when you wrap the lot up in a NSIS script like we have[5]. There is actually a technical reason that might force you to choose between PEAP and TTLS which boils down to how your passwords were stored in your backend database. If you have an LDAP backend only (where the plaintext password is not extractable) then TTLS/PAP is really your *only* option. If you have a Microsoft AD backend for your user accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2). Originally we only had an LDAP backend database, but then 'upgraded' to using Novell's Universal Password so now we no longer have the TTLS constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose *not* to offer PEAP). So, why pick one or the other, technical reasons only. SecureW2 handles certificate chaining a *lot* better than the PEAP and due to it's commercial nature it's hard for the helpdesk to cut corners and *not* use your official hand crafted blessed installer as they cannot source their own copy. PEAP however will offer you Statement of Health; speaking to the SecureW2 author though he is keen to work on adding support for this. One other win for SecureW2 is you get GTC support too, so you can do fancy things like use one time passwords (the changing key is generated by your mobile phone) which works nicely too; well it would work nicely if Alan accepted trivial patches to the GTC FreeRADIUS module (along with the LDAP one I posted...) </rant> Lucky for you SU1X is free to play with and you can also get a fully enabled trial for free of SecureW2 (man, I must sound like a sales droid). Play with both and decide what you prefer. As for the Mac OS X weenies I noticed as soon as I enabled TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to automatically configure themselves. No idea what they are like when confronted with PEAP but they would not autoconfigure TTLS/PAP :-/ The Linux users, well we are fine, you can see what we do destructions wise on our support website[6]. One of our students is slowly getting around to testing amendments I suggested to the Wicd template that should improve things further; I myself am a Debian wpa_supplicant kinda person. As for your last question regarding simulateous wired and wireless access, look around the Internet and read up about 'routing metrics'. In short, make your wifi link have a higher (lower priority) routing metric; although this overlooks source based routing issues but that is not a FreeRADIUS problem or an issue that should be discussed here. If you have any more questions then do ask. Cheers [1] I strongly recommend you just say no to SP2, hell Microsoft will no longer support it so why should you. However, if you insist on punishing yourself make sure you force an install of KB917021[2]. Really you should make a condition of getting onto the wifi/wired 802.1X network that the user has to update to the latest service pack [2] http://support.microsoft.com/kb/917021/ [3] http://www.securew2.com/ [4] http://www.ja.net/services/authentication-and-authorisation/janet-roaming/su... [5] http://stuff.digriz.org.uk/securew2-dev.zip [6] http://support.docs.lis.soas.ac.uk/connect#linux -- Alexander Clouter .sigmonster says: Massachusetts has the best politicians money can buy.
Hi Alex Thank you for the help. I am now able to authenticate users from both windows xp(2) and windows 7 using PEAP authentication type. But in Windows Vista I have a problem. Initially I am able to authenticate from windows vista but after some time its diconnects itself. I have to disable the network to authenticate again and the whole process starts again (i.e after initial authentication and network connections success it disconnects ). Can you shed some light on this. Thank You in advance.... On Sat, Sep 4, 2010 at 2:42 AM, Alexander Clouter <alex@digriz.org.uk>wrote:
homyang cha <homyang4u@gmail.com> wrote:
Now my issues are: in my networks there are various kinds of OS running for supplicants. To name a few are Windows XP (SP2, SP3), Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have to configure AAA applicants systems in such a way all this systems are supported. Can someone help me suggest or have any idea/experience on this. What could be the best authentiation method that I can use so that all this supplicants using different OS are supported. Also I use wired connection as well as wireless connection in the network. Does anybody throw some light on this matter?
Here is a summary of my five years of experience being a network analyst at a UK university... :) Mac OS X and Linux are really trivial and it is hard to write much about them, it is Microsoft that unsurprisingly once again excel at causing us so much pain.
For Windows XP[1]/Vista/Win7 you have two options: * PEAP * TTLS - involves purchasing SecureW2[3]
PEAP might seem appealing as it is built into Windows, however by the sounds of things all the workstations connecting are not part of your Microsoft AD (like ours) and so you cannot push out a group policy autoconfiguring everyones equipment. This means you (or rather your helldesk minions) have to manually configure every workstation by hand which can lead to corners being cut (skipping certificate validation) and misconfiguration.
