Authenticate as computer .....

Authenticate as computer .....

Lorel hardy
Hi,

For a few days now I have succeeded in PEAP auth with freeradius, but I have a
bigger problem.
I would like to check the "authenticate as computer when information is
available" box so my computer should be reachable even if nobody is
logged in.
I've read in a previous post that it is only possible with an Active
Directory (AD) server, and as you might well think, I don't want an AD server...
So does somebody have an idea or a method to do that? It seems I can
authenticate only the machine with a certificate, but I can't find any
recent howto to do that.


Please help :)  !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Authenticate as computer .....

King, Michael

> On Behalf Of Lorel hardy
> I've read in a previous post that it is only possible with an
> Active Directory (AD) server, and as you might well think, I don't
> want an AD server...

Actually, it hasn't been figured out yet; people are just proxying it
off to a machine that can do machine authentications right now.


Re: Authenticate as computer .....

Lorel hardy
King, Michael wrote:

> > On Behalf Of Lorel hardy
> > I've read in a previous post that it is only possible with an
> > Active Directory (AD) server, and as you might well think, I don't
> > want an AD server...
>
> Actually, it hasn't been figured out yet; people are just proxying it
> off to a machine that can do machine authentications right now.

Hmmm, big problem, isn't it? ....

Does somebody have a solution to get the same final effect with another kind of process?
I've read something about maybe a VLAN solution ....
Tomorrow I'll test with MAC authentication to see how it could help me.... but don't hesitate if you have an idea ... :)

Re: Authenticate as computer .....

Lorel hardy
Lorel hardy wrote:

> King, Michael wrote:
>
>>>On Behalf Of Lorel hardy
>>>I've read in a previous post that it is only possible with an
>>>Active Directory (AD) server, and as you might well think, I don't
>>>want an AD server...
>>
>>Actually, it hasn't been figured out yet; people are just proxying it
>>off to a machine that can do machine authentications right now.
>>
> Hmmm, big problem, isn't it? ....
>
> Does somebody have a solution to get the same final effect with another
> kind of process?
> I've read something about maybe a VLAN solution ....
> Tomorrow I'll test with MAC authentication to see how it could help
> me.... but don't hesitate if you have an idea ... :)

Maybe I've found a solution, but I don't know how to do it...
Would it run without an AD server if freeradius replied with an EAP-Accept when
a special string (like "domain/*") is sent in EAP-Access, without asking
any more? So could I make it efficient, and how?
What do you think about this idea ?

thx


Re: Authenticate as computer .....

Michael Griego
Lorel hardy wrote:

> Maybe I've found a solution, but I don't know how to do it...
> Would it run without an AD server if freeradius replied with an EAP-Accept
> when a special string (like "domain/*") is sent in EAP-Access, without
> asking any more? So could I make it efficient, and how?
> What do you think about this idea ?



It won't work.  PEAP's inner authentication (MSCHAPv2) relies on a
cryptographically correct success response from the server to the client
in order to complete.  Just sending an EAP-Success packet without having
the correct signature in the MSCHAPv2 response will cause any
correctly-written client to shut down the conversation and refuse to connect.

--Mike
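
Added example, not part of the original thread: the client-side check behind the reply above, in Python. It computes the MSCHAPv2 authenticator response defined in RFC 2759 and shows that a server without the account's password hash cannot produce a value the client accepts. The function names and the all-zero stand-in hash are assumptions made for this example; the sample values are the RFC 2759 section 9.2 test vector, and the MD4 steps are replaced by passing in the password-hash-hash directly.

```python
import hashlib
import hmac

# Magic constants from RFC 2759, section 8.7
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

def challenge_hash(peer_chal, auth_chal, username):
    """ChallengeHash(): first 8 octets of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_chal + auth_chal + username).digest()[:8]

def authenticator_response(pw_hash_hash, nt_response, peer_chal, auth_chal, username):
    """GenerateAuthenticatorResponse(), starting from PasswordHashHash =
    MD4(MD4(UTF-16LE password)); MD4 is left out because many hashlib builds lack it."""
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_chal, auth_chal, username)
    return "S=" + hashlib.sha1(digest + chal + MAGIC2).hexdigest().upper()

def client_accepts(received, pw_hash_hash, nt_response, peer_chal, auth_chal, username):
    """Client-side check: recompute the value and compare in constant time.
    A success with no authenticator response (None) is rejected outright."""
    if received is None:
        return False
    expected = authenticator_response(pw_hash_hash, nt_response, peer_chal, auth_chal, username)
    return hmac.compare_digest(received.encode(), expected.encode())

# Test vector from RFC 2759, section 9.2 (user "User", password "clientPass")
USER = b"User"
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHAL = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
PW_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")

def demo():
    session = (NT_RESPONSE, PEER_CHAL, AUTH_CHAL, USER)
    # Server that holds the account's hash: its response verifies.
    good = authenticator_response(PW_HASH_HASH, *session)
    # Server without the hash (constructed stand-in: 16 zero bytes): it cannot.
    forged = authenticator_response(bytes(16), *session)
    return {
        "real server": client_accepts(good, PW_HASH_HASH, *session),
        "server without hash": client_accepts(forged, PW_HASH_HASH, *session),
        "bare success": client_accepts(None, PW_HASH_HASH, *session),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```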
