Windows Client Authentication before Domain logon

Guy Davies Guy.Davies at telindus.co.uk
Fri Sep 2 11:36:46 CEST 2005


Hi,
 
I use Funk Odyssey.  It works really well with EAP-TTLS/PAP.  We use an
LDAP connection to our AD Global Catalogs to just query the validity of
the user credentials and obtain the memberOf attributes.
 
The Odyssey GINA module seems pretty reliable.
 
Rgds,
 
Guy

	-----Original Message-----
	From: freeradius-users-bounces at lists.freeradius.org [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Jérémy Cluzel
	Sent: 02 September 2005 00:37
	To: freeradius-users at lists.freeradius.org
	Subject: RE: Windows Client Authentication before Domain logon

	Hi Guy,

	Do you know of working supplicants with a GINA module? Aegis? SecureW2?

	Regards,

	Jeremy

	freeradius-users-request at lists.freeradius.org wrote:

		Date: Thu, 1 Sep 2005 17:10:14 +0100
		From: "Guy Davies" <Guy.Davies at telindus.co.uk>
		Subject: RE: Windows Client Authentication before Domain logon
		To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
		Message-ID: <A00F4E8D8C7E8847A8ABFFE22F48033701B3692A at tuk1mx1.telindus.intra>
		Content-Type: text/plain; charset="iso-8859-1"
		
		Hi Marc,

		The only way to do this with the supplicant included with XP is to use machine auth.  This must use the same method used by the individual (i.e. EAP-TLS or PEAP/MS-CHAPv2).

		There is a checkbox that says something like "Use machine credentials if available".  Check that and the machine will authenticate before the user.  Once the user authenticates, the machine auth is killed and the user's auth is used.  This requires that the machine has either a PEAP/MS-CHAPv2 username/password or an EAP-TLS certificate.  These are stored in AD, so you have to back off your request to AD.  If you want to do that for PEAP/MS-CHAPv2, you'll need NTLM access to the AD server; LDAP won't do because it can't get the cleartext password (unless it is replicated to a non-standard attribute).

		A better method, in my experience, is to use a supplicant with a GINA module.  That stops the Windows login process immediately after the user has entered the credentials, takes the user's credentials and uses them to log in to the network, then returns control to the Windows login process.  This doesn't require any authentication of the machine.

		Regards,

		Guy

			-----Original Message-----
			From: freeradius-users-bounces at lists.freeradius.org [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Marc-Henri Boisis-delavaud
			Sent: 01 September 2005 15:19
			To: FreeRadius users mailing list
			Subject: Re: Windows Client Authentication before Domain logon

			On 31 Aug 05 at 18:53, Alan DeKok wrote:

				Jérémy Cluzel <j.cluzel at online.fr> wrote:
				
				      

				Sorry, but I didn't find any references to this OID in the creation scripts in the "scripts" directory (Ca.all, CA.certs...).  The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in "xpextensions").  Is there any way to do this without patching openssl (as explained at http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?
				
				        

				  You can use that OID just like the other ones.

				  Alan DeKok.
				-
				List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

			Can you explain how we can activate 802.1x authentication before logon on XP?  And what are the prerequisites?
			Marc
		
		This e-mail is private and may be confidential and is for the intended recipient only.  If misdirected, please notify us by telephone and confirm that it has been deleted from your system and any copies destroyed.  If you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it.  We use reasonable endeavours to virus scan all e-mails leaving the Company but no warranty is given that this e-mail and any attachments are virus free.  You should undertake your own virus checking.  The right to monitor e-mail communications through our network is reserved by us.

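The two extended-key-usage OIDs named in the quoted thread, 1.3.6.1.5.5.7.3.1 (serverAuth) and 1.3.6.1.5.5.7.3.2 (clientAuth), travel inside a certificate as a DER SEQUENCE OF OBJECT IDENTIFIER. The following is an added example, not code from the thread or from FreeRADIUS: a stdlib-only Python codec for that extension value, so the EKU pulled from a client certificate can be checked for the clientAuth OID that xpextensions exists to add. The constant names, helper functions and sample bytes are constructed here.

```python
# Added example (not from the thread or FreeRADIUS): stdlib-only DER codec for the EKU value.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, as added by xpextensions
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, as added by xpextensions

def _base128(n):  # one OID sub-identifier: high bit set on all but the last byte
    out = [n & 0x7F]
    while n >> 7:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def _tlv(tag, content):  # DER tag/length/value; short-form length is enough for an EKU
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, pos):  # returns (tag, content, position just after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, _base128(40 * a[0] + a[1]) + b"".join(map(_base128, a[2:])))

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this sub-identifier; the first one packs two arcs
            arcs.extend(((2, value - 80) if value >= 80 else divmod(value, 40)) if not arcs else (value,))
            value = 0
    return ".".join(map(str, arcs))

def encode_eku(oids):
    return _tlv(0x30, b"".join(map(encode_oid, oids)))

def decode_eku(der):
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids

def has_client_auth(der):  # the EKU check an XP client certificate has to pass
    return CLIENT_AUTH in decode_eku(der)
```

Feed it the raw value of the extKeyUsage extension (not the whole certificate); a server certificate carrying only 1.3.6.1.5.5.7.3.1 correctly fails the client check.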