Until recently there was no way to avoid this nasty choice of either AD importing or manual configuration. Fortunately, one of my counterparts working also in academentia put together a collection of scripts/tools and called it SU1X[4] that lets you autoconfigure PEAP behind a single EXE.
TTLS with SecureW2 is the other option and from day let you pre-seed the configuration so that everything got configured plus the handy popups and full customisation can be a nice touch if that sort of thing floats your boat, or rather your boss's. Of course, SecureW2 comes with a price tag, we personally think a *very* good one when you think of the money in hours saved in your helpdesk team costs. Things get even better when you wrap the lot up in a NSIS script like we have[5].
There is actually a technical reason that might force you to choose between PEAP and TTLS which boils down to how your passwords were stored in your backend database. If you have an LDAP backend only (where the plaintext password is not extractable) then TTLS/PAP is really your *only* option. If you have a Microsoft AD backend for your user accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2).
Originally we only had an LDAP backend database, but then 'upgraded' to using Novell's Universal Password so now we no longer have the TTLS constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose *not* to offer PEAP).
So, why pick one or the other, technical reasons only. SecureW2 handles certificate chaining a *lot* better than the PEAP and due to it's commercial nature it's hard for the helpdesk to cut corners and *not* use your official hand crafted blessed installer as they cannot source their own copy. PEAP however will offer you Statement of Health; speaking to the SecureW2 author though he is keen to work on adding support for this. One other win for SecureW2 is you get GTC support too, so you can do fancy things like use one time passwords (the changing key is generated by your mobile phone) which works nicely too; well it would work nicely if Alan accepted trivial patches to the GTC FreeRADIUS module (along with the LDAP one I posted...) </rant>
Lucky for you SU1X is free to play with and you can also get a fully enabled trial for free of SecureW2 (man, I must sound like a sales droid). Play with both and decide what you prefer.
As for the Mac OS X weenies I noticed as soon as I enabled TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to automatically configure themselves. No idea what they are like when confronted with PEAP but they would not autoconfigure TTLS/PAP :-/
The Linux users, well we are fine, you can see what we do destructions wise on our support website[6]. One of our students is slowly getting around to testing amendments I suggested to the Wicd template that should improve things further; I myself am a Debian wpa_supplicant kinda person.
As for your last question regarding simulateous wired and wireless access, look around the Internet and read up about 'routing metrics'. In short, make your wifi link have a higher (lower priority) routing metric; although this overlooks source based routing issues but that is not a FreeRADIUS problem or an issue that should be discussed here.
If you have any more questions then do ask.
Cheers
[1] I strongly recommend you just say no to SP2, hell Microsoft will no longer support it so why should you. However, if you insist on punishing yourself make sure you force an install of KB917021[2]. Really you should make a condition of getting onto the wifi/wired 802.1X network that the user has to update to the latest service pack [2] http://support.microsoft.com/kb/917021/ [3] http://www.securew2.com/ [4] http://www.ja.net/services/authentication-and-authorisation/janet-roaming/su... [5] http://stuff.digriz.org.uk/securew2-dev.zip [6] http://support.docs.lis.soas.ac.uk/connect#linux
-- Alexander Clouter .sigmonster says: Massachusetts has the best politicians money can buy.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- homyang (aka puran)
homyang cha <homyang4u@gmail.com> wrote:
Thank you for the help. I am now able to authenticate users from both windows xp(2) and windows 7 using PEAP authentication type. But in Windows Vista I have a problem. Initially I am able to authenticate from windows vista but after some time its diconnects itself. I have to disable the network to authenticate again and the whole process starts again (i.e after initial authentication and network connections success it disconnects ).
As a network guy I do not deal with problems on the desktop, it's one of those few things that I am permitted not to accept by default fault for. Also, bear in mind I did say "we do not use PEAP and never have done", asking me to help you with a PEAP problem is unlikely to get you very far. :-/ My solution is to use TTLS (with SecureW2) as it makes XP, Vista and Win7 all behave identically, and that's what I like. The author has done all the ball busting so I don't have to. :)
Can you shed some light on this.
Debian provide a bunch of ISO's and network install options for their OS over at their website...no doubt that will fix the workstation :) Cheers -- Alexander Clouter .sigmonster says: I'm not a level-headed person... -- Bruce Perens
participants (2)
-
Alexander Clouter -
homyang cha