Two different user-names while using computer authentification with client certificate
Hi! I have a question just for my understanding. I installed a Radius client certificate (RadiusClient) on a Win10 client and enabled user authentification on this WLAN profile. This all works fine. Just for my education I switched the client WLAN profile to computer (!) authentification (instead of user), just to see what will happen with freeradius. First thing I saw is: (7) Received Access-Request Id 152 from 192.168.188.45:37569 to 192.168.188.50:1812 length 226 (7) User-Name = "host/RadiusClient" (7) NAS-IP-Address = 192.168.1.245 (7) NAS-Port = 0 (7) Called-Station-Id = "88-90-8D-42-55-70:ciscosb" So User-Name changed from RadiusClient to host/RadiusClient which I understood. But later in the same session I saw: 7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - host/DESKTOP-FLOQN5Q (7) eap_peap: Got inner identity 'host/DESKTOP-FLOQN5Q' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0207001901686f73742f4445534b544f502d464c4f514e3551 (7) eap_peap: Setting User-Name to host/DESKTOP-FLOQN5Q (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0207001901686f73742f4445534b544f502d464c4f514e3551 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "host/DESKTOP-FLOQN5Q" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0207001901686f73742f4445534b544f502d464c4f514e3551 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "host/DESKTOP-FLOQN5Q" Now the User-Name is the real PC hostname "host/DESKTOP-FLOQN5Q". So it seems the outer and the inner tunnel see different User-Names. Is this on intention? Any chance to have one User-Name only, e.g. the client certificate name: RadiusClient. Thanks Uwe
On Jan 28, 2020, at 9:36 AM, uj2.hahn@posteo.de wrote:
I have a question just for my understanding. I installed a Radius client certificate (RadiusClient) on a Win10 client and enabled user authentification on this WLAN profile. This all works fine.
That's good.
Just for my education I switched the client WLAN profile to computer (!) authentification (instead of user), just to see what will happen with freeradius.
FreeRADIUS just processes packets it receives. It does NOT create those packets, or any information in them.
Now the User-Name is the real PC hostname "host/DESKTOP-FLOQN5Q". So it seems the outer and the inner tunnel see different User-Names. Is this on intention?
Ask Microsoft how their software works. FreeRADIUS just reports on what it sees. It does not (and can not) cause the Windows system to send different User-Names.
Any chance to have one User-Name only, e.g. the client certificate name: RadiusClient.
Ask Microsoft how to configure their software. If you receive an email from someone, you're not responsible for the contents. The sender is responsible. The same applies here. Alan DeKok.
On 28 Jan 2020, at 09:54, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 28, 2020, at 9:36 AM, uj2.hahn@posteo.de wrote:
I have a question just for my understanding. I installed a Radius client certificate (RadiusClient) on a Win10 client and enabled user authentification on this WLAN profile. This all works fine.
That's good.
Just for my education I switched the client WLAN profile to computer (!) authentification (instead of user), just to see what will happen with freeradius.
FreeRADIUS just processes packets it receives. It does NOT create those packets, or any information in them.
Now the User-Name is the real PC hostname "host/DESKTOP-FLOQN5Q". So it seems the outer and the inner tunnel see different User-Names. Is this on intention?
Ask Microsoft how their software works.
FreeRADIUS just reports on what it sees. It does not (and can not) cause the Windows system to send different User-Names.
In this instance "host/RadiusClient" comes from the EAP-Identity-Response packet sent by the Windows device just as it's starting 802.1X authentication, and "host/DESKTOP-FLOQN5Q" is the identity received within the TLS protected inner-tunnel of the PEAP protocol. Looks like the Windows 10 supplicant is implementing identity privacy for host authentication, and that's why the first (unprotected) identity is generic, and the second (protected) identity is specific to the host. You can likely control the unprotected identity by configuring a specific anonymous outer identity in the supplicant. That option used to be there for user-based authentication, not sure if it still exists or is configurable for host-based authentication. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, Arran and Alan! You were both right. I found a setting in Win10 WLAN profile which defines a generic username (RadiusClient) which was used for the outer tunnel. The inner tunnel used the real hostname (host/DESKTOP-FLOQN5Q). Once I cleared the RadiusClient field both tunnels reported the real hostname. The plan is to setup some school owned Win10 clients (in opposite to private devices) in a way they can connect to WLAN automatically w/o user/passwd setting. This is already working with user-based authentication and client certs. As an alternative way I like to try host-based authentication. This would probably work when I add each hostname to AD which is a lot of work. Do you think there is a way to use the anonymous outer identity name (RadiusClient) for authorization? In that case each of these clients can have the same anonymous outer identity name. This would minimize maintenance for new devices. Thanks Uwe Am 28.01.2020 19:36 schrieb Arran Cudbard-Bell:
On 28 Jan 2020, at 09:54, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 28, 2020, at 9:36 AM, uj2.hahn@posteo.de wrote:
I have a question just for my understanding. I installed a Radius client certificate (RadiusClient) on a Win10 client and enabled user authentification on this WLAN profile. This all works fine.
That's good.
Just for my education I switched the client WLAN profile to computer (!) authentification (instead of user), just to see what will happen with freeradius.
FreeRADIUS just processes packets it receives. It does NOT create those packets, or any information in them.
Now the User-Name is the real PC hostname "host/DESKTOP-FLOQN5Q". So it seems the outer and the inner tunnel see different User-Names. Is this on intention?
Ask Microsoft how their software works.
FreeRADIUS just reports on what it sees. It does not (and can not) cause the Windows system to send different User-Names.
In this instance "host/RadiusClient" comes from the EAP-Identity-Response packet sent by the Windows device just as it's starting 802.1X authentication, and "host/DESKTOP-FLOQN5Q" is the identity received within the TLS protected inner-tunnel of the PEAP protocol.
Looks like the Windows 10 supplicant is implementing identity privacy for host authentication, and that's why the first (unprotected) identity is generic, and the second (protected) identity is specific to the host.
You can likely control the unprotected identity by configuring a specific anonymous outer identity in the supplicant. That option used to be there for user-based authentication, not sure if it still exists or is configurable for host-based authentication.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 29, 2020, at 10:32 AM, uj2.hahn@posteo.de wrote:
I found a setting in Win10 WLAN profile which defines a generic username (RadiusClient) which was used for the outer tunnel. The inner tunnel used the real hostname (host/DESKTOP-FLOQN5Q). Once I cleared the RadiusClient field both tunnels reported the real hostname.
That's good.
The plan is to setup some school owned Win10 clients (in opposite to private devices) in a way they can connect to WLAN automatically w/o user/passwd setting. This is already working with user-based authentication and client certs.
OK.
As an alternative way I like to try host-based authentication. This would probably work when I add each hostname to AD which is a lot of work. Do you think there is a way to use the anonymous outer identity name (RadiusClient) for authorization? In that case each of these clients can have the same anonymous outer identity name. This would minimize maintenance for new devices.
The outer name can be anonymous, and can be the same for many machines. The rest of the RADIUS packet contains MAC addresses, which lets you distinguish between machines, if you need that. Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
uj2.hahn@posteo.de