Design question

Dan Letkeman danletkeman at gmail.com
Fri Feb 3 01:27:31 CET 2012


On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> Hi,
>
> On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
>> We primarily use windows 7 on the machines that will authenticate, and
>> they are all connected to cisco switches and access points.  If I
>> understand things correctly I have the option of authenticating based
>> on users, certificates or users and certificates.
>
> In Windows, using the built-in supplicant, you have the following
> choices:
>
> PEAP/MS-CHAPv2 - "user"
> EAP-TLS - certificate ("user" or "computer")
> PEAP/EAP-TLS - certificate, again user or computer.
>
> Windows barfs if you ask PEAP to supply a client certificate, so
> you can't do certificate auth AND user/password at the same time.
>
> If you install a third-party supplicant then it will likely have
> many different EAP methods, read up on what you're getting first.
>
>> In our environment I don't see the need to add users into the
>> mix as almost all of the machines are shared machines where
>> multiple users will authenticate on the same machines.  We also
>> push applications to the machines when users are not logged into
>> them so we need the computer to authenticate on its own when it
>> boots up.
>
> There are few reasons why you'd want to go to the extra config of
> PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer
> auth (certificate in the computer 'personal' store, not in the
> user 'personal' store), the network will come up soon after the
> machine boots, before the GINA login (for wireless, assuming it's
> set to automatically connect). This sounds like what you want.
>
>
>> From what I understand I need to create myself a certificate and
>> install that certificate into the freeradius server and into each of
>> my client computers.
>
> That will work, but you shouldn't. Create a different certificate
> for each client, and for the radius server, all signed by the same
> CA.

This would be a nightmare to manage.  We have 2000+ clients.  I see
the advantage, if the certificate was compromised that this would be
important, but how in the world would you manage this?


>
>> Which EAP type should I use if I only want the computers to
>> authenticate using certificates?  EAP-TLS?
>
> See above. Built-in supplicant with EAP-TLS is probably your
> easiest route.
>
>> I am guessing I should be using WPA2/Enterprise on the clients for the
>> 802.1x authentication on the Windows 7 clients?  And set it to use
>> computer authentication only?
>
> That's one way to do it - you need WPA2 enterprise (the enterprise
> bit being the important word). "Computer auth only" set means it
> won't go looking for certs in users' personal certificate store,
> which is probably what you want.
>
>> Do I need a signed third party certificate or can I use a self signed one?
>
> Best practise is to create your own CA & sign using that. You
> really must use your own CA for client cert validation with
> EAP-TLS unless you want to allow anyone on.
>
>> Could a user not just export the certificate from the computer and
>> import it into their own computer, configure their network settings
>> and get on the network?
>
> [certificate and key] Yes.
>
>> Or is there a mechanism to keep people from doing this?  Perhaps
>> a password encrypted in the certificate?
>
> You can generally set keys as 'non-exportable'. Of course, that's
> just a flag, and doesn't actually mean that there isn't a way to
> get the key out. Google will give you an answer for extracting
> Windows keys after a quick search (I haven't tried it). Just
> remember, the cert is on the device that the user is holding.
>
> If you detect that a certificate has been compromised (heuristics
> such as checking certificate always comes from same MAC address
> might help) then you revoke the cert (CRL / OCSP) and haul the
> user in...
>
>> Is there anything else I am missing?
>
> Coffee. Drink lots of coffee.
>
>
> On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
>> If I wanted redundancy should I just setup a secondary radius server
>> with the same settings and add it to the list of servers that are
>> available?
>
> Yes. Your NAS should rotate round the available RADIUS servers if
> one stops responding.
>
> Cheers,
>
> Matthew
>
>
> [0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why,
>    and a mini "how-to" at http://q.asd.me.uk/pet
>

Very nice.  This will be helpful.

> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
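Per-machine certificates issued by one private CA, with revocation published as a CRL, as an added example that is not part of this thread or of FreeRADIUS itself. It assumes the openssl command line is installed; the CA subject and machine names such as "ws-0001" are constructed placeholders.

```shell
# Added example, not from the list thread: a minimal private CA with one
# certificate per machine plus a CRL, as Matthew describes. Names such as
# "ws-0001" and the CA subject are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

make_ca() {
  # Self-signed CA; the RADIUS server and every client cert chain to it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 3650 -subj "/CN=Device CA (placeholder)" 2>/dev/null
  : > index.txt; echo 01 > serial; echo 01 > crlnumber  # issuance database
  cat > ca.cnf <<'EOF'
[ca]
default_ca = devca
[devca]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 730
default_crl_days = 30
policy = any
[any]
commonName = supplied
EOF
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # empty CRL
}

issue() {  # issue <name>: its own key pair and a CA-signed cert per machine
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.pem" >/dev/null 2>&1
}

revoke() {  # revoke <name>: mark it revoked and publish a fresh CRL
  openssl ca -config ca.cnf -revoke "$1.pem" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

check() {  # check <name>: succeeds only if the cert chains to the CA and is not revoked
  openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$1.pem" >/dev/null 2>&1
}

make_ca; issue radius; issue ws-0001; issue ws-0002
revoke ws-0002   # e.g. a machine whose key was exported; ws-0001 still works
check ws-0001 && echo "ws-0001 OK"; check ws-0002 || echo "ws-0002 revoked"
```

Revoking one machine leaves every other machine's certificate valid, which is the property a single shared certificate cannot give you.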