Windows Client Authentication before Domain logon

Ben Walding ben.walding at gmail.com
Thu Aug 25 00:54:45 CEST 2005


You may need to add some extra configuration to your hints file:

# Wireless XP devices prefix the user name with host/
DEFAULT Prefix == "host/"
Hint = "Wireless-Workstation"


As far as I understand it, that will chop the host/ off for certain types of 
processing. I'm sure Alan will brutally correct me if I'm misleading you 
though :)

I've personally found the XP 802.1X w. EAP/TLS to be a bit finicky to get 
working - however an enterprise deployment I've been involved in has managed 
to get it working reliably using FreeRADIUS and the Windows wireless stack. 
There are some tricks to making machine certs get detected reliably on 
Windows using undocumented attributes in the certificate. We use a custom CA 
and custom enrollment applications to get the certificates loaded quickly 
and correctly onto the machines / PDAs.

Cheers,

Ben
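As an added illustration (not code from the thread or from FreeRADIUS itself) of what the hints entry above changes, the following Python mimics how the `Prefix == "host/"` rule turns `host/Client3` into a Stripped-User-Name that a named users-file entry can match instead of falling through to DEFAULT; the users-file entries and the matching order are assumptions.

```python
"""Simulate a FreeRADIUS 1.x hints entry such as
    DEFAULT Prefix == "host/"
            Hint = "Wireless-Workstation"
Added example mimicking rlm_preprocess/rlm_files; not FreeRADIUS code."""
import re

# Constructed sample: attribute lines taken from the Access-Request in the thread.
SAMPLE_REQUEST = """\
NAS-IP-Address = 10.40.0.254
NAS-Port-Type = Ethernet
Service-Type = Framed-User
User-Name = "host/Client3"
Calling-Station-Id = "00-10-5A-F7-F0-BA"
"""

# Assumed users-file entries: one per machine account plus the catch-all DEFAULT.
USERS_FILE = ["Client3", "Client5", "DEFAULT"]

def parse_request(text):
    """Turn 'Attribute = value' debug lines into a dict, dropping quotes."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def apply_hints(attrs, prefix="host/", hint="Wireless-Workstation"):
    """Emulate 'Prefix == "host/"': on a match the prefix is cut off, the rest
    is stored as Stripped-User-Name and the Hint reply item is set."""
    name = attrs.get("User-Name", "")
    if name.startswith(prefix):
        attrs["Stripped-User-Name"] = name[len(prefix):]
        attrs["Hint"] = hint
    return attrs

def users_lookup(attrs, users=USERS_FILE):
    """rlm_files keys on Stripped-User-Name when present, else User-Name,
    and falls back to DEFAULT when no named entry matches (assumed order)."""
    key = attrs.get("Stripped-User-Name") or attrs.get("User-Name")
    return key if key in users else "DEFAULT"

def lookup_with_and_without_hints(text):
    """Return (entry matched without the hints rule, entry matched with it)."""
    raw = parse_request(text)
    return users_lookup(dict(raw)), users_lookup(apply_hints(dict(raw)))

if __name__ == "__main__":
    print(lookup_with_and_without_hints(SAMPLE_REQUEST))  # ('DEFAULT', 'Client3')
```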



On 8/25/05, Armin Krämer <Kraemer.Armin at web.de> wrote:
> 
> Ok, the whole day I tried to get it to work, but this time when I install 
> the certificate as a machine certificate the RADIUS authentication log 
> ends up with the log below.
> 
> The certificates were generated with OpenSSL and all works fine as user 
> certificates but not as computer certificates. I set the registry patch which 
> was described in the mailing list to a value of 2. 
> 
> If anyone knows why this doesn't work please mail me. 
> 
> rad_recv: Access-Request packet from host 10.40.0.254:1024, id=125, length=120
> NAS-IP-Address = 10.40.0.254
> NAS-Port-Type = Ethernet
> Service-Type = Framed-User
> Message-Authenticator = 0x75b32a36b118137416c352ac114ec00c
> NAS-Port = 8
> Framed-MTU = 1490
> User-Name = "host/Client5"
> Calling-Station-Id = "00-10-5A-F7-F0-BA"
> EAP-Message = 0x02ff001101686f73742f436c69656e7435
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "host/Client5", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 255 length 17
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry DEFAULT at line 181
> users: Matched entry DEFAULT at line 200
> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 125 to 10.40.0.254:1024
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x010000060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x3409168c713d79e19e09bf2f2ab092c9
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 125 with timestamp 430c8459
> Nothing to do. Sleeping until we see a request.
> 
> FreeRadius users mailing list <freeradius-users at lists.freeradius.org> 
> wrote on 24.08.05 09:52:57:
> 
> 
> At 12:49 23/08/05, you wrote:
> 
> >Hi, thanks for your email!
> >
> >Ok, I tried it out but I have some problems. If I use the DWORD string you 
> >sent me it has no effect. I found another DWORD key which is called 
> >"AuthMode" and with this DWORD it only tries to authenticate with the 
> >machine account. Maybe you have made a typing mistake in your email??
> 
> Whoops - you are right, it was a typing mistake, it is AuthMode.
> 
> >Ok, but my problem is that when it tries to authenticate with the 
> >computer account I see in the RADIUS debugging mode that it only tried to 
> >use the default entry in the users file and not the "Client3" entry. It 
> >seems that it does not find the right computer certificate or 
> >FreeRADIUS does not find the right entry in its users file???
> 
> I am new to FreeRADIUS myself; in order to get my system working I followed 
> the instructions in these web pages: 
> http://www.linuxjournal.com/article/8017, 
> http://www.linuxjournal.com/article/8095, 
> http://www.linuxjournal.com/article/8151.
> 
> It does look like a certificates problem, but then I am very new to 
> FreeRADIUS and I spent a considerable amount of time adjusting settings to 
> make it work.
> 
> 
> >This is the output from freeradius -X -A when the DWORD "AuthMode" is set 
> >to 2
> >
> >
> >
> >Starting - reading configuration files ...
> >reread_config: reading radiusd.conf
> >Config: including file: /etc/freeradius/proxy.conf
> >Config: including file: /etc/freeradius/clients.conf
> >Config: including file: /etc/freeradius/snmp.conf
> >Config: including file: /etc/freeradius/eap.conf
> >Config: including file: /etc/freeradius/sql.conf
> > main: prefix = "/usr"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log/freeradius"
> > main: libdir = "/usr/lib/freeradius"
> > main: radacctdir = "/var/log/freeradius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/var/log/freeradius/radius.log"
> > main: log_auth = no
> > main: log_auth_badpass = no
> > main: log_auth_goodpass = no
> > main: pidfile = "/var/run/freeradius/freeradius.pid"
> > main: user = "freerad"
> > main: group = "freerad"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/sbin/checkrad"
> > main: proxy_requests = yes
> > proxy: retry_delay = 5
> > proxy: retry_count = 3
> > proxy: synchronous = no
> > proxy: default_fallback = yes
> > proxy: dead_time = 120
> > proxy: post_proxy_authorize = yes
> > proxy: wake_all_if_all_dead = no
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> >read_config_files: reading dictionary
> >read_config_files: reading naslist
> >Using deprecated naslist file. Support for this will go away soon.
> >read_config_files: reading clients
> >read_config_files: reading realms
> >radiusd: entering modules setup
> >Module: Library search path is /usr/lib/freeradius
> >Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> >rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> >Module: Instantiated exec (exec)
> >Module: Loaded expr
> >Module: Instantiated expr (expr)
> >Module: Loaded PAP
> > pap: encryption_scheme = "crypt"
> >Module: Instantiated pap (pap)
> >Module: Loaded CHAP
> >Module: Instantiated chap (chap)
> >Module: Loaded MS-CHAP
> > mschap: use_mppe = yes
> > mschap: require_encryption = no
> > mschap: require_strong = no
> > mschap: with_ntdomain_hack = no
> > mschap: passwd = "(null)"
> > mschap: authtype = "MS-CHAP"
> > mschap: ntlm_auth = "(null)"
> >Module: Instantiated mschap (mschap)
> >Module: Loaded System
> > unix: cache = no
> > unix: passwd = "(null)"
> > unix: shadow = "/etc/shadow"
> > unix: group = "(null)"
> > unix: radwtmp = "/var/log/freeradius/radwtmp"
> > unix: usegroup = no
> > unix: cache_reload = 600
> >Module: Instantiated unix (unix)
> >Module: Loaded eap
> > eap: default_eap_type = "tls"
> > eap: timer_expire = 60
> > eap: ignore_unknown_eap_types = no
> > eap: cisco_accounting_username_bug = no
> >rlm_eap: Loaded and initialized type md5
> >rlm_eap: Loaded and initialized type leap
> > gtc: challenge = "Password: "
> > gtc: auth_type = "PAP"
> >rlm_eap: Loaded and initialized type gtc
> > tls: rsa_key_exchange = no
> > tls: dh_key_exchange = yes
> > tls: rsa_key_length = 512
> > tls: dh_key_length = 512
> > tls: verify_depth = 0
> > tls: CA_path = "(null)"
> > tls: pem_file_type = yes
> > tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"
> > tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"
> > tls: CA_file = "/etc/ssl/certs/root.pem"
> > tls: private_key_password = "whatever"
> > tls: dh_file = "/etc/ssl/certs/dh"
> > tls: random_file = "/etc/ssl/certs/random"
> > tls: fragment_size = 1024
> > tls: include_length = yes
> > tls: check_crl = no
> > tls: check_cert_cn = "(null)"
> >rlm_eap: Loaded and initialized type tls
> > mschapv2: with_ntdomain_hack = no
> >rlm_eap: Loaded and initialized type mschapv2
> >Module: Instantiated eap (eap)
> >Module: Loaded preprocess
> > preprocess: huntgroups = "/etc/freeradius/huntgroups"
> > preprocess: hints = "/etc/freeradius/hints"
> > preprocess: with_ascend_hack = no
> > preprocess: ascend_channels_per_line = 23
> > preprocess: with_ntdomain_hack = no
> > preprocess: with_specialix_jetstream_hack = no
> > preprocess: with_cisco_vsa_hack = no
> >Module: Instantiated preprocess (preprocess)
> >Module: Loaded realm
> > realm: format = "suffix"
> > realm: delimiter = "@"
> > realm: ignore_default = no
> > realm: ignore_null = no
> >Module: Instantiated realm (suffix)
> >Module: Loaded files
> > files: usersfile = "/etc/freeradius/users"
> > files: acctusersfile = "/etc/freeradius/acct_users"
> > files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
> > files: compat = "no"
> >Module: Instantiated files (files)
> >Module: Loaded Acct-Unique-Session-Id
> > acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
> > Client-IP-Address, NAS-Port"
> >Module: Instantiated acct_unique (acct_unique)
> >Module: Loaded detail
> > detail: detailfile = 
> > "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> > detail: detailperm = 384
> > detail: dirperm = 493
> > detail: locking = no
> >Module: Instantiated detail (detail)
> >Module: Loaded radutmp
> > radutmp: filename = "/var/log/freeradius/radutmp"
> > radutmp: username = "%{User-Name}"
> > radutmp: case_sensitive = yes
> > radutmp: check_with_nas = yes
> > radutmp: perm = 384
> > radutmp: callerid = yes
> >Module: Instantiated radutmp (radutmp)
> >Listening on authentication *:1812
> >Listening on accounting *:1813
> >Listening on proxy *:1814
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120
> > NAS-IP-Address = 10.40.0.254
> > NAS-Port-Type = Ethernet
> > Service-Type = Framed-User
> > Message-Authenticator = 0x8e013b02cf39c8b291f8a9d790f3bd6a
> > NAS-Port = 8
> > Framed-MTU = 1490
> > User-Name = "host/Client3"
> > Calling-Station-Id = "00-10-5A-F7-F0-BA"
> > EAP-Message = 0x02ff001101686f73742f436c69656e7433
> > Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 0
> > modcall[authorize]: module "preprocess" returns ok for request 0
> > modcall[authorize]: module "chap" returns noop for request 0
> > modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 0
> > rlm_eap: EAP packet type response id 255 length 17
> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > modcall[authorize]: module "eap" returns updated for request 0
> > users: Matched entry DEFAULT at line 181
> > users: Matched entry DEFAULT at line 200
> > modcall[authorize]: module "files" returns ok for request 0
> >modcall: group authorize returns updated for request 0
> > rad_check_password: Found Auth-Type EAP
> >auth: type "EAP"
> > Processing the authenticate section of radiusd.conf
> >modcall: entering group authenticate for request 0
> > rlm_eap: EAP Identity
> > rlm_eap: processing type tls
> > rlm_eap_tls: Requiring client certificate
> > rlm_eap_tls: Initiate
> > rlm_eap_tls: Start returned 1
> > modcall[authenticate]: module "eap" returns handled for request 0
> >modcall: group authenticate returns handled for request 0
> >Sending Access-Challenge of id 103 to 10.40.0.254:1024
> > Framed-IP-Address = 255.255.255.254
> > Framed-MTU = 576
> > Service-Type = Framed-User
> > EAP-Message = 0x010000060d20
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x1814a65439afaa74487aa379af48ead9
> >Finished request 0
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 6 seconds...
> >--- Walking the entire request list ---
> >Cleaning up request 0 ID 103 with timestamp 430b0c7e
> >Nothing to do. Sleeping until we see a request.
> >rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120
> > NAS-IP-Address = 10.40.0.254
> > NAS-Port-Type = Ethernet
> > Service-Type = Framed-User
> > Message-Authenticator = 0xe3868d2de84c592e7e54eb355b23752f
> > NAS-Port = 8
> > Framed-MTU = 1490
> > User-Name = "host/Client3"
> > Calling-Station-Id = "00-10-5A-F7-F0-BA"
> > EAP-Message = 0x0201001101686f73742f436c69656e7433
> > Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 1
> > modcall[authorize]: module "preprocess" returns ok for request 1
> > modcall[authorize]: module "chap" returns noop for request 1
> > modcall[authorize]: module "mschap" returns noop for request 1
> > rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 1
> > rlm_eap: EAP packet type response id 1 length 17
> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > modcall[authorize]: module "eap" returns updated for request 1
> > users: Matched entry DEFAULT at line 181
> > users: Matched entry DEFAULT at line 200
> > modcall[authorize]: module "files" returns ok for request 1
> >modcall: group authorize returns updated for request 1
> > rad_check_password: Found Auth-Type EAP
> >auth: type "EAP"
> > Processing the authenticate section of radiusd.conf
> >modcall: entering group authenticate for request 1
> >
> >
> 
> Fallibroome High School
> Priory Lane
> Macclesfield
> Cheshire
> SK10 4AF
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
> 
>