Best Authentication Method for Various Supplicant

homyang cha homyang4u at gmail.com
Tue Sep 7 14:15:08 CEST 2010


Hi Alex
Thank you for the help. I am now able to authenticate users from both
Windows XP(2) and Windows 7 using the PEAP authentication type. But in Windows
Vista I have a problem. Initially I am able to authenticate from Windows
Vista but after some time it disconnects itself. I have to disable the
network to authenticate again and the whole process starts again (i.e. after
initial authentication and network connection success it disconnects). Can
you shed some light on this?

Thank You in advance....

On Sat, Sep 4, 2010 at 2:42 AM, Alexander Clouter <alex at digriz.org.uk> wrote:

> homyang cha <homyang4u at gmail.com> wrote:
> >
> > Now my issues are: in my networks there are various kinds of OS
> > running for supplicants. To name a few are Windows XP (SP2, SP3),
> > Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have
> > to configure AAA applicants systems in such a way all these systems are
> > supported. Can someone help me suggest or have any idea/experience on
> > this. What could be the best authentication method that I can use so
> > that all these supplicants using different OS are supported. Also I use
> > wired connection as well as wireless connection in the network. Does
> > anybody throw some light on this matter?
> >
> Here is a summary of my five years of experience being a network
> analyst at a UK university... :)  Mac OS X and Linux are really trivial
> and it is hard to write much about them, it is Microsoft that
> unsurprisingly once again excel at causing us so much pain.
>
> For Windows XP[1]/Vista/Win7 you have two options:
>  * PEAP
>  * TTLS - involves purchasing SecureW2[3]
>
> PEAP might seem appealing as it is built into Windows, however by the
> sounds of things all the workstations connecting are not part of your
> Microsoft AD (like ours) and so you cannot push out a group policy
> autoconfiguring everyone's equipment.  This means you (or rather your
> helldesk minions) have to manually configure every workstation by hand
> which can lead to corners being cut (skipping certificate validation)
> and misconfiguration.
>
> Until recently there was no way to avoid this nasty choice of either AD
> importing or manual configuration.  Fortunately, one of my counterparts
> working also in academentia put together a collection of scripts/tools
> and called it SU1X[4] that lets you autoconfigure PEAP behind a single
> EXE.
>
> TTLS with SecureW2 is the other option and from day let you pre-seed the
> configuration so that everything got configured plus the handy popups
> and full customisation can be a nice touch if that sort of thing floats
> your boat, or rather your boss's.  Of course, SecureW2 comes with a
> price tag, we personally think a *very* good one when you think of the
> money in hours saved in your helpdesk team costs.  Things get even
> better when you wrap the lot up in a NSIS script like we have[5].
>
> There is actually a technical reason that might force you to choose
> between PEAP and TTLS which boils down to how your passwords were stored
> in your backend database.  If you have an LDAP backend only (where the
> plaintext password is not extractable) then TTLS/PAP is really your
> *only* option.  If you have a Microsoft AD backend for your user
> accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2).
>
> Originally we only had an LDAP backend database, but then 'upgraded' to
> using Novell's Universal Password so now we no longer have the TTLS
> constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose
> *not* to offer PEAP).
>
> So, why pick one or the other, technical reasons only.  SecureW2 handles
> certificate chaining a *lot* better than the PEAP and due to its
> commercial nature it's hard for the helpdesk to cut corners and *not*
> use your official hand crafted blessed installer as they cannot source
> their own copy.  PEAP however will offer you Statement of Health;
> speaking to the SecureW2 author though he is keen to work on adding
> support for this.  One other win for SecureW2 is you get GTC support
> too, so you can do fancy things like use one time passwords (the
> changing key is generated by your mobile phone) which works nicely too;
> well it would work nicely if Alan accepted trivial patches to the GTC
> FreeRADIUS module (along with the LDAP one I posted...) </rant>
>
> Lucky for you SU1X is free to play with and you can also get a fully
> enabled trial for free of SecureW2 (man, I must sound like a sales
> droid).  Play with both and decide what you prefer.
>
> As for the Mac OS X weenies I noticed as soon as I enabled
> TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to
> automatically configure themselves.  No idea what they are like when
> confronted with PEAP but they would not autoconfigure TTLS/PAP :-/
>
> The Linux users, well we are fine, you can see what we do destructions
> wise on our support website[6].  One of our students is slowly getting
> around to testing amendments I suggested to the Wicd template that
> should improve things further; I myself am a Debian wpa_supplicant kinda
> person.
>
> As for your last question regarding simultaneous wired and wireless
> access, look around the Internet and read up about 'routing metrics'.
> In short, make your wifi link have a higher (lower priority) routing
> metric; although this overlooks source based routing issues but that is
> not a FreeRADIUS problem or an issue that should be discussed here.
>
> If you have any more questions then do ask.
>
> Cheers
>
> [1] I strongly recommend you just say no to SP2, hell Microsoft will no
>        longer support it so why should you.  However, if you insist on
>        punishing yourself make sure you force an install of
>        KB917021[2].  Really you should make a condition of getting
>        onto the wifi/wired 802.1X network that the user has to update
>        to the latest service pack
> [2] http://support.microsoft.com/kb/917021/
> [3] http://www.securew2.com/
> [4] http://www.ja.net/services/authentication-and-authorisation/janet-roaming/su1x.html
> [5] http://stuff.digriz.org.uk/securew2-dev.zip
> [6] http://support.docs.lis.soas.ac.uk/connect#linux
>
> --
> Alexander Clouter
> .sigmonster says: Massachusetts has the best politicians money can buy.
>



-- 
homyang (aka puran)
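
The corner-cutting mentioned in the quoted reply (skipping certificate validation when supplicants are configured by hand) can be checked for on the wpa_supplicant side. The following is an added example, not part of the original thread or of any project named in it: it audits `network={}` blocks for PEAP/TTLS entries that do not pin a CA or a server name. The sample configuration, SSIDs, identities and CA path are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, identities and CA path are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-1x-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="bob@example.org"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
network={
    ssid="home"
    psk="not-a-real-passphrase"
}
'''

NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return each network={...} block as a dict of key -> unquoted value."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """List (ssid, problem) for tunnelled EAP networks that skip server validation."""
    findings = []
    for net in parse_networks(text):
        methods = set(net.get("eap", "").upper().split())
        if not methods & {"PEAP", "TTLS"}:
            continue  # PSK/open networks have no RADIUS server certificate to check
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((net.get("ssid"), "no CA set: server certificate is not verified"))
        if not any(k in net for k in NAME_CHECKS):
            findings.append((net.get("ssid"), "no server name match: any cert from the CA passes"))
    return findings
```

Running `audit(SAMPLE_CONF)` flags only the PEAP block, which has neither a CA nor a server name constraint; the TTLS/PAP block with both set passes.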