FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

Chris Arg grkcharge at gmail.com
Wed Dec 17 20:05:32 CET 2014 

An issue that I've experienced when proxying requests from FR to NPS is
that NPS will not return the user-name attribute in the accept packet. This
impacts your accounting data as well as any user specific information your
AP may be displaying. Instead of showing you the inner identity, your
accounting data or AP will display the outer identity, also know as the
anonymous identity. This may be an issue for some environments.

There is a way to update the accept packet post proxy and add the user-name
attribute, but I've yet to get it working in the 3.0.x branch.

#!Chris

On Wed, Dec 17, 2014 at 1:10 PM, Philippe MARASSE <
philippe.marasse at ch-poitiers.fr> wrote:
>
> My 2p
>
> In our organization, I've configured FR 3.0.x for our wireless clients :
>   - PCs in AD domain (EAP-PEAP / MS-ChapV2)
>   - Mac and other devices (EAP-TLS)
>
> We only use computer authentication, pushed by GPO. WiFI profile is also
> pushed by GPO. We have Windows 7 clients only.
>
> AD members are proxyed by FR to NPS service, others are handled directly
> by FR, I find this configuration quite easy to do as AD members announce
> themselves as host/computer.domain.
>
> It works fine for half a year now...
>
> Regards.
>
> Le 15/12/2014 17:38, Tim Reimers a écrit :
>
>  That's what I'm aiming to do
>>
>> Thanks for confirming that NPSs can run as separate servers from being
>> _on_ the Domain Controllers.
>> Much documentation exists indicating NPS on the DC, but I hadn't yet had
>> time to check and wonder if it could run on it's own VM or as part of a VM
>> doing other tasks.
>>
>> Good also to see your thoughts on FR talking nicely to NPSs on the back
>> end and being more flexible.
>> That's the other reason I'd decided to do FR between the APs and the
>> (possible) NPSs server.
>> it gives me the ability to allow/disallow certain things independently of
>> Active Directory, such as for devices that cannot do AD or that we don't
>> want to integrate into AD.
>>
>> thanks, Tim
>>
>> ________________________________________
>> From: freeradius-users-bounces+treimers=ashevillenc.gov@
>> lists.freeradius.org [freeradius-users-bounces+treimers=ashevillenc.gov@
>> lists.freeradius.org] on behalf of Caines, Max [Max.Caines at wlv.ac.uk]
>> Sent: Monday, December 15, 2014 5:16 AM
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication -
>> With       ActiveDirectory interconnection..
>>
>> If you are running NPS on your DCs, I can see why you might not want to
>> expose them to wireless clients. Here we have two separate NPS servers.
>> Anyway, FR is much more flexible than NPS as a front-end, and talks better
>> to NRPS. We're running NPS as a proxy behind it
>>
>> Regards
>>
>> Max
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org
>> [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk@
>> lists.freeradius.org] On Behalf Of Tim Reimers
>> Sent: 12 December 2014 19:47
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With
>> ActiveDirectory interconnection..
>>
>> The Network Policy Server route is what Meraki describes, although they
>> want to have the Meraki access points talk directly to the NPS server, not
>> with FreeRadius in between.
>>
>> However, what we want to do is use Freeradius as a go-between for a
>> couple of reasons -
>> - One, it allows us to specially define non-AD devices and allow them
>> - Second, it stops the wireless users and APs on the DMZ from talking
>> directly to our domain controllers, which is a desired security stance from
>> our network users..
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+treimers=ashevillenc.gov@
>> lists.freeradius.org [mailto:freeradius-users-bounces+treimers=
>> ashevillenc.gov at lists.freeradius.org] On Behalf Of Caines, Max
>> Sent: Friday, December 12, 2014 2:42 PM
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With
>> ActiveDirectory interconnection..
>>
>> There are two ways to authenticate to AD from FreeRadius. One is to use
>> Winbind/Samba, as described in that document. The other is to proxy the
>> requests to NPS servers. It's mostly a question of which you find simpler.
>> NPS can be badly behaved; it's quite prone to discarding packets without
>> replying, which leads to other RADIUS servers marking it as dead. However,
>> the Eduroam site has some useful notes on making it a better citizen (see
>> https://community.ja.net/groups/eduroam/article/improving-reliability-
>> microsoft-nps-authentication-provider-eduroam), and we've been running
>> it successfully for several years. I found it easier to set up proxying to
>> NPS than to install Samba and set up Winbind/NTLM; you might feel
>> differently.
>>
>> I thought I had seen a document about proxying from FR to NPS in the pst,
>> but I'm afraid I can't track it down
>>
>> Regards
>>
>> Max
