Re: 802.1x and authenticating machine account
Has anyone figured a way to authenticate the computer account in Active Directory? Other than pGina. I don't have the option of changing the client OS.

radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=host/boy-it-tel-2528.campus.bridgew.edu --challenge=9e47edd1e773dd4c --nt-response=bc5c030f92963cf7941382091e672eca63f09945fa1f511c'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=host/boy-it-tel-2528.campus.bridgew.edu --challenge=9e47edd1e773dd4c --nt-response=bc5c030f92963cf7941382091e672eca63f09945fa1f511c
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x and authenticating machine account
Currently, there is no way to fully do this inside of FreeRADIUS. This is the reason we set up an IAS server as a home server for machine authentications. We proxy *only* machine authentications to an IAS server (member of the domain, of course). User authentications, however, stay inside of FreeRADIUS.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

King, Michael wrote:
> Has anyone figured a way to authenticate the computer account in Active Directory? Other than pGina. I don't have the option of changing the client OS.
RE: 802.1x and authenticating machine account
Could you share your proxy config? I have a radius server (Funk Steel Belted Radius) that can do machine authentications.

Thanks.
Mike

On Thursday, April 28, 2005 3:13 PM, Michael Griego wrote:
> Currently, there is no way to fully do this inside of FreeRADIUS. This is the reason we set up an IAS server as a home server for machine authentications. We proxy *only* machine authentications to an IAS server (member of the domain, of course). User authentications, however, stay inside of FreeRADIUS.
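A minimal version of the split Mike Griego describes above, written here as an added example rather than his actual configuration, in the FreeRADIUS 1.x syntax that was current when this thread was written. The realm name "machines", the host name ias.example.edu and the shared secret are placeholders. The routing key is the User-Name prefix: the Windows supplicant presents the computer account as host/<fqdn> (the ntlm_auth line in the first message shows it), so a regular-expression match on that prefix sets Proxy-To-Realm for those requests only, and every other identity falls through to local authentication.

```text
# raddb/proxy.conf  (FreeRADIUS 1.x; added example, hypothetical names)
# The home server must be a domain member, as Mike notes.
realm machines {
	type       = radius
	authhost   = ias.example.edu:1812
	accthost   = LOCAL          # accounting stays on this server
	secret     = CHANGE-ME-same-secret-as-configured-on-IAS
}

# raddb/users
# Only identities of the form host/<fqdn> match and are sent to the
# "machines" realm. Anything else does not match this entry, falls
# through, and is authenticated locally (EAP/PEAP with ntlm_auth).
DEFAULT	User-Name =~ "^host/", Proxy-To-Realm := "machines"
```

Two things to check before relying on it. An EAP conversation cannot change servers part-way through, so the decision has to be made on the outer EAP-Identity; this assumes the supplicant puts the host/ name there, which the Windows XP supplicant does. And the users entry is evaluated for every request, so keep the regex anchored with ^ so that a user who happens to have "host/" somewhere in a username is not proxied. In FreeRADIUS 2 and later the realm block is split into home_server, home_server_pool and realm sections, but the Proxy-To-Realm trigger in the users file is the same.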
Re: 802.1x and authenticating machine account
Michael Griego <[EMAIL PROTECTED]> wrote:
> Currently, there is no way to fully do this inside of FreeRADIUS.

What's so special about machine authentication?

> This is the reason we set up an IAS server as a home server for machine authentications.

I'm sad to hear that.

> We proxy *only* machine authentications to an IAS server (member of the domain, of course). User authentications, however, stay inside of FreeRADIUS.

Let's see what we can do to make IAS unnecessary.

Alan DeKok.
RE: 802.1x and authenticating machine account
Alan DeKok wrote:
> What's so special about machine authentication?

Short version. (Forgive my use of nomenclature.)

When you're sitting at a logon prompt at Windows (hit CTRL-ALT-DELETE), it (the client machine) has no user credentials to perform an 802.1x session. Hence, it has no network access to talk to a domain controller to verify the given credentials to allow access to the machine. Classic chicken-and-egg argument.

Using computer accounts, the client computer authenticates using its Active Directory computer account (usually given as host/ComputerName). It now has network access. When a client attempts a logon, it can reach the domain server to perform the authentication.

When the user desktop comes up, Windows XP drops the computer account credentials and performs a new 802.1x session using the client's credentials.

It allows a person to log on to a Windows 2000/XP laptop without having to depend on having a cached logon. (Cached logon = you logged on successfully to the computer before, so the client machine allows it now, because it can not communicate with the domain controller.)

I think that covers it.

Mike
Re: 802.1x and authenticating machine account
Alan DeKok wrote:
> What's so special about machine authentication?

I spent days and days trying to get this working. It won't happen without, at the very least, cooperation from the Samba group. Here's what I've been able to figure out so far (before I gave up as other things needed my attention).

Windows domain controllers refuse to disclose the session key for workstation/server accounts. For user accounts, the NT key is provided. For machine accounts, though, you can't properly build an MSCHAPv2 response since you have no way of getting the NT key. I have been unable to find ANY API to handle this. I was, in fact, very interested and curious when Funk added that feature to their RADIUS implementation (which was fairly recently, IIRC).

I hacked and hacked to try to get it working under FreeRADIUS. I had to rewrite portions of ntlm_auth to get it to return a success (instead of a LOGON_OK_WORKSTATION_TRUST_ACCOUNT, I think it was), and some other things, like providing a fake NT key of all 0s. With all of this, I *was* able to get the domain to say "Yup, that was a correct password", but I never was able to get FreeRADIUS to build a proper MSCHAPv2 response since it didn't have the final bit (NT key) necessary to do so. It was quite frustrating.

> I'm sad to hear that.

I was sad to have to do it. :)

> Let's see what we can do to make IAS unnecessary.

I'd love to, but it will very definitely be an uphill battle.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
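The gap Mike describes is visible in the MS-CHAPv2 arithmetic itself. The Go program below is an added example, not code from this list, from FreeRADIUS or from Samba: it implements the RFC 2759 primitives, with the RFC's own section 9.2 test vectors standing in for a captured exchange. Checking the NT-Response needs only the stored NT hash, which is the check the domain controller performs and answers with success or failure. Building the authenticator response carried in the MS-CHAPv2 Success packet additionally needs MD4(NT hash), the "NT key" that rlm_mschap reads from the NT_KEY line printed by ntlm_auth --request-nt-key. Given a success verdict but no key, the RADIUS server can only guess, and the all-zero guess Mike tried produces a value the supplicant will reject. MD4 is written out inline because it is not in Go's standard library; the DES key expansion and the two magic strings are those of RFC 2759.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is a self-contained MD4 (RFC 1320), the hash behind NT hashes; it keeps the example in the standard library.
func md4(data []byte) []byte {
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	x3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	msg := append(append([]byte{}, data...), 0x80) // pad: 0x80, zeros, then the 64-bit little-endian bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var n [8]byte
	binary.LittleEndian.PutUint64(n[:], uint64(len(data))*8)
	msg = append(msg, n[:]...)
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		a, b, c, d := h[0], h[1], h[2], h[3]
		for i := 0; i < 16; i++ { // round 1, F
			a, b, c, d = d, rotl(a+((b&c)|(^b&d))+x[i], s1[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2, G
			a, b, c, d = d, rotl(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3, H
			a, b, c, d = d, rotl(a+(b^c^d)+x[x3[i]]+0x6ed9eba1, s3[i%4]), b, c
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	out := make([]byte, 16)
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is RFC 2759 NtPasswordHash: MD4 over the UTF-16LE password.
func ntPasswordHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// challengeHash is RFC 2759 ChallengeHash: SHA1(peer || auth || user)[:8].
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// desKey spreads 7 key bytes over the 8-byte form crypto/des takes; the low bit of each byte is DES parity, which the cipher ignores.
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// challengeResponse is RFC 2759 ChallengeResponse: the 8-byte challenge DES-encrypted under each
// 7-byte third of the zero-padded NT hash. Run with the stored hash, it is the DC's own check.
func challengeResponse(challenge, ntHash []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // key is always 8 bytes, so no error
		block.Encrypt(out[8*i:], challenge)
	}
	return out
}

// authenticatorResponse is RFC 2759 GenerateAuthenticatorResponse, the "S=..." string in the
// Success packet. Its secret input is MD4(NT hash), the NT key; the DC's yes/no alone cannot produce it.
func authenticatorResponse(ntKey, resp, peer, auth []byte, user string) string {
	d := sha1.Sum(append(append(append([]byte{}, ntKey...), resp...), "Magic server to client signing constant"...))
	d2 := sha1.Sum(append(append(d[:], challengeHash(peer, auth, user)...), "Pad to make it do more than one iteration"...))
	return fmt.Sprintf("S=%X", d2[:])
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 section 9.2 vectors throughout
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := challengeResponse(challengeHash(peer, auth, "User"), ntPasswordHash("clientPass")) // supplicant
	stored, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")                          // hash the DC holds
	fmt.Println("DC accepts:", string(challengeResponse(challengeHash(peer, auth, "User"), stored)) == string(resp))
	fmt.Println("with NT key:", authenticatorResponse(md4(stored), resp, peer, auth, "User"))
	fmt.Println("zero NT key:", authenticatorResponse(make([]byte, 16), resp, peer, auth, "User"))
}
```

The first line of output is the part the hacked ntlm_auth could deliver for a machine account: the DC has the hash, so it can say yes. The second line, S=407A5589115FD0D6209F510FE9C04566932CDA56 for these vectors, is what the RADIUS server must put in the Success packet, and it is computable only with the NT key that the DC withholds for workstation trust accounts; the third line shows the all-zero substitute does not match. The same key is also the input for the MPPE send/receive keys, so a proxy that does get it (IAS, which is itself a domain member) is doing real work that a yes/no API cannot replace.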
RE: 802.1x and authenticating machine account
Another way to achieve this is to use an 802.1x client with a GINA module. Immediately after you enter your credentials in the Windows login screen, the GINA module takes control and pauses the Windows login process. It uses the user's Windows credentials to connect the user to the network and, once the connection is complete, returns control to the Windows login process. I use this method very successfully at home and at work. It totally removes the need for any credentials associated with the machine. I strongly recommend it.

The downside: you can't do it with the default MS 802.1x supplicant. :-(

Rgds,
Guy

On 28 April 2005 20:48, King, Michael wrote:
> Alan DeKok wrote:
> > What's so special about machine authentication?
>
> Short version. (Forgive my use of nomenclature.) When you're sitting at a logon prompt at Windows (hit CTRL-ALT-DELETE), it (the client machine) has no user credentials to perform an 802.1x session. Hence, it has no network access to talk to a domain controller to verify the given credentials to allow access to the machine. Classic chicken-and-egg argument.
Re: 802.1x and authenticating machine account
Guy Davies wrote:
> The downside: you can't do it with the default MS 802.1x supplicant. :-(

Exactly. In our environment, it's very important that we not have to install additional software on client machines. This rules out a GINA plugin or different supplicant.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
802.1x and authenticating machine account
I have been using 802.1x with PEAP/Windows XP/AD for a while. We now have some walkup stations in place that are giving me trouble. Since the machine does not have cached credentials of the user logging in, it cannot get past the login screen to start the EAP auth and activate the port on my switch.

I enabled the checkbox to use the machine credentials, so now I see the request come in (host/machine.mydomain.corp.com). Is there a way I can auth the machine? Could I do this via the users file? Maybe use the realm file to modify the request to auth the machine against AD properly?

Mark Capelle
Re: 802.1x and authenticating machine account
Take a look at pGina.

josh.

--On Tuesday, April 12, 2005 09:14:31 -0500 [EMAIL PROTECTED] wrote:
> I enabled the checkbox to use the machine credentials, so now I see the request come in (host/machine.mydomain.corp.com). Is there a way I can auth the machine? Could I do this via the users file? Maybe use the realm file to modify the request to auth the machine against AD properly?
>
> Mark Capelle

--
---
Josh Howlett, Networking
Digital Communications, Information Systems
Computing, University of Bristol, U.K.
'phone: 0117 928 7850
email: [EMAIL PROTECTED]