Confused with FreeRadius + Win2000 + Linksys + EAP + Certs
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Tue Aug 8 15:32:27 CEST 2006
> Hm, that's bad. Is it on the roadmap? I have seen a Howto for generating
> certs and switching eap-type to tls on freeradius?
Yes, Windows hosts can be authenticated with EAP-TLS by choosing
something like "SmartCard or certificate" under the Authentication tab
of the adapter properties.
> How can the PC be authenticated, even if the user is not? We have a
> lot of student PCs in a pool, but the students have no individual
> account. I want to protect the Ethernet ports against plugging in
> another computer not verified by us. How can this be achieved?
You want a certificate per host and not a certificate per user.
I use the following procedure to enable Host EAP-TLS authentication:
* Set the "HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode"
value to 2 in the Windows registry. This means:
"Computer authentication is performed when the wireless client computer is
started. User authentication is never performed."
See http://www.microsoft.com/technet/itsolutions/network/wifi/wififaq.mspx
* Create a certificate per host:
- CN must contain the NetBIOS name of the PC
- the extension SubjectAltName must contain the NetBIOS name of the PC
(I think)
- The field Extended Key Usage must contain the option 'TLS Web Client
Authentication' (OID 1.3.6.1.5.5.7.3.2)
- Note that the Radius server's certificate must contain the
1.3.6.1.5.5.7.3.1 extension
- The certificate can be exported into a PKCS12 file (.p12); this
includes the private key. The certificate MUST be installed in the
HOST CERTIFICATE STORE (simply double-clicking the file will NOT work): run
'mmc' and add the snap-in 'Certificates > Local Computer', then import the
.p12 file into the private folder and the CA certificate into the Trusted
Root CA folder.
Authentication will use the following username: the string 'Host/'
concatenated with the NetBIOS name of the host. For instance, if the
NetBIOS name is MYPC, use the following rule format in the raddb/users
file:
Host/MYPC CheckItems, ...
        ReplyAttributes...,
        ReplyAttributes...,
        Fall-Through = no
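As an added example (not part of the original post or of the FreeRADIUS project), the following sh script builds the artifacts the procedure above describes: a lab CA, a RADIUS server certificate carrying the serverAuth EKU (1.3.6.1.5.5.7.3.1), one client certificate per host carrying the clientAuth EKU (1.3.6.1.5.5.7.3.2) with the NetBIOS name in both CN and SubjectAltName, the .p12 bundle for the Local Computer store, the AuthMode=2 .reg fragment, and a raddb/users entry keyed on Host/NETBIOSNAME. It assumes the openssl CLI is installed; the host name MYPC, the server name radius.lab.example, the VLAN id, and the .p12 passphrase are constructed sample values, and the VLAN reply attributes are only one possible set of reply items. The check functions grep the textual extension names that openssl prints, which is how a practitioner verifies a certificate before rolling it out.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
# All names, the VLAN id and the passphrase are constructed sample values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # constructed; use a real passphrase for real bundles

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Lab Host CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a CA-signed certificate; $3 is the x509 extension file content.
issue_cert() {
  name="$1"; subj="$2"; exts="$3"
  printf '%b\n' "$exts" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" 2>/dev/null
}

# RADIUS server certificate: EKU serverAuth (1.3.6.1.5.5.7.3.1).
make_server_cert() {
  issue_cert server "/CN=radius.lab.example" \
    "extendedKeyUsage = serverAuth\nsubjectAltName = DNS:radius.lab.example"
}

# One certificate per host: NetBIOS name in CN and SAN, EKU clientAuth
# (1.3.6.1.5.5.7.3.2), then a PKCS#12 bundle (cert + key + CA) for the
# Local Computer certificate store.
make_host_cert() {
  netbios="$1"
  issue_cert "$netbios" "/CN=$netbios" \
    "extendedKeyUsage = clientAuth\nsubjectAltName = DNS:$netbios"
  openssl pkcs12 -export -inkey "$WORK/$netbios.key" -in "$WORK/$netbios.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$P12_PASS" -out "$WORK/$netbios.p12"
}

# Pre-rollout checks: openssl prints the EKU purposes by their text names.
cert_has_client_auth() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'; }
cert_has_server_auth() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; }
cert_san_has_name()    { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# The EAP identity Windows sends for machine (host) authentication.
eap_host_identity() { printf 'Host/%s' "$1"; }

# Append a raddb/users entry for the host. No check items are needed for
# EAP-TLS; the reply items here (constructed) place the port in VLAN $2.
write_users_entry() {
  printf '%s\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-Id = "%s",\n\tFall-Through = no\n\n' \
    "$(eap_host_identity "$1")" "$2" >> "$WORK/users"
}

# Registry fragment for the first step: AuthMode = 2 (computer auth only).
write_authmode_reg() {
  printf 'Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EAPOL\\Parameters\\General\\Global]\n"AuthMode"=dword:00000002\n' \
    > "$WORK/authmode.reg"
}

if command -v openssl >/dev/null 2>&1; then
  make_ca
  make_server_cert
  make_host_cert MYPC
  write_users_entry MYPC 20
  write_authmode_reg
  echo "artifacts written to $WORK"
else
  echo "openssl not found; nothing generated" >&2
fi
```

Run it once per host name (`sh script.sh`, editing the `make_host_cert` and `write_users_entry` calls, or wrapping them in a loop over a host list); import the generated .p12 through mmc as the post describes, apply authmode.reg on the client, and merge the `users` fragment into raddb/users.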
There might be other solutions, but at least this is how it works for us...
HTH,
Thibault