Windows Client Authentification bevore Domain logon


Windows Client Authentification bevore Domain logon

Jérémy Cluzel
Sorry, but I didn't find any references to this OID in the creation scripts in the "scripts" directory (Ca.all, CA.certs...).
The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in "xpextensions").
Is there any way to do this without patching openssl (as explained there: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?

Regards,

Jeremy

Alan DeKok <aland at ox.org> wrote:
>
>   That OID is added by the cert creation script in the "scripts"
> directory, but it should be made more prominent in eap.conf, too.
>
>   Alan DeKok.
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Windows Client Authentification bevore Domain logon

jgruwell
Check this out, Jeremy:

http://www.linuxjournal.com/article/8095

On Wed, 2005-08-31 at 14:22 +0200, Jérémy Cluzel wrote:

> Sorry, but I didn't find any references to this OID in the creation scripts in the "scripts" directory (Ca.all, CA.certs...).
> The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in "xpextensions").
> Is there any way to do this without patching openssl (as explained there: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?
>
> Regards,
>
> Jeremy


Re: Windows Client Authentification bevore Domain logon

Alan DeKok
In reply to this post by Jérémy Cluzel
Jérémy Cluzel <[hidden email]> wrote:
> Sorry, but I didn't find any references to this OID in the creation scripts in the "scripts" directory (Ca.all, CA.certs...).
> The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in "xpextensions").
> Is there any way to do this without patching openssl (as explained there: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?

  You can use that OID just like the other ones.

  Alan DeKok.

Re: Windows Client Authentification bevore Domain logon

Marc-Henri Boisis-delavaud

On 31 Aug 05 at 18:53, Alan DeKok wrote:

>   You can use that OID just like the other ones.
>
>   Alan DeKok.

Can you explain how we can activate 802.1x authentification before
logon on XP? And what are the prerequisites?
Marc




RE: Windows Client Authentification bevore Domain logon

Guy Davies
In reply to this post by Jérémy Cluzel
Hi Marc,

The only way to do this with the supplicant included with XP is to use machine auth. This must use the same method used by the individual (i.e. EAP-TLS or PEAP/MS-CHAPv2).

There is a checkbox that says something like "Use machine credentials if available". Check that and the machine will authenticate before the user. Once the user authenticates, the machine auth is killed and the user's auth is used. This requires that the machine has either a PEAP/MS-CHAPv2 username/password or an EAP-TLS certificate. These are stored in AD, so you have to back off your request to AD. If you want to do that for PEAP/MS-CHAPv2, you'll need NTLM access to the AD server; LDAP won't do because it can't get the cleartext password (unless it is replicated to a non-standard attribute).

A better method, in my experience, is to use a supplicant with a GINA module. That stops the Windows login process immediately after the user has entered the credentials, takes the user's credentials and uses them to log in to the network, then returns control to the Windows login process. This doesn't require any authentication of the machine.

Regards,

Guy

> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Marc-Henri Boisis-delavaud
> Sent: 01 September 2005 15:19
> To: FreeRadius users mailing list
> Subject: Re: Windows Client Authentification bevore Domain logon
>
> Can you explain how we can activate 802.1x authentification before
> logon on XP? And what are the prerequisites?
> Marc
>

This e-mail is private and may be confidential and is for the intended recipient only.  If misdirected, please notify us by telephone and confirm that it has been deleted from your system and any copies destroyed.  If you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it.  We use reasonable endeavours to virus scan all e-mails leaving the Company but no warranty is given that this e-mail and any attachments are virus free.  You should undertake your own virus checking.  The right to monitor e-mail communications through our network is reserved by us.




Re: Windows Client Authentification bevore Domain logon

Thor Spruyt
Please use correct terminology.

It's "AUTHENTICATION", not "authentification"!

To authenticate => authentication
To authorize => authorization
To account => accounting
To identify => identification

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [hidden email]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be


RE: Windows Client Authentification bevore Domain logon

Jérémy Cluzel
In reply to this post by Jérémy Cluzel
Hi Guy,

Do you know of working supplicants with a GINA module? Aegis? SecureW2?

Regards,

Jeremy

[hidden email] wrote:
> Date: Thu, 1 Sep 2005 17:10:14 +0100
> From: "Guy Davies" [hidden email]
> Subject: RE: Windows Client Authentification bevore Domain logon
> To: "FreeRadius users mailing list" [hidden email]
> Message-ID: [hidden email]
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Marc,
>
> The only way to do this with the supplicant included with XP is to use machine auth. This must use the same method used by the individual (i.e. EAP-TLS or PEAP/MS-CHAPv2).
>
> There is a checkbox that says something like "Use machine credentials if available". Check that and the machine will authenticate before the user. Once the user authenticates, the machine auth is killed and the user's auth is used. This requires that the machine has either a PEAP/MS-CHAPv2 username/password or an EAP-TLS certificate. These are stored in AD, so you have to back off your request to AD. If you want to do that for PEAP/MS-CHAPv2, you'll need NTLM access to the AD server; LDAP won't do because it can't get the cleartext password (unless it is replicated to a non-standard attribute).
>
> A better method, in my experience, is to use a supplicant with a GINA module. That stops the Windows login process immediately after the user has entered the credentials, takes the user's credentials and uses them to log in to the network, then returns control to the Windows login process. This doesn't require any authentication of the machine.
>
> Regards,
>
> Guy



RE: Windows Client Authentification bevore Domain logon

Guy Davies
In reply to this post by Jérémy Cluzel
Hi,
 
I use Funk Odyssey.  It works really well with EAP-TTLS/PAP.  We use an LDAP connection to our AD Global Catalogs to just query the validity of the user credentials and obtain the memberOf attributes.
 
The Odyssey GINA module seems pretty reliable.
 
Rgds,
 
Guy
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Jérémy Cluzel
> Sent: 02 September 2005 00:37
> To: [hidden email]
> Subject: RE: Windows Client Authentification bevore Domain logon
>
> Hi Guy,
>
> Do you know of working supplicants with a GINA module? Aegis? SecureW2?
>
> Regards,
>
> Jeremy




Re: Windows Client Authentification bevore Domain logon

bwalding
In reply to this post by Marc-Henri Boisis-delavaud
Things to look for with machine auth:
 * SP2 or at least KB826942 loaded
 * AuthMode key set to 2
 * certs + CA loaded into the machine store
 * certs with the correct attributes + the magic attribute I've mentioned before
 * make sure you select the correct CA in the "Validate server certificate" section
 * send a big bouquet of flowers to Microsoft for having an utterly unscriptable interface for wireless
 
If you've got multiple private certs loaded into the machine store then you might have issues with the selection process - as far as I can tell it chooses the certificate with the newest "Not Before" attribute (but that could be an artifact of some other selection criteria).

Also watch for timing issues - XP won't use certificates if the time is outside the validity period (i.e. your CA time is ahead of your workstation time).

Most of the tutorials cover most of this, but they almost never talk about untangling the knots from slight misconfiguration issues.

(Yes, I've dealt with almost every quirk there is to do with EAP-TLS; until tomorrow when we find some more)

Cheers,

Ben

On 9/2/05, Marc-Henri Boisis-delavaud <[hidden email]> wrote:

> Can you explain how we can activate 802.1x authentification before
> logon on XP? And what are the prerequisites?
> Marc
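As an added example (mine, not code from this thread or from FreeRADIUS), the parts of the discussion that can be exercised on a command line: an extensions file in the style of FreeRADIUS' "xpextensions" carrying the two EKU OIDs Jeremy lists (Alan's "just like the other ones" means a further OID goes on the same extendedKeyUsage line), a throwaway test CA and client certificate signed with it, and then two of the checks from Ben's list: that the EKU really ended up in the signed certificate, and that the certificate still verifies on a workstation clock that lags the CA. The section names, the CA extension section, subjects, hostname and the placeholder for an extra OID are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS. Builds a test CA and a
# client certificate from an xpextensions-style extensions file, then checks the
# EKU and the validity window against a (possibly skewed) workstation clock.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions file. Further OIDs go on the same extendedKeyUsage line, comma-separated;
# the commented line shows where, with a placeholder rather than a real OID.
cat > xpextensions <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
# extendedKeyUsage = 1.3.6.1.5.5.7.3.2, <ADDITIONAL-OID-PLACEHOLDER>

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

# Section for the throwaway CA only (assumed here, not part of the FreeRADIUS file).
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed test CA (assumed subject) and a client certificate it signs
# using the xpclient_ext section, the way the FreeRADIUS scripts would.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
    -extfile xpextensions -extensions ca_ext -out ca.pem >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
    -subj "/CN=workstation.example.test" >/dev/null 2>&1
openssl x509 -req -in host.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 \
    -extfile xpextensions -extensions xpclient_ext -out host.pem >/dev/null 2>&1

# Check 1: the signed certificate carries the client-authentication EKU.
has_client_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Check 2: the chain verifies at a clock offset by $2 seconds from now;
# a negative offset models a workstation whose clock lags the CA (Ben's timing issue).
valid_at_offset() {
    openssl verify -CAfile ca.pem -attime $(( $(date +%s) + $2 )) "$1" >/dev/null 2>&1
}

has_client_eku host.pem && echo "clientAuth EKU present in host.pem"
valid_at_offset host.pem 0 && echo "valid on an accurate clock"
valid_at_offset host.pem -86400 || echo "not yet valid on a clock one day behind the CA"
```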

