Best Authentication Method for Various Supplicant

Best Authentication Method for Various Supplicant

homyang cha
Hello
I am running freeradius-2.17 on a CentOS-5.5 box with mysql-5.0.77 as the backend and daloradius-0.9-8 as the web management. I have successfully configured and tested EAP-MD5, PEAP and PAP authentication using Windows 7 as the supplicant with wired 802.1x authentication (no certificates used) and a Huawei switch (Quidway S5600 series) as the NAS, and it seems to be working fine.

Now my issue is: in my network there are various kinds of OS running as supplicants. To name a few: Windows XP (SP2, SP3), Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have to configure the AAA and supplicant systems in such a way that all these systems are supported. Can someone help me with a suggestion, or does anyone have any idea/experience on this? What could be the best authentication method that I can use so that all these supplicants using different OSes are supported? Also I use wired connections as well as wireless connections in the network. Could anybody throw some light on this matter?

Thanks in Advance

--
homyang (aka puran)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Best Authentication Method for Various Supplicant

Alexander Clouter
homyang cha <[hidden email]> wrote:

>
> Now my issues are: in my networks there are various kinds of OS
> running for supplicants. To name a few are Windows XP (SP2, SP3),
> Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have
> to configure AAA applicants systems in such a way all this systems are
> supported. Can someone help me suggest or have any idea/experience on
> this. What could be the best authentication method that I can use so
> that all this supplicants using different OS are supported. Also I use
> wired connection as well as wireless connection in the network. Does
> anybody throw some light on this matter?
>
Here is a summary of my five years of experience being a network
analyst at a UK university... :)  Mac OS X and Linux are really trivial
and it is hard to write much about them, it is Microsoft that
unsurprisingly once again excel at causing us so much pain.

For Windows XP[1]/Vista/Win7 you have two options:
 * PEAP
 * TTLS - involves purchasing SecureW2[3]

PEAP might seem appealing as it is built into Windows, however by the
sounds of things all the workstations connecting are not part of your
Microsoft AD (like ours) and so you cannot push out a group policy
autoconfiguring everyone's equipment.  This means you (or rather your
helldesk minions) have to manually configure every workstation by hand
which can lead to corners being cut (skipping certificate validation)
and misconfiguration.

Until recently there was no way to avoid this nasty choice of either AD
importing or manual configuration.  Fortunately, one of my counterparts
working also in academentia put together a collection of scripts/tools
and called it SU1X[4] that lets you autoconfigure PEAP behind a single
EXE.

TTLS with SecureW2 is the other option and from day one lets you pre-seed
the configuration so that everything gets configured, plus the handy
popups and full customisation can be a nice touch if that sort of thing
floats your boat, or rather your boss's.  Of course, SecureW2 comes with
a price tag, we personally think a *very* good one when you think of the
money in hours saved in your helpdesk team costs.  Things get even
better when you wrap the lot up in an NSIS script like we have[5].

There is actually a technical reason that might force you to choose
between PEAP and TTLS which boils down to how your passwords were stored
in your backend database.  If you have an LDAP backend only (where the
plaintext password is not extractable) then TTLS/PAP is really your
*only* option.  If you have a Microsoft AD backend for your user
accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2).

Originally we only had an LDAP backend database, but then 'upgraded' to
using Novell's Universal Password so now we no longer have the TTLS
constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose
*not* to offer PEAP).

So, why pick one or the other?  Technical reasons only.  SecureW2 handles
certificate chaining a *lot* better than PEAP and due to its
commercial nature it's hard for the helpdesk to cut corners and *not*
use your official hand-crafted blessed installer as they cannot source
their own copy.  PEAP however will offer you Statement of Health;
speaking to the SecureW2 author though, he is keen to work on adding
support for this.  One other win for SecureW2 is you get GTC support
too, so you can do fancy things like use one-time passwords (the
changing key is generated by your mobile phone) which works nicely too;
well, it would work nicely if Alan accepted trivial patches to the GTC
FreeRADIUS module (along with the LDAP one I posted...) </rant>

Lucky for you SU1X is free to play with and you can also get a fully
enabled trial for free of SecureW2 (man, I must sound like a sales
droid).  Play with both and decide what you prefer.

As for the Mac OS X weenies I noticed as soon as I enabled
TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to
automatically configure themselves.  No idea what they are like when
confronted with PEAP but they would not autoconfigure TTLS/PAP :-/

The Linux users, well we are fine, you can see what we do destructions
wise on our support website[6].  One of our students is slowly getting
around to testing amendments I suggested to the Wicd template that
should improve things further; I myself am a Debian wpa_supplicant kinda
person.

As for your last question regarding simultaneous wired and wireless
access, look around the Internet and read up about 'routing metrics'.
In short, make your wifi link have a higher (lower priority) routing
metric; although this overlooks source based routing issues, that is
not a FreeRADIUS problem or an issue that should be discussed here.

If you have any more questions then do ask.

Cheers

[1] I strongly recommend you just say no to SP2, hell Microsoft will no
    longer support it so why should you.  However, if you insist on
    punishing yourself make sure you force an install of KB917021[2].
    Really you should make it a condition of getting onto the
    wifi/wired 802.1X network that the user has to update to the latest
    service pack.
[2] http://support.microsoft.com/kb/917021/
[3] http://www.securew2.com/
[4] http://www.ja.net/services/authentication-and-authorisation/janet-roaming/su1x.html
[5] http://stuff.digriz.org.uk/securew2-dev.zip
[6] http://support.docs.lis.soas.ac.uk/connect#linux

--
Alexander Clouter
.sigmonster says: Massachusetts has the best politicians money can buy.
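The password-storage constraint Alexander describes above (a hash-only LDAP backend can verify TTLS/PAP but not a challenge/response inner method, whereas a backend that can hand over the password can do both), as an added Python example that is not part of this thread or of FreeRADIUS. It uses plain CHAP (RFC 1994, MD5-based) as a stand-in for MS-CHAPv2, which differs in detail but shares the same dependence on the password itself; the {SSHA} entry and the password are constructed demo values.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = None) -> str:
    """Store a password the way a plain LDAP directory usually does:
    {SSHA}base64(sha1(password || salt) || salt). Only this salted digest is
    kept, so the cleartext cannot be extracted from the backend."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against an {SSHA} entry (salt is the tail)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Supplicant side of CHAP (RFC 1994): MD5(id || secret || challenge).
    MS-CHAPv2 differs in detail (NT hash, DES) but has the same shape: the
    proof is derived from the password itself, never from an SSHA digest."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def authenticate_inner(stored: str, inner: str, proof) -> bool:
    """Server-side check of a tunnelled inner method against what the backend
    holds. 'stored' is either cleartext (what an AD or Universal Password style
    backend can hand to the RADIUS server) or an '{SSHA}' hash (plain LDAP).
    For PAP the proof is the cleartext sent inside the TLS tunnel; for CHAP it
    is the tuple (ident, challenge, response)."""
    hashed_only = stored.startswith("{SSHA}")
    if inner == "PAP":
        if hashed_only:
            return verify_ssha(stored, proof)
        return hmac.compare_digest(stored.encode(), proof.encode())
    if inner == "CHAP":
        if hashed_only:
            # The point of the thread: there is nothing to recompute the response from.
            raise ValueError("challenge/response needs the password; an {SSHA} backend cannot verify it")
        ident, challenge, response = proof
        return hmac.compare_digest(chap_response(ident, stored, challenge), response)
    raise ValueError(f"unknown inner method {inner}")
```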


Re: Best Authentication Method for Various Supplicant

homyang cha
Hi Alex
Thank you for the help. I am now able to authenticate users from both Windows XP(2) and Windows 7 using the PEAP authentication type. But in Windows Vista I have a problem. Initially I am able to authenticate from Windows Vista, but after some time it disconnects itself. I have to disable the network to authenticate again and the whole process starts again (i.e. after initial authentication and network connection success, it disconnects). Can you shed some light on this?

Thank you in advance.

On Sat, Sep 4, 2010 at 2:42 AM, Alexander Clouter <[hidden email]> wrote:

--
homyang (aka puran)


Re: Best Authentication Method for Various Supplicant

Alexander Clouter
homyang cha <[hidden email]> wrote:
>
> Thank you for the help. I am now able to authenticate users from both
> windows xp(2) and windows 7 using PEAP authentication type. But in Windows
> Vista I have a problem. Initially I am able to authenticate from windows
> vista but after some time it disconnects itself. I have to disable the
> network to authenticate again and the whole process starts again (i.e after
> initial authentication and network connections success it disconnects ).
>
As a network guy I do not deal with problems on the desktop; it's one of
those few things that I am permitted not to accept fault for by default.
Also, bear in mind I did say "we do not use PEAP and never have done";
asking me to help you with a PEAP problem is unlikely to get you very
far.  :-/

My solution is to use TTLS (with SecureW2) as it makes XP, Vista and
Win7 all behave identically, and that's what I like.  The author has
done all the ball busting so I don't have to. :)

> Can you shed some light on this.
>
Debian provide a bunch of ISOs and network install options for their OS
over at their website... no doubt that will fix the workstation :)

Cheers

--
Alexander Clouter
.sigmonster says: I'm not a level-headed person...        -- Bruce Perens
