Windows Client Authentication before Domain logon

Armin Krämer Kraemer.Armin at web.de
Tue Aug 23 13:49:40 CEST 2005



Hi, thanks for your email!

Ok, I tried it out but I have some problems. If I use the DWORD string you sent me it has no effect. I found another DWORD key called "AuthMode", and with this DWORD it only tries to authenticate with the machine account. Maybe you made a typing mistake in your email?? Ok, but my problem is that when it tries to authenticate with the computer account, I see in the radius debugging mode that it only tried to use the default entry in the users file and not the "Client3" entry. It seems that it does not find the right computer certificate, or FreeRADIUS does not find the right entry in its users file???

This is the output from freeradius -X -A when the DWORD "AuthMode" is set to 2:


Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"
 tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"
 tls: CA_file = "/etc/ssl/certs/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/ssl/certs/dh"
 tls: random_file = "/etc/ssl/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120
 NAS-IP-Address = 10.40.0.254
 NAS-Port-Type = Ethernet
 Service-Type = Framed-User
 Message-Authenticator = 0x8e013b02cf39c8b291f8a9d790f3bd6a
 NAS-Port = 8
 Framed-MTU = 1490
 User-Name = "host/Client3"
 Calling-Station-Id = "00-10-5A-F7-F0-BA"
 EAP-Message = 0x02ff001101686f73742f436c69656e7433
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
 rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL
 rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: EAP packet type response id 255 length 17
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
 users: Matched entry DEFAULT at line 181
 users: Matched entry DEFAULT at line 200
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password: Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 103 to 10.40.0.254:1024
 Framed-IP-Address = 255.255.255.254
 Framed-MTU = 576
 Service-Type = Framed-User
 EAP-Message = 0x010000060d20
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x1814a65439afaa74487aa379af48ead9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 103 with timestamp 430b0c7e
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120
 NAS-IP-Address = 10.40.0.254
 NAS-Port-Type = Ethernet
 Service-Type = Framed-User
 Message-Authenticator = 0xe3868d2de84c592e7e54eb355b23752f
 NAS-Port = 8
 Framed-MTU = 1490
 User-Name = "host/Client3"
 Calling-Station-Id = "00-10-5A-F7-F0-BA"
 EAP-Message = 0x0201001101686f73742f436c69656e7433
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
 rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL
 rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 1
 rlm_eap: EAP packet type response id 1 length 17
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 1
 users: Matched entry DEFAULT at line 181
 users: Matched entry DEFAULT at line 200
 modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
 rad_check_password: Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1


FreeRadius users mailing list <freeradius-users at lists.freeradius.org> wrote on 23.08.05 09:15:13:




At 16:26 22/08/05, you wrote:
>Hi, I successfully installed a RADIUS-authenticated network with EAP-TLS
>authentication. But I can't get a logon to my Domain Controller when
>the machines boot up. Ok, I know this problem is not new, but is there any
>chance to solve this problem without additional software like AEGIS?? Or is
>there other software for Windows XP and/or 2000 which is free from
>license? And is it possible to set a default VLAN group where the Domain
>Controller exists and all clients firstly get in and later change the
>VLAN ID??? Would this be possible and how would it work?
>
>Greetings Armin

I have managed to do this by three different routes.

1. Use the Microsoft built-in wireless client. To do this you need to use 
mmc and the certificate plug-in to install a CA certificate & personal 
certificate for the local machine. Create a wireless profile in XP which 
connects to your network using the CA certificate you installed. Then add a 
DWORD registry entry AuthType with a value of 2 to 
HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global. This causes XP to 
use the machine account to authenticate to the network. This only uses the 
machine account to authenticate against the network; at no time does it use 
the user's account. Other values to use are 0 - Use the default XP 
authentication, 1 - Always perform user authentication when a user logs on, 
2 - Perform computer authentication only.

2. As above, but don't add the registry entry. This time the machine will 
authenticate itself to the network before logon, which allows the computer 
to see the network and the domain. Once the user logs on to the domain the 
connection is lost and the user account is then used to authenticate 
against the network. The problem here is that unless the user also has a 
valid personal certificate the authentication fails. This means going round 
to each user and installing a certificate, unless you can do it via Active 
Directory; we are using a Samba PDC here so that is not possible. I decided 
against this option with having 1500 potential users.

3. If you are using Intel wireless cards, download the full version of the 
ProSet drivers; mine were 2200BG. This allows for different profiles which 
work as the machine before logon, or during logon to validate the user 
against the network. It also adds TTLS as well as TLS. There is a problem 
with this software if you are using roaming profiles. During logoff the 
network connection is dropped and it is impossible to upload the profile to 
the servers. According to Intel this is a known problem and at this time 
they have not replied to say if there is going to be a fix for it. This 
method worked very well up to the point of saving the profile; it is also 
much easier to distribute the settings to other machines using the profile 
import feature the ProSet drivers provide.

Steve Atkinson
Deputy Network Manager

Fallibroome High School
Priory Lane
Macclesfield
Cheshire
SK10 4AF

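An added example, not from the thread or from the FreeRADIUS project: it reads the radiusd -X output quoted above, flags requests where the users file only matched DEFAULT entries, and compares the request's User-Name against a constructed users file. The log excerpt and users file are constructed from the values in the thread (the supplicant sends "host/Client3", while the expected entry is keyed "Client3").

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the thread.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120
 NAS-IP-Address = 10.40.0.254
 User-Name = "host/Client3"
 Calling-Station-Id = "00-10-5A-F7-F0-BA"
 users: Matched entry DEFAULT at line 181
 users: Matched entry DEFAULT at line 200
 rad_check_password: Found Auth-Type EAP
"""

# Constructed users file: the poster's entry is keyed on the bare host name,
# but the Windows supplicant sends the machine identity as "host/<name>".
USERS_FILE = ["Client3  Auth-Type := EAP", "DEFAULT  Auth-Type := EAP"]

def parse_debug(text):
    """Split radiusd -X output into requests: attributes plus matched users entries."""
    requests = []
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            requests.append({"attrs": {}, "matched": []})
        elif not requests:
            continue
        elif m := re.match(r'\s+users: Matched entry (\S+) at line (\d+)', line):
            requests[-1]["matched"].append(m.group(1))
        elif m := re.match(r'\s+([\w-]+) = "?([^"]*)"?$', line):
            requests[-1]["attrs"][m.group(1)] = m.group(2)
    return requests

def users_entry_names(users_file):
    """First field of each users-file line is the name rlm_files compares to User-Name."""
    return [l.split()[0] for l in users_file if l.strip() and not l.startswith("#")]

def diagnose(text, users_file):
    """Return (User-Name, near-miss entries) for requests that hit only DEFAULT entries."""
    names = users_entry_names(users_file)
    findings = []
    for req in parse_debug(text):
        user = req["attrs"].get("User-Name", "")
        if user and req["matched"] and all(e == "DEFAULT" for e in req["matched"]):
            # rlm_files compares the whole User-Name string, so the entry "Client3"
            # is never selected for a request carrying "host/Client3".
            near = [n for n in names if n != "DEFAULT" and n != user and n in user]
            findings.append((user, near))
    return findings
```

A near-miss entry in the output means the users file key and the identity the supplicant sends differ, so the request falls through to DEFAULT before the per-host entry is ever considered.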

