Emulate AD-based machine authentication
Our current wireless environment uses Microsoft Active Directory with Microsoft Network Policy Server to authenticate our 802.1x wireless network. As it is configured, it supports user authentication via PEAP and mschapv2, and it also supports what NPS calls "machine authentication". Which, based on its behavior allows any computer joined to the domain to access the network with user credentials. As an example, this is useful for loaner laptops where the computer needs access to the network in order to authenticate the user against AD. I am trying to replace our current Microsoft NPS server with freeradius. I was able to follow the docs and use winbind to get PEAP-mschap user authentication working flawlessly. The last piece of this puzzle is, NPS has a "magic checkbox" that enables machine-based authentication. I have been trying to figure out what that checkbox does, without much luck. My best guess is that it's using the Active Directory certificates to do EAP-TLS auth, but that is just my guess. Has anyone ever tried to replicate this feature? or have any insight? I realize this isn't strictly a freeradius question, but thought I would ask. -- Munroe Sollog Senior Network Engineer munroe@lehigh.edu
Hi Munroe, The Microsoft NPE is a blackbox like any other proprietary. Therefore, have you tried to capture/sniffer the packets between your NAS <-> NPS? Maybe It could be a good way to figure out which attributes/avps they are talking. Otherwise, it would be good if you could share with us the “radius -Xx” output of the communication between them. --- Jorge Pereira jpereira@freeradius.org
On 18 Feb 2020, at 12:28, Munroe Sollog <mus3@lehigh.edu> wrote:
Our current wireless environment uses Microsoft Active Directory with Microsoft Network Policy Server to authenticate our 802.1x wireless network. As it is configured, it supports user authentication via PEAP and mschapv2, and it also supports what NPS calls "machine authentication". Which, based on its behavior allows any computer joined to the domain to access the network with user credentials. As an example, this is useful for loaner laptops where the computer needs access to the network in order to authenticate the user against AD.
I am trying to replace our current Microsoft NPS server with freeradius. I was able to follow the docs and use winbind to get PEAP-mschap user authentication working flawlessly. The last piece of this puzzle is, NPS has a "magic checkbox" that enables machine-based authentication. I have been trying to figure out what that checkbox does, without much luck.
My best guess is that it's using the Active Directory certificates to do EAP-TLS auth, but that is just my guess. Has anyone ever tried to replicate this feature? or have any insight? I realize this isn't strictly a freeradius question, but thought I would ask.
-- Munroe Sollog Senior Network Engineer munroe@lehigh.edu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, if winbind works for you, the "machine auth" should too. When windows supplicant is set to do machine auth, it uses username in form of 'host/hostname.your.domain'. Internaly in AD, it's an object similar to user account, with additional class(es). It has it's own samaccountname. userprincipalname. Also it has password, which is changed by default every 30 days ( https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-passwor... ). Here is example machine auth request from debug log. (0) Received Access-Request Id 114 from 172.24.254.250:32774 to 172.24.1.6:1812 length 344 (0) User-Name = "host/PROBOOK.ABC.cz" (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civic-Location (0) Calling-Station-Id = "20-10-7a-01-77-fe" (0) Called-Station-Id = "3c-ce-73-6d-3a-50:ABC" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9" (0) Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853" (0) Cisco-AVPair = "mDNS=true" (0) NAS-IP-Address = 172.25.100.100 (0) NAS-Identifier = "CT2504_100.100" (0) Airespace-Wlan-Id = 1 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "666" (0) EAP-Message = 0x... (0) Message-Authenticator = 0x... Run your radiusd in radiusd -X and set windows to do machine auth, and you will see something similar as above. The in post-auth you can for example do some checking like if ( &User-Name =~ /^host\/.*$/) { update reply { ... } ... Hope that helps, P. On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3@lehigh.edu> wrote:
I am trying to replace our current Microsoft NPS server with freeradius. I was able to follow the docs and use winbind to get PEAP-mschap user authentication working flawlessly. The last piece of this puzzle is, NPS has a "magic checkbox" that enables machine-based authentication. I have been trying to figure out what that checkbox does, without much luck.
My best guess is that it's using the Active Directory certificates to do EAP-TLS auth, but that is just my guess. Has anyone ever tried to replicate this feature? or have any insight? I realize this isn't strictly a freeradius question, but thought I would ask.
-- Munroe Sollog Senior Network Engineer munroe@lehigh.edu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Interesting, thanks for the help.
On Wed, Feb 19, 2020 at 4:00 AM Josef Vybíhal <josef.vybihal@gmail.com>
wrote:
> Hi,
> if winbind works for you, the "machine auth" should too. When windows
> supplicant is set to do machine auth, it uses username in form of
> 'host/hostname.your.domain'. Internaly in AD, it's an object similar to
> user account, with additional class(es). It has it's own samaccountname.
> userprincipalname. Also it has password, which is changed by default every
> 30 days (
>
> https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-password-process-2
> ).
>
> Here is example machine auth request from debug log.
> (0) Received Access-Request Id 114 from 172.24.254.250:32774 to
> 172.24.1.6:1812 length 344
> (0) User-Name = "host/PROBOOK.ABC.cz"
> (0) Chargeable-User-Identity = 0x00
> (0) Location-Capable = Civic-Location
> (0) Calling-Station-Id = "20-10-7a-01-77-fe"
> (0) Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
> (0) NAS-Port = 1
> (0) Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9"
> (0) Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853"
> (0) Cisco-AVPair = "mDNS=true"
> (0) NAS-IP-Address = 172.25.100.100
> (0) NAS-Identifier = "CT2504_100.100"
> (0) Airespace-Wlan-Id = 1
> (0) Service-Type = Framed-User
> (0) Framed-MTU = 1300
> (0) NAS-Port-Type = Wireless-802.11
> (0) Tunnel-Type:0 = VLAN
> (0) Tunnel-Medium-Type:0 = IEEE-802
> (0) Tunnel-Private-Group-Id:0 = "666"
> (0) EAP-Message = 0x...
