Hello,

I'm connecting Windows clients to a LAN via Linksys access points and a 
Freeradius server.
I'm using EAP/TLS with certificates installed on the clients and in 
modules/mschap I defined:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI_DATA --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

So the Windows clients must have a certificate and login with the credentials 
of an Active Directory user member of the WIFI_DATA group.

This setup works fine. However, I'm seeing a major difference between a Windows 
XP pro SP2 client and a Windows Vista:
if the Vista client (laptop) reboots the OS then access to the LAN via WIFI 
requires the user to re-enter login username and password, as expected.
If the XP client reboots the OS then user credentials seem to be automatically 
sent to the Radius server again, as if they were stored on the system (no user 
interaction).

Can I change this behavior and require the user to re-send their login data 
each time the Windows session is closed or the OS reboots?
I realize this is a "client-only" issue and that freeradius can't possibly 
detect the difference between the 2 cases (or can it?) but I am concerned that 
if, for example, the XP laptop is stolen (or unauthoritatively lent) then all 
the "unwanted" user needs to do to access our LAN is boot the OS, unless the 
legitimate user's password has expired. The laptop is for a hospital's 
Emergency department so it's easy to imagine that it cannot be under 24-hour 
surveillance (but usually, the legitimate users switch the device off when done 
working or the laptop automatically turns off after an inactivity timeout).

Does anyone know:
why XP re-authenticates automatically and how to disable it?
why Vista doesn't behave the same way?
if installing SP3 on XP removes this feature?
if something can be done on freeradius to discriminate manual logins from 
auto-logins?
 
I'm running freeradius 2.0.5 on Linux.

Thank you,

Vieri




      