802.1x host/machine authentication

James S. Smith JSmith at WindMobile.ca
Wed Oct 20 13:51:51 CEST 2010


This isn't a comment on FreeRadius, but in our recent experiences with 802.1x and Windows XP clients it was a total waste of time. The built-in XP dot1x client is not up to the job. We had contractors in trying to make it work and everything was perfect on the network setup. In the end, Windows XP simply had issues authenticating 100% of the time (probably closer to 65%). When you do get it to authenticate properly you'll run into problems with anyone else doing an RDP to the Windows server (say your helpdesk folks) because re-authentication will kick in and drop the connection.

Your best bets are: Windows 7 for the improved dot1x client; scrap dot1x and do port-based access-lists; do VMPS with FreeRadius.

________________________________
From: freeradius-users-bounces+jsmith=windmobile.ca at lists.freeradius.org <freeradius-users-bounces+jsmith=windmobile.ca at lists.freeradius.org>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Wed Oct 20 07:22:56 2010
Subject: 802.1x host/machine authentication

Hi,

I have the following setup,

where a Windows host is connected to a Cisco 2960, which is connected to Microsoft AD via a RADIUS proxy:

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1 authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see a RADIUS Access-Request with User-Name = "host/radhost1.testad1.com", which qualifies as an IPASS-type realm and searches for the realm "host", and things do not work.

Please point me to links/docs or give me pointer where/how to start.

rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, length=165
User-Name = "host/radhost1.testad1.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-21-D7-00-51-89"
Calling-Station-Id = "00-13-20-38-33-27"
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
NAS-Port-Type = Ethernet
NAS-Port = 50009
NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length 30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.


Thanks & Regards

--
Chidanand Gangur
Pune.

________________________________
This message contains confidential information and is intended only for the individual named. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
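The debug output in the quoted question shows why the machine identity goes wrong: the realm modules run in authorize in the order IPASS, suffix, ntdomain, realmpercent, each splits User-Name on its own delimiter, and the first one that finds a delimiter and a matching (or DEFAULT) realm sets Realm and Stripped-User-Name, after which the others print "Request already proxied. Ignoring." Because IPASS is a prefix realm with "/" as the delimiter, "host/radhost1.testad1.com" is read as realm "host" before anything else gets a look. The following Python model is an added illustration, not FreeRADIUS code and not from either poster: it reproduces that chain for the identities in the log and shows a host/ pre-check of the kind an unlang "if (User-Name =~ /^host\//)" block placed before the realm modules would make. The module settings, the realm table, and the assumption that prefix formats split at the first delimiter and suffix formats at the last are all assumptions chosen to match the log; the no-delimiter case is deliberately simplified (a real instance may also look up realm "NULL").

```python
"""
Added model of FreeRADIUS rlm_realm ordering for the identities seen in the
quoted debug log. Not FreeRADIUS code; settings below are assumptions.
"""

# Assumed rlm_realm instances in the authorize order shown in the log:
# (instance name, format, delimiter). Check raddb/modules/realm.
REALM_MODULES = [
    ("IPASS", "prefix", "/"),
    ("suffix", "suffix", "@"),
    ("ntdomain", "prefix", "\\"),
    ("realmpercent", "suffix", "%"),
]

# Assumed proxy.conf realm table: realm name -> authhost.
# "LOCAL" means authenticate here. DEFAULT is the catch-all the log shows
# being chosen for the unknown realm "host".
REALM_TABLE = {
    "testad1.com": "LOCAL",
    "DEFAULT": "LOCAL",
}


def split_name(user_name, fmt, delim):
    """Return (stripped_user_name, realm), or None if the delimiter is absent.
    Assumption: prefix formats split at the first delimiter, suffix at the last."""
    if fmt == "prefix":
        idx = user_name.find(delim)
        if idx < 0:
            return None
        return user_name[idx + 1:], user_name[:idx]
    idx = user_name.rfind(delim)
    if idx < 0:
        return None
    return user_name[:idx], user_name[idx + 1:]


def run_realm_chain(user_name, realm_table=REALM_TABLE):
    """Walk the realm modules the way authorize does and return
    (request_attributes, trace). The first instance that finds a delimiter
    and a known or DEFAULT realm sets Realm and Stripped-User-Name; every
    later instance sees Realm already present and ignores the request."""
    request = {"User-Name": user_name}
    trace = []
    for mod, fmt, delim in REALM_MODULES:
        if "Realm" in request:
            trace.append(f"[{mod}] Request already proxied. Ignoring.")
            continue
        parts = split_name(user_name, fmt, delim)
        if parts is None:
            # Simplification: no delimiter means this instance does nothing.
            trace.append(f"[{mod}] No '{delim}' in User-Name = \"{user_name}\"")
            continue
        stripped, realm = parts
        trace.append(f'[{mod}] Looking up realm "{realm}" for User-Name = "{user_name}"')
        found = realm if realm in realm_table else ("DEFAULT" if "DEFAULT" in realm_table else None)
        if found is None:
            trace.append(f'[{mod}] No such realm "{realm}"')
            continue
        request["Realm"] = found
        request["Stripped-User-Name"] = stripped
        request["authhost"] = realm_table[found]
        trace.append(f'[{mod}] Found realm "{found}", Stripped-User-Name = "{stripped}"')
    return request, trace


def machine_identity(user_name):
    """Windows machine authentication presents the outer identity as host/<fqdn>.
    Return the FQDN for such an identity, None for anything else. This is the
    check to make before the realm modules run (illustrative, not from the page)."""
    prefix = "host/"
    if user_name.startswith(prefix) and len(user_name) > len(prefix):
        return user_name[len(prefix):]
    return None


def classify(user_name, realm_table=REALM_TABLE):
    """Route an identity: machine identities are recognised first so the
    realm chain never treats 'host' as a realm; everything else goes through
    the chain unchanged. Using the DNS suffix as the realm is an assumption."""
    fqdn = machine_identity(user_name)
    if fqdn is not None:
        host, _, dns_domain = fqdn.partition(".")
        return {"kind": "machine", "host": host, "realm": dns_domain or "DEFAULT"}
    request, _ = run_realm_chain(user_name, realm_table)
    return {"kind": "user", "realm": request.get("Realm"),
            "stripped": request.get("Stripped-User-Name")}


if __name__ == "__main__":
    # The identity from the quoted Access-Request, run through the chain as-is.
    for line in run_realm_chain("host/radhost1.testad1.com")[1]:
        print(line)
    print(classify("host/radhost1.testad1.com"))
```

The chain only ever sees the outer EAP identity. With PEAP the identity that is actually authenticated is the one sent inside the TLS tunnel and handled by the inner-tunnel virtual server, so whatever host/ handling you settle on has to be applied there as well, not just in the default server whose debug output is quoted above.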