computer authentication
Matthew Newton
mcn4 at leicester.ac.uk
Fri Dec 7 21:23:13 CET 2012
On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> Sorry, I was not clear with my setup information. We do not have a domain,
> these are stand-alone Windows 7 devices. We also have some tablets and
> some Linux boxes. Concern right now is the Windows 7 devices. I didn't
> know that you cannot do machine authentication without a domain....
You can, but you'll need to handle the certificates on the hosts
manually. That's usually such a pain that the only real solution
is to use AD. If you've got a small number of devices, or can
write some other automated method of deploying certs, then it can
be possible to handle.
What you /can't/ do is both User auth (mschap - username +
password) *and* Computer auth (certificates - EAP-TLS) in the same
connection, as the default Windows supplicant, like most, doesn't
support client certificates with PEAP (and user auth - mschap -
needs to be inside PEAP).
> User authentication in my environment is just not an option because all of
> the devices need to have a connection to the network at all times even if
> nobody is logged in. Should I be using PEAP/EAP-TLS instead?
There are no good reasons for doing PEAP/EAP-TLS unless you want
to use SoH. PEAP adds overhead to the auth, with no added benefit.
> If so do you know of any good setup documentation for that?
I wrote up how to do PEAP/EAP-TLS a while back - you can find it
here: http://q.asd.me.uk/pet
That said - your connection is trying to do PEAP, so you've
configured your client for either 'certificates' or mschap inside
PEAP. I forget the exact options in the interface, but you need to
choose 'certificates' rather than 'PEAP', then select the client
certificate that you want to auth with - which will be one that is
signed by the same CA that the CA_file option in your FreeRADIUS
eap.conf file points to. Make sure it's set to 'Computer' auth,
not 'User' or 'User + Computer'.
In theory, you'll then find that it Just Works. But the Windows
config interface takes a bit of head scratching to get around
until you understand what it's doing under the hood.
Cheers
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
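The two points above that trip people up on non-domain hosts are "handle the certificates on the hosts manually" and "a client certificate signed by the same CA that CA_file in eap.conf points to". The script below is an added example, not from this thread or the FreeRADIUS project: it builds a throwaway lab CA, issues one computer certificate with the clientAuth extended key usage that EAP-TLS supplicants need, packages it as a PKCS#12 file of the kind you would import into the Windows Computer (Local Machine) certificate store, and then checks that the certificate chains to that CA. The CA name, machine name `lab-pc01.example.test`, the `PKI_DIR` working directory and the `lab-only` export password are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a tiny lab CA,
# issue a machine (computer) certificate for EAP-TLS, and check that the
# certificate chains to the CA that eap.conf's CA_file would point at.
# Requires the openssl command-line tool. All names here are constructed.
set -eu

# Working directory for the constructed PKI (assumption: $TMPDIR or /tmp is writable).
PKI_DIR="${PKI_DIR:-$(mktemp -d "${TMPDIR:-/tmp}/eaptls-lab.XXXXXX")}"

# build_lab_pki MACHINE
# Creates a self-signed CA (ca.pem, the file CA_file would reference) and
# issues one client certificate for MACHINE, plus a PKCS#12 bundle for the host.
build_lab_pki() {
    machine="$1"

    # Root CA. `openssl req -x509` marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.pem" \
        -subj "/CN=Lab EAP-TLS CA" >/dev/null 2>&1

    # Private key and CSR for the computer; the CN is the machine name.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$PKI_DIR/$machine.key" -out "$PKI_DIR/$machine.csr" \
        -subj "/CN=$machine" >/dev/null 2>&1

    # Extensions a machine certificate used for EAP-TLS should carry:
    # not a CA, signing key usage, and the clientAuth extended key usage.
    cat > "$PKI_DIR/$machine.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:$machine
EOF

    # Sign the CSR with the lab CA, applying the extensions above.
    openssl x509 -req -sha256 -days 365 -in "$PKI_DIR/$machine.csr" \
        -CA "$PKI_DIR/ca.pem" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/$machine.ext" -out "$PKI_DIR/$machine.pem" >/dev/null 2>&1

    # PKCS#12 bundle (cert + key + CA): the artefact you would copy to a
    # stand-alone Windows host and import into the Computer certificate store.
    openssl pkcs12 -export -in "$PKI_DIR/$machine.pem" -inkey "$PKI_DIR/$machine.key" \
        -certfile "$PKI_DIR/ca.pem" -out "$PKI_DIR/$machine.pfx" \
        -passout pass:lab-only >/dev/null 2>&1
}

# verify_machine_cert CA_FILE CERT_FILE
# Returns 0 when CERT_FILE chains to CA_FILE and is acceptable as a TLS client
# certificate (-purpose sslclient also enforces the clientAuth EKU), 1 otherwise.
# The output is inspected rather than the exit status because older openssl
# builds returned 0 from `verify` even on failure.
verify_machine_cert() {
    ca_file="$1"
    cert_file="$2"
    out=$(openssl verify -purpose sslclient -CAfile "$ca_file" "$cert_file" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: sh eaptls-lab.sh lab-pc01.example.test
if [ "${1:-}" != "" ]; then
    build_lab_pki "$1"
    if verify_machine_cert "$PKI_DIR/ca.pem" "$PKI_DIR/$1.pem"; then
        echo "$1: chains to $PKI_DIR/ca.pem and is valid for client auth"
        echo "PKCS#12 for the host: $PKI_DIR/$1.pfx"
    else
        echo "$1: verification against $PKI_DIR/ca.pem failed" >&2
        exit 1
    fi
fi
```

On the FreeRADIUS side nothing changes for the lab: `CA_file` in the `tls` section of eap.conf points at `ca.pem`, and any certificate issued by a different CA, or one lacking clientAuth, is what `verify_machine_cert` rejects here and what the server would reject during the EAP-TLS handshake.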