eap-peap username/password problem
i have implemented eap-peap using freeradius-2.1.1. i am using windows XP machines as clients. when users try to connect to server using the peap protocol,they are asked for their username and password. my problem is that once the users are connected to the server,they are not asked for a username/password when they try to connect after logging out of the network.the username/password that was used to connect to network initially, is used automatically for subsequent purposes to connect to the network. is it a problem of the XP clients?or is the radius server caching all the requests so that the next time no username/password is required?is there any way so that the users are asked for a username/password every time they want to connect after disconnecting(logging out)? -- View this message in context: http://www.nabble.com/eap-peap-username-password-problem-tp23915126p23915126... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
my problem is that once the users are connected to the server,they are not asked for a username/password when they try to connect after logging out of the network.the username/password that was used to connect to network initially, is used automatically for subsequent purposes to connect to the network.
correct. Windows caches the EAPOL credentials for that network after a successful connection. you could have a logout script that wipes the EAPOL stuff.. REGEDIT4 [-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo] alan
hi alan,
Windows caches the EAPOL credentials for that network after a successful connection. Thanks for confirming,I had thought so.
I would like to inform you that i am working on the server side and not the client side.Hence it is not feasible to change the registry entry of every client.
you could have a logout script that wipes the EAPOL stuff.. is there any way to write this logout script at the server side and execute it at the client? Also,is there any other way so that the client is asked his username/password every time he tries to connect to the network? Is there any change to be made to the eap.conf file in the tls{} cache{} section so that this problem may be solved?
The relevant portion of my eap.conf file is: # # Session resumption / fast reauthentication # cache. # cache { # # Enable it. The default is "no". # Deleting the entire "cache" subsection # Also disables caching. # # You can disallow resumption for a # particular user by adding the following # attribute to the control item list: # # Allow-Session-Resumption = No # # If "enable = no" below, you CANNOT # enable resumption for just one user # by setting the above attribute to "yes". # enable = no # # Lifetime of the cached entries, in hours. # The sessions will be deleted after this # time. # lifetime = 1 # hours # # The maximum number of entries in the # cache. Set to "0" for "infinite". # # This could be set to the number of users # who are logged in... which can be a LOT. # max_entries = 255 } 2009/6/8 <A.L.M.Buxey@lboro.ac.uk>
Hi,
my problem is that once the users are connected to the server,they are not asked for a username/password when they try to connect after logging out of the network.the username/password that was used to connect to network initially, is used automatically for subsequent purposes to connect to the network.
correct. Windows caches the EAPOL credentials for that network after a successful connection.
you could have a logout script that wipes the EAPOL stuff..
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tough times dont last,Tough People Do.
Hi,
I would like to inform you that i am working on the server side and not the client side.Hence it is not feasible to change the registry entry of every client.
oh dear. you cant control the clients - the clients need to be changed, sorted etc. other supplicants can be configured to always ask.
The relevant portion of my eap.conf file is:
thats not relevant - all that does is cache the PEAP session so as to enable a very fast resumption with no need to go into all the inner stuff again. if you feel unhappy about it you can disable the server TLS caching (as you currently have it configured) but that isnt going to fix how the clients behave. alan
hi alan, thanks again. I your previous reply, you had asked me to change the registry entry of the client.
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]
I have found the relevant entry in the registry.But i am not able to understand what *change* should be made to this entry.Could you please tell me a bit more in detail? 2009/6/8 <A.L.M.Buxey@lboro.ac.uk>
Hi,
I would like to inform you that i am working on the server side and not the client side.Hence it is not feasible to change the registry entry of every client.
oh dear. you cant control the clients - the clients need to be changed, sorted etc. other supplicants can be configured to always ask.
The relevant portion of my eap.conf file is:
thats not relevant - all that does is cache the PEAP session so as to enable a very fast resumption with no need to go into all the inner stuff again. if you feel unhappy about it you can disable the server TLS caching (as you currently have it configured) but that isnt going to fix how the clients behave.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tough times dont last,Tough People Do.
Hi, ---- REGEDIT4 [-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo] ----
I have found the relevant entry in the registry.But i am not able to understand what *change* should be made to this entry.Could you please tell me a bit more in detail?
that bit i sent can be saved as a plain text file with a .reg extension and then run - all it does is delete the UserEapInfo key which holds the cached information. alan
On 8/6/09 12:49, devesh gade wrote:
hi alan,
Windows caches the EAPOL credentials for that network after a successful connection. Thanks for confirming,I had thought so.
I would like to inform you that i am working on the server side and not the client side.Hence it is not feasible to change the registry entry of every client.
you could have a logout script that wipes the EAPOL stuff.. is there any way to write this logout script at the server side and execute it at the client? Also,is there any other way so that the client is asked his username/password every time he tries to connect to the network? Is there any change to be made to the eap.conf file in the tls{} cache{} section so that this problem may be solved?
No. That section has absolutely nothing to do with credential caching. As stated it controls *session* caching which is something completely different, and should only be enabled to allow rapid re-authentication. Nothing you can do server side will stop the supplicant using cached credentials, other than issuing a reject every other authentication attempt (and this only works with windows, and not reliably); or using an OTP system like the RSA SecurID tokens. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
devesh gade -
kalesameer