Radius-based windows authentication
Hello, I'm working on VLAN assignement with FreeRadius, with windows XP users. The FreeRadius server is using openLdap, and works overs EAP-TTLS. The goal of my work is for the users to be on different Vlans depending on their status. The radius part is working fine, since the switch sets the right vlan when the user gives his login and password. My question was : is it possible to authenticate via radius at the windows login screen ? For now, it is using the samba database, but if I want to set up a dynamic vlan assignement, the network needs to be up before the samba partitions are mounted. Thanks !
Mike Perdide wrote:
Hello,
I'm working on VLAN assignement with FreeRadius, with windows XP users. The FreeRadius server is using openLdap, and works overs EAP-TTLS.
The goal of my work is for the users to be on different Vlans depending on their status.
The radius part is working fine, since the switch sets the right vlan when the user gives his login and password.
My question was : is it possible to authenticate via radius at the windows login screen ?
Is the windows machine a domain member?
For now, it is using the samba database, but if I want to set up a dynamic vlan assignement, the network needs to be up before the samba partitions are mounted.
This last paragraph doesn't make sense to me. I don't know what "samba database" and "samba partitions" are. I think you are asking "is it possible for the client to do 802.1x with the username/password typed into the login box" and the answer is "yes". There are three ways to achieve this (that I know of). 1. Using the windows native supplicant and machine account authentication. Basically the process is this: * machine powers on - no-one logged in * machine uses its own domain account to login "host/$machinename" * user presses ctrl+alt+del * machine validates credentials to the domain controller, over the current network connection * machine downloads the users profile * once the profile is download, the machine does an EAP-Logoff and then re-authenticates using the user credentials * when the user logs out, the machine does and EAP-Logoff and then logs back in using the machine account 2. Using cached profiles - the user logs in without a network connection using a cached profile, then 802.1x starts 3. Using a different supplicant which has a GINA plugin; I believe the Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which is open source) may. Obviously you have to install software.
Phil Mayers wrote:
Is the windows machine a domain member? No it's not. Only the users are.
I think you are asking "is it possible for the client to do 802.1x with the username/password typed into the login box" and the answer is "yes". That's exactly my question, thanks ;).
1. Using the windows native supplicant and machine account authentication. Basically the process is this: * machine powers on - no-one logged in * machine uses its own domain account to login "host/$machinename" * user presses ctrl+alt+del When you say user presses ctrl+alt+del, you mean that he closes the session and uses his own login ?
* machine validates credentials to the domain controller, over the current network connection
How did the machine obtain network connection ?
* machine downloads the users profile * once the profile is download, the machine does an EAP-Logoff and then re-authenticates using the user credentials * when the user logs out, the machine does and EAP-Logoff and then logs back in using the machine account
3. Using a different supplicant which has a GINA plugin; I believe the Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which is open source) may. Obviously you have to install software. I am currently using SecureW2 TTLS, and I did not see such thing as GINA plugin. I am gonna look for documentation about that.
Thanks for your help.
Mike Perdide wrote:
Phil Mayers wrote:
Is the windows machine a domain member? No it's not. Only the users are.
? When you sit at the login screen, and press ctrl+alt+del, are you logging in with a username and password which is checked against the domain controllers? If so, then the machine *is* joined into the domain.
I think you are asking "is it possible for the client to do 802.1x with the username/password typed into the login box" and the answer is "yes". That's exactly my question, thanks ;).
1. Using the windows native supplicant and machine account authentication. Basically the process is this: * machine powers on - no-one logged in * machine uses its own domain account to login "host/$machinename" * user presses ctrl+alt+del When you say user presses ctrl+alt+del, you mean that he closes the session and uses his own login ?
No. The machine is sitting at the login prompt, and the user presses ctrl+alt+del to bring up the login box.
* machine validates credentials to the domain controller, over the current network connection
How did the machine obtain network connection ?
* machine downloads the users profile * once the profile is download, the machine does an EAP-Logoff and then re-authenticates using the user credentials * when the user logs out, the machine does and EAP-Logoff and then logs back in using the machine account
3. Using a different supplicant which has a GINA plugin; I believe the Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which is open source) may. Obviously you have to install software.