>> ________________________________________
>> From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org
>> [freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] on
>> behalf of Tim Reimers [treimers at ashevillenc.gov]
>> Sent: 12 December 2014 15:54
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication -
>> With       ActiveDirectory interconnection..
>>
>> Is this the correct document to follow?
>>
>> http://wiki.freeradius.org/guide/FreeRADIUS-Active-
>> Directory-Integration-HOWTO
>>
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+treimers=ashevillenc.gov@
>> lists.freeradius.org [mailto:freeradius-users-bounces+treimers=
>> ashevillenc.gov at lists.freeradius.org] On Behalf Of Tim Reimers
>> Sent: Friday, December 12, 2014 10:28 AM
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With
>> ActiveDirectory interconnection..
>>
>> Thanks Max and Alan --
>>
>> Can someone point me to the best and newest documentation to use in
>> setting this up?
>> I see docs that refer to Freeradius 1.X and 2.X, but I'm not sure if
>> everything in those is accurate for 3.0
>>
>> thanks, Tim
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+treimers=ashevillenc.gov@
>> lists.freeradius.org [mailto:freeradius-users-bounces+treimers=
>> ashevillenc.gov at lists.freeradius.org] On Behalf Of Caines, Max
>> Sent: Friday, December 12, 2014 8:43 AM
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With
>> ActiveDirectory interconnection..
>>
>> As I understand it, when you configure 802.1x authentication on Windows,
>> provided you tick the relevant box, Windows will authenticate twice, using
>> the computer account and then the user account. Only after that does domain
>> authentication direct to a DC kick in. It is possible to omit either stage,
>> but I think only group policy can force use of the computer account only
>>
>> Regards
>>
>> Max
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org
>> [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk@
>> lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
>> Sent: 12 December 2014 11:43
>> To: FreeRadius users mailing list
>> Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With
>> ActiveDirectory interconnection..
>>
>> I wouldn't contradict anything others have said about this one, they know
>> their stuff more than me, but we *sort of* do this - user auth using 802.1x
>> plus mac address auth with macs stored in AD. Most wireless controllers
>> I've seen will support 802.1x + MAC , and do it as 2 separate
>> authentication transactions. Some will also let you decide the order the
>> transactions appear in.
>> Mac auth isn't great on its own, but in addition to 802.1x you are
>> authing the user/whole computer with certs and the computer with mac
>> addresses.
>> Just my 2p, possibly off track or wrong practice though!
>> Andy
>>
>> -----Original Message-----
>> From:
>> freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
>> [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
>> s.org] On Behalf Of Tim Reimers
>> Sent: 11 December 2014 20:17
>> To: freeradius-users at lists.freeradius.org
>> Subject: FreeRadius and WPA2-Enterprise machine authentication - With
>> ActiveDirectory interconnection..
>>
>>
>> Hi everyone -
>>
>> I'm trying to design something here that I'm sure has been done before,
>> but AFAIK, it crosses through a few different howto documents, and being
>> new to this, I'm just not certain that I have pieced together all the
>> relevant HOWTo docs and not missed a point at which the design won't
>> communicate the needed information.
>>
>> The plan is to authenticate wireless users AND their computers. (so that
>> a user cannot BYOD to the secure network; only laptops joined to the domain
>> will work)
>>
>> I know that WPA2-Enterprise is what I need, to be able to have rotating
>> keys, use Radius for authentication, etc.
>> I know that WPA2-Enterprise requires certificates to validate the machines
>>
>> I already have a Microsoft CA server running in my AD environment, with
>> the GPO needed to push out workstation certificate enrollment and so on,
>> for other applications.
>>
>> My question is -
>> Can FreeRadius (3.0.1) on centos 7
>> be configured to do the machine authentication using certs from the
>> Microsoft CA server?
>> Meraki is the wireless infrastructure, if that helps.
>>
>> Thanks, Tim
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> --
>> Scanned by iCritical.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> --
>> Scanned by iCritical.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> --
>> Scanned by iCritical.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>>
>
> --
> Philippe MARASSE
>
> Responsable pôle Infrastructures - DSIO
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Coeur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141217/cb845310/attachment-0001.html>

More information about the Freeradius-Users mailing list