Marco's observations about XP's supplicant behavior are true. Microsoft made a rather poor implementation of 802.1x in Windows XP. By default, XP does not respond to a 1x challenge, or attempt a 1x logon until the user enters credentials into GINA. This is unfortunate, because the host may require network access prior to this point. For example, a host joined to an AD domain will need to reach the AD controller in order to authenticate the user, but Microsoft's 1x supplicant will not yet have attempted a 1x logon. Nor will Windows have responded to a 1x challenge from the network. The port will be in an unauthorized state, so Windows will be unable to authenticate the user to AD.


Cisco provides a solution for this problem, with the directive (dot1x guest-vlan 555). If an attached host is unresponsive to 1x challenges within a configurable timeout (dot1x timeout tx-period 15), the port will be placed into a state similar to authorized, but assigned to the configured guest vlan. This works fine for non-1x hosts, such as printers, but creates a headache on XP hosts, because of the host's DHCP client timeout, etc.

Windows XP also has a solution for this problem, which Marco was struggling with in this thread. The Network Connections -> Properties -> Authentication tab has an option "Authenticate as computer..." That option, along with a "Supplicant Mode" registry key tweak, will cause XP to behave more like the Supplicant PAE State-Machine described in the IEEE standard, though not wholly so. It appears that the "Authenticate as computer..." option is the only way to pre-authenticate the network port.

Pre-authenticate, in my environment, means to place the port into an authenticated state, but in a tightly limited vlan. Hosts can reach nothing from this vlan, except the AD controller. The "Authenticate as computer..." option accomplishes this very well.

The problem with the "Authenticate as computer..." option is that it requires integration with Active Directory. You cannot choose one auth type for "as computer..." and another for the normal user login. The "as computer..." option uses the NT hostname and secret within the PEAP/MSCHAP conversation. It would be difficult to make those AD hostnames/passwords available to freeradius, so freeradius must proxy these requests to a Microsoft Authentication Server.

That is exactly what I'm doing, and it is working well enough... however I'm not happy about this forced dependence upon a Microsoft service, which has already shown some odd behavior and signs of unreliability. It bothers me that the great and flexible freeradius must bow to IAS.

I would like to simply accept all of these requests, and assign them into the restricted vlan. I have no need to authenticate them against AD, or at all. My purpose is to have XP behave properly, not to authenticate some service account on each host. If only I could configure rlm_eap to always EAP-Accept these host/hostname.domainname requests, I could avoid this overly complex scenario. I haven't found configuration directives that would allow this. I cannot send an Access-Accept, because the NAS is expecting an EAP-Accept.

Does anyone know whether rlm_eap can be directed to immediately return success for an EAPOL-Start in an Access-Request packet?

Thanks,

Coates Carter
University of Richmond, Virginia
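The two pieces of the setup Coates describes above, routing "host/..." machine-account identities to the Windows RADIUS server and dropping those ports into a restricted VLAN, written out as an added example of FreeRADIUS 1.x configuration. This is not configuration from the post, the University of Richmond, or the FreeRADIUS project; the realm name "ad-ias", the IAS hostname and shared secret, VLAN 556 as the restricted VLAN, and the assumption that reply items set in `users` are merged with the proxied reply are all assumptions to verify in `radiusd -X` output. It does not answer the question of making rlm_eap return success without authenticating.

```conf
# --- proxy.conf (added example; hostname, port and secret are assumptions) ---
# Home server for machine-account (PEAP/MSCHAPv2) logons: the Microsoft IAS
# box that can verify the AD computer account password.
realm ad-ias {
        type        = auth
        authhost    = ias.example.edu:1812
        secret      = change-me-shared-secret
        # Identities look like host/pc01.example.edu, there is no @realm
        # to strip, so forward the User-Name unchanged.
        nostrip
}

# --- users (rlm_files) ---
# 1. XP "Authenticate as computer..." logons carry a User-Name of the form
#    host/hostname.domain. Send them to IAS rather than to local rlm_eap.
#    The Tunnel-* reply items tell a Catalyst to put the port in the
#    restricted (pre-authentication) VLAN; 556 is an assumed VLAN id.
#    ASSUMPTION: these reply items are kept when the proxied reply comes
#    back. Check with radiusd -X that the Access-Accept to the switch
#    actually contains them.
DEFAULT  User-Name =~ "^host/", Proxy-To-Realm := "ad-ias"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "556",
         Fall-Through = No

# 2. Anything else is a normal user logon, authenticated locally by
#    rlm_eap after the user has typed credentials into GINA. VLAN
#    assignment for users would go in the matching entries below (not shown).
DEFAULT  Auth-Type := EAP
         Fall-Through = Yes
```

The point of the `^host/` match is that it is the only reliable way to tell the pre-login machine logon apart from the user logon on the RADIUS side; the switch sees the same port and the same EAP method in both cases. Whether the restricted VLAN is assigned here or on the IAS remote access policy is a design choice, but assigning it on the FreeRADIUS side keeps the VLAN decision out of the Microsoft service that the post already distrusts.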

From freeradius-users@lists.freeradius.org  Mon Oct  4 09:37:15 2004
From: freeradius-users@lists.freeradius.org (M.Cerqui - PUBLISHERIA)
Date: Mon, 04 Oct 2004 10:37:15 +0200
Subject: Freeradius, Cisco Catalyst 2950, Windows Domain
Message-ID: <[EMAIL PROTECTED]>


-----Original Message-----

From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, 4 October 2004 17:52
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius, Cisco Catalyst 2950, Windows Domain

"M.Cerqui - PUBLISHERIA" <[EMAIL PROTECTED]> wrote:
> Are you sure with this?

  If configured correctly, yes.

> The catalyst and Freeradius don't even move a bit before a
> successful windows login if I only use this "use user information
> from windows login" option.

  So you've configured the AP && windows machine to NOT use FreeRADIUS
for authentication.

> Only when I activate "Authenticate as computer when information is
> available" the Freeradius Server "does something" before a
> successful login.

  Since you're not going to post the debug log to explain what "does
something" means, even after you were asked to post it, I really can't help
you.

  Alan DeKok.


-----Original Message-----

Hello

I've now been trying for more than a week to find a solution for my needs:

Equipment: Windows XP Client, Cisco Catalyst 2950, Freeradius Server
(Debian Linux) and Windows 2000 Domain.

Scenario:

1. Windows XP Client boots up.
2. Windows XP authenticates and brings the port to the
authorized state.
3. User logs in to the Windows Domain.


My Questions:

1. How do I have to configure the Windows XP Client? I
found out that the only setup that tries to authenticate before the
user logs in is PEAP with "Authenticate as computer when information is
available". Is that correct? Is there a possibility to send the user name
and password of the user before the domain login?


2. How do I configure the FreeRadius server? I tried it
with PEAP and host/myhostname.mydomain.com but I got an error (see
below). How do I have to specify the password for this?


3. What would be the best practice for this problem?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html