HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

john lists.john at gmail.com
Wed Jul 15 22:45:53 CEST 2009


Hi John thanks for taking the time to reply,

>
> Ask the question "Who are you authenticating?" or "What has permission to
> use the network?" Am I trying to restrict access to a specific set of users
> or am I trying to restrict access to a specific set of machines? If it's the
> latter does that mean anyone who sits down at that machine has access?
>

In this instance I am trying to the network so that only computers
which carry a credential are allowed to have port access. My users
credentials are managed via Active Directory and I am trying to avoid
issuing user certs if possible. More specifically we have a number of
computer labs where users are in the habit of bringing in computers
from home and plugging in; I'd like to prevent this. So what I am
hoping to find out is that I can create a cert with the FQDN of the
computer. Install it on the computer itself, and have the computer
negotiate via the NAS with free-radius for access. I hope this process
is completely transparent to the user.



> In a very very simplified view a certificate is nothing more than a
> password. Would you give the same password to every user? Would you put that
> password on every machine?

Sort of. I guess I see it as a sort of 2 factor auth scheme. The
computer has a credential which is processed by free-radius and the
user has a separate credential which is processed by Active Directory.


>
> 2) The per user certificate is stored in a central location where only the
> user can access it. Usually this requires OS support and another layer of
> authentication.

I am pretty sure that Windows XP can use a Computer Cert for dot1X
auth via EAP. I've seen references to it. I've even found a mention of
a registry hack that forces the computer to use machine auth for dot1X
in lieu of user certs, but I am not sure how to correctly implement it
when using free-radius, everything's written for IAS.

>
> If you want to do machine authentication then per machine certificates must
> be generated and distributed (which is where your question began). There is
> no easy secure way to do this for a large number of devices in the absence
> of sophisticated certificate management software, this is why certificate
> management software is a growth industry.

I am willing to do it by hand if the process seems reasonably
straight-forward. I've got about 200 machines and 1600 users, many
users use multiple machines. You can see why I'd rather tackle the
machines. :->

>
> I'm not a Windows guy, but my understanding is that Microsoft offers
> (expensive) solutions. In the Linux world you might consider DogTag
> (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same
> certificate management system used by the DoD (Dept of Defense) and other
> high profile organizations which Red Hat has generously made available as
> open source after its acquisition from Netscape.

Thanks for this resource.

> Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which
> allows users and computers in a Microsoft Windows domain to automatically
> enroll for certificates issued from Certificate System.
>
> Of course if you don't want to deal with the complexity of certificate based
> authentication you could just use passwords. Passwords are much less secure,
> but much simpler.

Yes but then we're back to the problem of a user just providing domain
credentials to gain port access. I can imagine a student downloading
secure-w2 or similar and providing domain credentials to get access
for their laptop.

Thanks again John. I appreciate your insights.

John
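The per-machine certificate described above (FQDN of the computer as the identity, installed in the computer's own store) can be minted by hand with openssl. This is an added example, not code from the thread or from FreeRADIUS; the CA directory, CA name, FQDN and PKCS#12 passphrase are constructed values.

```shell
#!/bin/sh
# Constructed example: mint one per-machine EAP-TLS certificate whose CN and
# DNS SAN carry the computer's FQDN, signed by a private lab CA, and bundle it
# as PKCS#12 for import into the Windows *computer* certificate store.
# Directory, CA name and passphrase are assumptions, not values from the thread.
set -eu

CA_DIR="${CA_DIR:-./labca}"
CA_CN="Lab Machine CA (constructed example)"

# Create the lab CA once: private key plus self-signed certificate (10 years).
make_ca() {
    mkdir -p "$CA_DIR"
    [ -f "$CA_DIR/ca.key" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/CN=$CA_CN" >/dev/null 2>&1
}

# make_machine_cert <fqdn> <p12-password>
# Issues a client-auth cert for one workstation; the CN and the DNS SAN are
# both the FQDN, which is the name FreeRADIUS can check the supplicant against.
make_machine_cert() {
    fqdn="$1"; p12pass="$2"
    out="$CA_DIR/$fqdn"
    ext="$out.ext"
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' "$fqdn" > "$ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out.key" -out "$out.csr" -subj "/CN=$fqdn" >/dev/null 2>&1
    openssl x509 -req -in "$out.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 730 -extfile "$ext" -out "$out.crt" >/dev/null 2>&1
    # Key + cert + CA chain in one file for import into the machine store.
    openssl pkcs12 -export -inkey "$out.key" -in "$out.crt" \
        -certfile "$CA_DIR/ca.crt" -passout "pass:$p12pass" -out "$out.p12" 2>/dev/null
    rm -f "$out.csr" "$ext"
    echo "$out.p12"
}

# cert_fqdn <crt>: prints the CN of the issued cert (what RADIUS will see).
cert_fqdn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_chains_to_ca <crt>: succeeds only if the lab CA signed the cert.
cert_chains_to_ca() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1
}
```

The resulting .p12 goes into the computer (not user) store on each workstation, and ca.crt is what FreeRADIUS trusts when it validates the client certificate.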


