Best Authentication Method for Various Supplicant

Alexander Clouter alex at digriz.org.uk
Fri Sep 3 22:42:36 CEST 2010 

homyang cha <homyang4u at gmail.com> wrote:
>
> Now my issues are: in my networks there are various kinds of OS 
> running for supplicants. To name a few are Windows XP (SP2, SP3), 
> Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have 
> to configure AAA applicants systems in such a way all this systems are 
> supported. Can someone help me suggest or have any idea/experience on 
> this. What could be the best authentiation method that I can use so 
> that all this supplicants using different OS are supported. Also I use 
> wired connection as well as wireless connection in the network. Does 
> anybody throw some light on this matter?
> 
Here is a summary of my five years of experience being a network 
analyst at a UK university... :)  Mac OS X and Linux are really trivial 
and it is hard to write much about them, it is Microsoft that 
unsurprisingly once again excel at causing us so much pain.

For Windows XP[1]/Vista/Win7 you have two options:
 * PEAP
 * TTLS - involves purchasing SecureW2[3]

PEAP might seem appealing as it is built into Windows, however by the 
sounds of things all the workstations connecting are not part of your 
Microsoft AD (like ours) and so you cannot push out a group policy 
autoconfiguring everyones equipment.  This means you (or rather your 
helldesk minions) have to manually configure every workstation by hand 
which can lead to corners being cut (skipping certificate validation) 
and misconfiguration.

Until recently there was no way to avoid this nasty choice of either AD 
importing or manual configuration.  Fortunately, one of my counterparts 
working also in academentia put together a collection of scripts/tools 
and called it SU1X[4] that lets you autoconfigure PEAP behind a single 
EXE.

TTLS with SecureW2 is the other option and from day let you pre-seed the 
configuration so that everything got configured plus the handy popups 
and full customisation can be a nice touch if that sort of thing floats 
your boat, or rather your boss's.  Of course, SecureW2 comes with a 
price tag, we personally think a *very* good one when you think of the 
money in hours saved in your helpdesk team costs.  Things get even 
better when you wrap the lot up in a NSIS script like we have[5].

There is actually a technical reason that might force you to choose 
between PEAP and TTLS which boils down to how your passwords were stored 
in your backend database.  If you have an LDAP backend only (where the 
plaintext password is not extractable) then TTLS/PAP is really your 
*only* option.  If you have a Microsoft AD backend for your user 
accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2).

Originally we only had an LDAP backend database, but then 'upgraded' to 
using Novell's Universal Password so now we no longer have the TTLS 
constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose 
*not* to offer PEAP).

So, why pick one or the other, technical reasons only.  SecureW2 handles 
certificate chaining a *lot* better than the PEAP and due to it's 
commercial nature it's hard for the helpdesk to cut corners and *not* 
use your official hand crafted blessed installer as they cannot source 
their own copy.  PEAP however will offer you Statement of Health; 
speaking to the SecureW2 author though he is keen to work on adding 
support for this.  One other win for SecureW2 is you get GTC support 
too, so you can do fancy things like use one time passwords (the 
changing key is generated by your mobile phone) which works nicely too; 
well it would work nicely if Alan accepted trivial patches to the GTC 
FreeRADIUS module (along with the LDAP one I posted...) </rant>

Lucky for you SU1X is free to play with and you can also get a fully 
enabled trial for free of SecureW2 (man, I must sound like a sales 
droid).  Play with both and decide what you prefer.

As for the Mac OS X weenies I noticed as soon as I enabled 
TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to 
automatically configure themselves.  No idea what they are like when 
confronted with PEAP but they would not autoconfigure TTLS/PAP :-/

The Linux users, well we are fine, you can see what we do destructions 
wise on our support website[6].  One of our students is slowly getting 
around to testing amendments I suggested to the Wicd template that 
should improve things further; I myself am a Debian wpa_supplicant kinda 
person.

As for your last question regarding simulateous wired and wireless 
access, look around the Internet and read up about 'routing metrics'.  
In short, make your wifi link have a higher (lower priority) routing 
metric; although this overlooks source based routing issues but that is 
not a FreeRADIUS problem or an issue that should be discussed here.

If you have any more questions then do ask.

Cheers

[1] I strongly recommend you just say no to SP2, hell Microsoft will no 
	longer support it so why should you.  However, if you insist on 
	punishing yourself make sure you force an install of 
	KB917021[2].  Really you should make a condition of getting 
	onto the wifi/wired 802.1X network that the user has to update 
	to the latest service pack
[2] http://support.microsoft.com/kb/917021/
[3] http://www.securew2.com/
[4] http://www.ja.net/services/authentication-and-authorisation/janet-roaming/su1x.html
[5] http://stuff.digriz.org.uk/securew2-dev.zip
[6] http://support.docs.lis.soas.ac.uk/connect#linux

-- 
Alexander Clouter
.sigmonster says: Massachusetts has the best politicians money can buy.

More information about the Freeradius-Users mailing list