RADIUS Questions
Dan
dan at liai.org
Tue Jul 26 22:10:25 CEST 2011
Garber,
Thanks for your reply.
We do not manage every machine in the building. We allow users to
bring in their personal laptops to work, and they vary in manufacturer and
OS. We have machines with Windows versions ranging from XP to 7. The same is
true with Mac OS X: the oldest version we run is 10.4.11 and the newest
is 10.6.8. We have some Linux clients, but these are all hardwired so they
aren't a concern.
All of the Macs in our building, that is the ones that aren't personal
machines, are joined to our domain. The few PC machines that we do
manage are joined to our AD server, but I would say that the vast
majority of the PCs are not managed and not joined to our AD server. All
Windows systems (XP through 7) have to be set up the way I described
earlier in order for this to work.
I don't think that I'm using the supplicant, but I could be wrong. I'm
running FreeRADIUS 2.1.7-7.e15 (I believe this is the latest) with
freeradius2-krb5-2.1.7-7.e15 and freeradius2-utils-2.1.7-7.e15.
I'm pretty sure I'm using PEAP.
I realize that, and I'm going to work on using our wildcard cert to
better secure this. However, the question still arises of whether our SSL
cert will validate properly on a Windows system. When I initially set this up
I never saw anything regarding an 802.1x config. After updating I seem
to remember seeing this config file mentioned.
"Why do you want to use manual authentication as opposed to
automatic? If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release, doesn't support MS-CHAP password change. Also, user authentication with the Windows supplicant requires the
presence of cached credentials (because you logon locally
first and then connect to the wireless network) which may
not match current A/D credentials."
Like I mentioned above, not all machines, actually only a few, are managed via
our AD server. I would love to change this, but it would require far more
administrative changes than I'm able to make.
Dan
Like I mentioned our Windows versions vary from XP to 7.
On 7/26/11 12:30 PM, Garber, Neal wrote:
> You didn't give much information regarding your
> environment, so some of the responses below are
> based upon assumptions: that you manage all devices
> that are connecting, that they are joined to your
> A/D domain and that you are using the Windows
> supplicant.
>
> You haven't said what version of Windows you
> are running and what version of FreeRADIUS
> you are running!
>
>> Currently with Windows machines I can't just connect to
>> the SSID and enter in a username and password. I have
>> to go and manually add the SSID, modify some settings;
> If you are referring to PEAP vs. TLS, that's a Windows XP
> issue. XP defaults to TLS and won't connect automatically
> if you are using PEAP. However, you can push wireless
> policy to your Windows devices using A/D group policy
> and set this up automatically.
>
>> specifically turning off validating server certificate
> This is a bad idea as you could be passing your credentials
> to someone else's RADIUS server. It's best to generate a
> certificate signed by an internal Certificate Authority
> and require a cert signed by that CA in your 802.1x config.
> This too can be pushed to Windows devices as part of your
> A/D policy assuming they are joined to your domain and
> run Windows.
>
>> turning off automatically use my Windows login, and
>> turning on User or computer authentication mode.
> Why do you want to use manual authentication as opposed to
> automatic? If the machines that are connecting are joined
> to your A/D domain, you may want to consider using machine
> authentication. User authentication, in the current release, doesn't support MS-CHAP password change. Also, user authentication with the Windows supplicant requires the
> presence of cached credentials (because you logon locally
> first and then connect to the wireless network) which may
> not match current A/D credentials.
>
>> error message was: winbind client not authorized to
>> use winbindd_pam_auth_crap. Ensure permissions on
>> /var/cache/samba/winbindd_privileged are set correctly.
> Use "sudo wbinfo" or run it as root if you don't use sudo.
> That said, wbinfo isn't used by FreeRADIUS to authenticate
> to A/D (ntlm_auth is used for PEAP/MS-CHAPv2).
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
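The thread's central security point is the "turn off validating server certificate" step: a supplicant configured that way will run the PEAP inner MS-CHAPv2 exchange with any RADIUS server that answers for the SSID. The following audit script is an added example, not code from either poster or from the FreeRADIUS project. It inspects a Windows WLAN profile of the kind `netsh wlan export profile` produces and flags the PEAP server-validation settings Neal recommends enabling (trusted root CA pinned, server name restricted, no user click-through). Element names follow the Microsoft WLAN / EapHostConfig profile schema as the author recalls it and are an assumption; the two profiles in the block are constructed samples, not real exports, and `radius.example.org` and the thumbprint are placeholders.

```python
# Added example: audit a Windows WLAN profile for PEAP server-validation
# weaknesses. Not code from the thread or from FreeRADIUS. Element names
# (ServerValidation, TrustedRootCA, ServerNames, PerformServerValidation,
# DisableUserPromptForServerValidation) follow the Microsoft profile schema
# as recalled by the author; both profiles below are constructed samples.
import xml.etree.ElementTree as ET

PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"
MSCHAP_V1 = "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"


def _profile(server_validation, perform_validation, auth_mode="user"):
    """Build a constructed WLAN profile fragment around the PEAP settings under test."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
      <EAPConfig>
        <EapType xmlns="{PEAP_V1}">
          {server_validation}
          <Eap><Type>26</Type>
            <EapType xmlns="{MSCHAP_V1}"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType>
          </Eap>
          <PeapExtensions>
            <PerformServerValidation xmlns="{PEAP_V2}">{perform_validation}</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


# Constructed: what the "turn off validating server certificate" profile looks like.
WEAK_PROFILE = _profile(
    "<ServerValidation>"
    "<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>"
    "</ServerValidation>",
    "false",
)

# Constructed: validation on, CA thumbprint pinned (placeholder value), name restricted.
HARDENED_PROFILE = _profile(
    "<ServerValidation>"
    "<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>"
    "<ServerNames>radius.example.org</ServerNames>"
    "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>"
    "</ServerValidation>",
    "true",
    auth_mode="machine",
)


def _text(root, local_name):
    """Return the lower-cased text of the first element with this local name,
    ignoring XML namespaces; None if the element is absent."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip().lower()
    return None


def auth_mode(xml_text):
    """Return the OneX authMode ('user', 'machine' or 'machineOrUser') or None."""
    return _text(ET.fromstring(xml_text), "authMode")


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the PEAP settings pin the server."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("PerformServerValidation is not true: credentials go to any RADIUS server")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("DisableUserPromptForServerValidation is not true: users can click through")
    if not _text(root, "TrustedRootCA"):
        findings.append("no TrustedRootCA pinned: every CA in the machine store is accepted")
    if not _text(root, "ServerNames"):
        findings.append("no ServerNames restriction: any cert from a trusted CA is accepted")
    return findings


if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label} (authMode={auth_mode(prof)}):", audit_peap_profile(prof) or "OK")
```

To audit a real machine, export its profiles with `netsh wlan export profile folder=C:\profiles` and pass each file's contents to `audit_peap_profile`. Matching on local element names rather than full namespaces keeps the check working across the V1/V2 PEAP namespaces Windows mixes in one profile.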