> (0) Message-Authenticator = 0x...
>
> Run your radiusd in radiusd -X and set windows to do machine auth, and you
> will see something similar as above.
>
>
> The in post-auth you can for example do some checking like
> if ( &User-Name =~ /^host\/.*$/) {
> update reply {
> ...
> }
> ...
>
>
> Hope that helps,
>
> P.
>
>
>
>
> On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3@lehigh.edu> wrote:
>
> > I am trying to replace our current Microsoft NPS server with
> freeradius. I
> > was able to follow the docs and use winbind to get PEAP-mschap user
> > authentication working flawlessly. The last piece of this puzzle is, NPS
> > has a "magic checkbox" that enables machine-based authentication. I have
> > been trying to figure out what that checkbox does, without much luck.
> >
> > My best guess is that it's using the Active Directory certificates to do
> > EAP-TLS auth, but that is just my guess. Has anyone ever tried to
> > replicate this feature? or have any insight? I realize this isn't
> strictly
> > a freeradius question, but thought I would ask.
> >
> >
> >
> > --
> > Munroe Sollog
> > Senior Network Engineer
> > munroe@lehigh.edu
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Munroe Sollog
Senior Network Engineer
munroe@lehigh.edu
I was able to track down the problem a bit and wanted to share my findings
for the next guy.
It seems that Windows 10 (didn't test older OSes) will automatically trust
a certificate presented to it by a radius server *if* the certificate is
signed by a CA that exists in the systems CA store (GoDaddy, Thawte,
Verisign, etc...) when doing machine-based authentication. In my
environment, our NPS (Microsoft) server was using a GoDaddy certificate
while my freeradius server was using a self-signed cert.
As soon as we dropped the self-signed certificate in the trusted cert store
of the laptop, machine authentication "just worked". As an aside, it also
looks like at some point windows has stopped displaying any information
about the certificate presented for wireless authentication except for the
thumbprint, which is a departure from older versions that displayed a lot
more information about it.
On Wed, Feb 19, 2020 at 7:52 AM Munroe Sollog <mus3@lehigh.edu> wrote:
> Interesting, thanks for the help.
>
> On Wed, Feb 19, 2020 at 4:00 AM Josef Vybíhal <josef.vybihal@gmail.com>
> wrote:
>
>> Hi,
>> if winbind works for you, the "machine auth" should too. When windows
>> supplicant is set to do machine auth, it uses username in form of
>> 'host/hostname.your.domain'. Internaly in AD, it's an object similar to
>> user account, with additional class(es). It has it's own samaccountname.
>> userprincipalname. Also it has password, which is changed by default every
>> 30 days (
>>
>> https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-password-process-2
>> ).
>>
>> Here is example machine auth request from debug log.
>> (0) Received Access-Request Id 114 from 172.24.254.250:32774 to
>> 172.24.1.6:1812 length 344
>> (0) User-Name = "host/PROBOOK.ABC.cz"
>> (0) Chargeable-User-Identity = 0x00
>> (0) Location-Capable = Civic-Location
>> (0) Calling-Station-Id = "20-10-7a-01-77-fe"
>> (0) Called-Station-Id = "3c-ce-73-6d-3a-50:ABC"
>> (0) NAS-Port = 1
>> (0) Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9"
>> (0) Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853"
>> (0) Cisco-AVPair = "mDNS=true"
>> (0) NAS-IP-Address = 172.25.100.100
>> (0) NAS-Identifier = "CT2504_100.100"
>> (0) Airespace-Wlan-Id = 1
>> (0) Service-Type = Framed-User
>> (0) Framed-MTU = 1300
>> (0) NAS-Port-Type = Wireless-802.11
>> (0) Tunnel-Type:0 = VLAN
>> (0) Tunnel-Medium-Type:0 = IEEE-802
>> (0) Tunnel-Private-Group-Id:0 = "666"
>> (0) EAP-Message = 0x...
>> (0) Message-Authenticator = 0x...
>>
>> Run your radiusd in radiusd -X and set windows to do machine auth, and you
>> will see something similar as above.
>>
>>
>> The in post-auth you can for example do some checking like
>> if ( &User-Name =~ /^host\/.*$/) {
>> update reply {
>> ...
>> }
>> ...
>>
>>
>> Hope that helps,
>>
>> P.
>>
>>
>>
>>
>> On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3@lehigh.edu> wrote:
>>
>> > I am trying to replace our current Microsoft NPS server with
>> freeradius. I
>> > was able to follow the docs and use winbind to get PEAP-mschap user
>> > authentication working flawlessly. The last piece of this puzzle is,
>> NPS
>> > has a "magic checkbox" that enables machine-based authentication. I
>> have
>> > been trying to figure out what that checkbox does, without much luck.
>> >
>> > My best guess is that it's using the Active Directory certificates to do
>> > EAP-TLS auth, but that is just my guess. Has anyone ever tried to
>> > replicate this feature? or have any insight? I realize this isn't
>> strictly
>> > a freeradius question, but thought I would ask.
>> >
>> >
>> >
>> > --
>> > Munroe Sollog
>> > Senior Network Engineer
>> > munroe@lehigh.edu
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe@lehigh.edu
>
--
Munroe Sollog
Senior Network Engineer
munroe@lehigh.edu
participants (3)
-
Jorge Pereira -
Josef Vybíhal -
Munroe Sollog