I am currently using SecureW2 TTLS, and I did not see such thing as GINA plugin. I am gonna look for documentation about that.
Phil Mayers wrote:
Is the windows machine a domain member? No it's not. Only the users are. ?
When you sit at the login screen, and press ctrl+alt+del, are you logging in with a username and password which is checked against the domain controllers? If so, then the machine *is* joined into the domain. You're right, it is, I am not familiar with the windows domains.
* machine validates credentials to the domain controller, over the current network connection
How did the machine obtain network connection ? It has to go throught freeradius authorization, hasn't it ?
Hi,
Phil Mayers wrote:
Is the windows machine a domain member? No it's not. Only the users are. ?
When you sit at the login screen, and press ctrl+alt+del, are you logging in with a username and password which is checked against the domain controllers? If so, then the machine *is* joined into the domain. You're right, it is, I am not familiar with the windows domains.
* machine validates credentials to the domain controller, over the current network connection
How did the machine obtain network connection ? It has to go throught freeradius authorization, hasn't it ?
yep alan
Mike Perdide wrote:
Phil Mayers wrote:
Is the windows machine a domain member? No it's not. Only the users are. ?
When you sit at the login screen, and press ctrl+alt+del, are you logging in with a username and password which is checked against the domain controllers? If so, then the machine *is* joined into the domain. You're right, it is, I am not familiar with the windows domains.
* machine validates credentials to the domain controller, over the current network connection
How did the machine obtain network connection ? It has to go throught freeradius authorization, hasn't it ?
Yes, using the machine account
2008/4/25 Phil Mayers <p.mayers@imperial.ac.uk>:
Mike Perdide wrote:
Hello,
I'm working on VLAN assignement with FreeRadius, with windows XP users. The FreeRadius server is using openLdap, and works overs EAP-TTLS. The goal of my work is for the users to be on different Vlans depending on their status. The radius part is working fine, since the switch sets the right vlan when the user gives his login and password.
My question was : is it possible to authenticate via radius at the windows login screen ?
Is the windows machine a domain member?
For now, it is using the samba database, but if I want to set up a dynamic
vlan assignement, the network needs to be up before the samba partitions are mounted.
This last paragraph doesn't make sense to me. I don't know what "samba database" and "samba partitions" are.
I think you are asking "is it possible for the client to do 802.1x with the username/password typed into the login box" and the answer is "yes". There are three ways to achieve this (that I know of).
1. Using the windows native supplicant and machine account authentication. Basically the process is this: * machine powers on - no-one logged in * machine uses its own domain account to login "host/$machinename" * user presses ctrl+alt+del * machine validates credentials to the domain controller, over the current network connection * machine downloads the users profile * once the profile is download, the machine does an EAP-Logoff and then re-authenticates using the user credentials * when the user logs out, the machine does and EAP-Logoff and then logs back in using the machine account
2. Using cached profiles - the user logs in without a network connection using a cached profile, then 802.1x starts
3. Using a different supplicant which has a GINA plugin; I believe the Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which is open source) may. Obviously you have to install software.
The Odyssey client can certainly do this but it is very important to note that GINA is not making use of the RADIUS server to actually authenticate the user to the Windows machine. It is simply stopping the windows login, taking a copy of the credentials typed into the windows login screen and using those to authenticate using 802.1x so that a secured port is open *before* the windows login is complete, then once the 802.1x process is complete, it returns control of the login process back to windows which authenticates the user either against the local database or using the Active Directory service. Normally, for this to work well, you would have the RADIUS server used for the 802.1x authentication make a call to the AD servers too (using either NTLM or LDAP). That way, you actually have two calls made to the AD, one by the RADIUS server and then another by the user's PC. The dynamic VLAN assignment is almost invariably performed as part of the 802.1x RADIUS authentication response and the actual mechanism used depends very much on the vendor of your Authenticator (the switch or AP). Rgds, Guy
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Guy Davies -
Mike Perdide -
Phil Mayers