(SOLVED) XP3 EAP-TLS was Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
On Thu, Jul 16, 2009 at 8:12 AM, Nicolas Boullis wrote:
> Hi,
>
> DISCLAIMER: I'm no Windows specialist.
>
> john wrote:
>>
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported. Do I need to make a registry change in
>> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
>
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
> * You have to edit your registry to add a "AuthMode" dword key in
>   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>   with value 2.
> * You have to load your certificate and private key in the computer's
>   personal store. I did that with mmc.exe. Note that loading the
>   certificate and private key in a user's personal store and then
>   moving them to the computer's store did not work for me.
> * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>   Authentication" or Windows won't use it.
> * The username Windows will use is the name in the certificate with
>   "host/" prepended.
>
> Note that things are quite different with Windows Vista.
>
> Hope this helps,
>
> --
> Nicolas Boullis
> Ecole Centrale Paris

Thanks for your very thorough answer Nicolas! The solution you outline works perfectly for wired clients running Windows XP SP2. However, more digging showed me that my problem was specific to Windows XP/SP3. Windows XP/SP3 doesn't use KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global to store the value for the AuthMode parameter. Rather it uses an XML profile which you can export and edit and then re-import.

For future reference for other folks this can be found here: http://support.microsoft.com/kb/929847

I note that this was mentioned in an earlier post to the list: http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00723.html
The author then had an identical problem, however he was trying to troubleshoot the wireless interface.

Ivan or Alan, the information that Nicolas outlined, plus the caveat for XP3 clients would be REALLY HELPFUL to have on the wiki. It doesn't look like just anyone can edit it so would one of you be willing to add something?

Thanks again to all for the help!

John
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
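The certificate-side checklist from Nicolas's reply, as an added example that is not part of the thread and not FreeRADIUS project code: a POSIX shell script that issues a machine certificate whose CN is the workstation FQDN and which carries the "TLS Web Client Authentication" extended key usage, checks that the EKU is really present before anything is exported, derives the "host/<CN>" identity that FreeRADIUS will see as User-Name, and packages the key and certificate as a PKCS#12 file for import into the Computer account's Personal store. The throwaway CA, the hostname lab-pc01.example.edu and the password "changeit" are constructed placeholders. The Windows-side steps (reg add for XP SP2, netsh lan profile export/import and the OneX <authMode> element for XP SP3) appear only as comments and come from my own knowledge of those tools and KB 929847, not from the thread; run them on the XP host, not here. Requires openssl on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Builds and verifies a
# machine certificate for Windows XP EAP-TLS machine authentication.
# Assumptions: openssl on PATH; CA, FQDN and password are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="${FQDN:-lab-pc01.example.edu}"   # constructed workstation FQDN

# Throwaway CA for the example; in production sign with your existing CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Machine certificate: CN = FQDN, plus the extension Windows insists on
# (extendedKeyUsage = clientAuth, shown by openssl as
# "TLS Web Client Authentication").
make_machine_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
        -keyout "$WORKDIR/$FQDN.key" -out "$WORKDIR/$FQDN.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\nsubjectAltName = DNS:%s\n' "$FQDN" \
        > "$WORKDIR/ext.cnf"
    openssl x509 -req -days 30 -in "$WORKDIR/$FQDN.csr" \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/ext.cnf" -out "$WORKDIR/$FQDN.pem" 2>/dev/null
}

# Returns 0 only when the certificate carries the client-auth EKU; a
# certificate without it is silently ignored by XP, so reject it up front.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Identity XP sends during machine auth: "host/" + the certificate CN.
# This is the User-Name to expect in the FreeRADIUS log for this host.
expected_user_name() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//; s/^CN=//')
    printf 'host/%s\n' "$cn"
}

# PKCS#12 bundle for import into the Computer account's Personal store.
# SHA1/3DES PBE is chosen because XP cannot read the AES-based defaults
# that OpenSSL 3 would otherwise produce.
export_p12() {
    openssl pkcs12 -export -inkey "$WORKDIR/$FQDN.key" -in "$WORKDIR/$FQDN.pem" \
        -certfile "$WORKDIR/ca.pem" -name "$FQDN" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit -out "$WORKDIR/$FQDN.p12"
}

main() {
    make_ca
    make_machine_cert
    if cert_has_client_auth "$WORKDIR/$FQDN.pem"; then
        echo "OK: clientAuth EKU present; RADIUS should log User-Name $(expected_user_name "$WORKDIR/$FQDN.pem")"
        export_p12
        echo "Bundle written: $WORKDIR/$FQDN.p12"
    else
        echo "REJECT: no TLS Web Client Authentication EKU; XP will not use this cert" >&2
        exit 1
    fi
}
main "$@"

# --- On the XP host (comments only; from my knowledge of the tools) ---
# Import the .p12 with mmc.exe: Certificates snap-in -> Computer account
# -> Personal, so the key lands in the machine store, not a user's.
# XP SP2: force machine authentication via the registry value:
#   reg add HKLM\Software\Microsoft\EAPOL\Parameters\General\Global /v AuthMode /t REG_DWORD /d 2
# XP SP3 (KB 929847): the setting lives in the wired profile XML instead:
#   netsh lan export profile folder=C:\prof interface="Local Area Connection"
#   set <authMode>machine</authMode> inside <OneX> in the exported file, then
#   netsh lan add profile filename="C:\prof\Local Area Connection.xml" interface="Local Area Connection"
```

The EKU check is the one worth keeping in any issuance pipeline: a certificate that is otherwise valid but lacks clientAuth produces no error on the client, only a silent refusal to authenticate, which is exactly the failure mode that is hardest to diagnose from the RADIUS side.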
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
Hi Guys,

I think this is an excellent tutorial for what he is trying to achieve.
http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5

I've used this along with assistance from Ivan and have gotten everything I wanted to work successfully.

Nik

Quoting Nicolas Boullis:
> Hi,
>
> DISCLAIMER: I'm no Windows specialist.
>
> john wrote:
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported. Do I need to make a registry change in
>> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
>
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
> * You have to edit your registry to add a "AuthMode" dword key in
>   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>   with value 2.
> * You have to load your certificate and private key in the computer's
>   personal store. I did that with mmc.exe. Note that loading the
>   certificate and private key in a user's personal store and then
>   moving them to the computer's store did not work for me.
> * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>   Authentication" or Windows won't use it.
> * The username Windows will use is the name in the certificate with
>   "host/" prepended.
>
> Note that things are quite different with Windows Vista.
>
> Hope this helps,
>
> --
> Nicolas Boullis
> Ecole Centrale Paris

Nik
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
Hi,

DISCLAIMER: I'm no Windows specialist.

john wrote:
>
> I am having a hard time figuring out how to make this work. Where/how
> does the cert get imported. Do I need to make a registry change in
> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
> to make this work? I hope this is the part someone on the list will
> have done before and be able to guide me or point me at a howto.

I had a hard time with this as well, and finally succeeded, using Windows XP.
There are many points that matter:
* You have to edit your registry to add a "AuthMode" dword key in
  KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
  with value 2.
* You have to load your certificate and private key in the computer's
  personal store. I did that with mmc.exe. Note that loading the
  certificate and private key in a user's personal store and then
  moving them to the computer's store did not work for me.
* Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
  Authentication" or Windows won't use it.
* The username Windows will use is the name in the certificate with
  "host/" prepended.

Note that things are quite different with Windows Vista.

Hope this helps,

--
Nicolas Boullis
Ecole Centrale Paris
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
Hi John, thanks for taking the time to reply,

>
> Ask the question "Who are you authenticating?" or "What has permission to
> use the network?" Am I trying to restrict access to a specific set of users
> or am I trying to restrict access to a specific set of machines? If it's the
> latter does that mean anyone who sits down at that machine has access?
>

In this instance I am trying to the network so that only computers which carry a credential are allowed to have port access. My users' credentials are managed via Active Directory and I am trying to avoid issuing user certs if possible. More specifically we have a number of computer labs where users are in the habit of bringing in computers from home and plugging in, I'd like to prevent this.

So what I am hoping to find out is that I can create a cert with the FQDN of the computer, install it on the computer itself, and have the computer negotiate via the NAS with free-radius for access. I hope this process is completely transparent to the user.

> In a very very simplified view a certificate is nothing more than a
> password. Would you give the same password to every user? Would you put that
> password on every machine?

Sort of. I guess I see it as a sort of 2 factor auth scheme. The computer has a credential which is processed by free-radius and the user has a separate credential which is processed by Active Directory.

>
>
> 2) The per user certificate is stored in a central location where only the
> user can access it. Usually this requires OS support and another layer of
> authentication.

I am pretty sure that Windows XP can use a Computer Cert for dot1X auth via EAP. I've seen references to it. I've even found a mention of a registry hack that forces the computer to use machine auth for dot1X in lieu of user certs, but I am not sure how to correctly implement it when using free-radius, everything's written for IAS.

>
> If you want to do machine authentication then per machine certificates must
> be generated and distributed (which is where your question began). There is
> no easy secure way to do this for a large number of devices in the absence
> of sophisticated certificate management software, this is why certificate
> management software is a growth industry.

I am willing to do it by hand if the process seems reasonably straight-forward. I've got about 200 machines and 1600 users, many users use multiple machines. You can see why I'd rather tackle the machines. :->

>
> I'm not a Windows guy, but my understanding is that Microsoft offers
> (expensive) solutions. In the Linux world you might consider DogTag
> (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same
> certificate management system used by the DoD (Dept of Defense) and other
> high profile organizations which Red Hat has generously made available as
> open source after its acquisition from Netscape.

Thanks for this resource.

> Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which
> allows users and computers in a Microsoft Windows domain to automatically
> enroll for certificates issued from Certificate System.
>
> Of course if you don't want to deal with the complexity of certificate based
> authentication you could just use passwords. Passwords are much less secure,
> but much simpler.

Yes but then we're back to the problem of a user just providing domain credentials to gain port access. I can imagine a student downloading secure-w2 or similar and providing domain credentials to get access for their laptop.

Thanks again John. I appreciate your insights.

John
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
On 07/15/2009 01:08 PM, john wrote:
> So are the following correct?:
>
> (1) I can create a single cert for a computer and distribute it to all
> users who may use that computer
>
> (2) I can create a cert for every user and distribute it to every
> computer that a user logs into.
>
> (3) I cannot create a generic "computer cert" that authenticates the
> computer and opens the port?

Think long and hard about what you want authentication to accomplish from a security standpoint, then worry about the implementation details.

Ask the question "Who are you authenticating?" or "What has permission to use the network?" Am I trying to restrict access to a specific set of users or am I trying to restrict access to a specific set of machines? If it's the latter does that mean anyone who sits down at that machine has access?

In a very very simplified view a certificate is nothing more than a password. Would you give the same password to every user? Would you put that password on every machine?

What you're learning is that certificate management is complex and often requires additional certificate management support.

If you want users to be authenticated no matter what machine they are logging in from *and* you want to use certificates as opposed to passwords, you essentially have two choices.

1) The user is in physical possession of the certificate, he carries it from machine to machine. This is the smart card (i.e. token) solution. To protect against theft or loss of the token the user has to unlock the token using a password upon insertion of the token in the device.

2) The per user certificate is stored in a central location where only the user can access it. Usually this requires OS support and another layer of authentication.

If you want to do machine authentication then per machine certificates must be generated and distributed (which is where your question began). There is no easy secure way to do this for a large number of devices in the absence of sophisticated certificate management software, this is why certificate management software is a growth industry.

I'm not a Windows guy, but my understanding is that Microsoft offers (expensive) solutions. In the Linux world you might consider DogTag (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same certificate management system used by the DoD (Dept of Defense) and other high profile organizations which Red Hat has generously made available as open source after its acquisition from Netscape. Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which allows users and computers in a Microsoft Windows domain to automatically enroll for certificates issued from Certificate System.

Of course if you don't want to deal with the complexity of certificate based authentication you could just use passwords. Passwords are much less secure, but much simpler.

--
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
>
>> (3) I cannot create a generic "computer cert" that authenticates the
>> computer and opens the port?
>
> Yes, you can. But as soon as some user logs onto that computer ...
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for the reply Ivan. I am fine with folks logging in and having access from computers that have already been authenticated via a computer certificate. If my users make it that far they have domain credentials and are supposed to be there. What I am trying to prevent is users from bringing their laptops from home and plugging them into a spare port (or removing the cable from the back of a school computer) in one of our computer labs.

I am pretty sure I can put a cert into the computer that will authenticate the computer *before* a user even logs in. Once they provide their domain credentials they should have access to all the services we provide in the lab.

I am having a hard time figuring out how to make this work. Where/how does the cert get imported. Do I need to make a registry change in KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global to make this work? I hope this is the part someone on the list will have done before and be able to guide me or point me at a howto.

Thanks!

John
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
> So are the following correct?:
>
> (1) I can create a single cert for a computer and distribute it to all
> users who may use that computer

You can give the same user certificate to any user using the computer - you can place it on the desktop with installation instructions. But don't you hear a voice in your head: "what is the point of these certificates?".

> (2) I can create a cert for every user and distribute it to every
> computer that a user logs into.

Yes. In normal circumstances such a user will have his certificate on the smart card and computers will be equipped with readers. So, the user certificate is with the (mobile) user, not any possible computer he might use.

> (3) I cannot create a generic "computer cert" that authenticates the
> computer and opens the port?

Yes, you can. But as soon as some user logs onto that computer ...

Ivan Kalik
Kalik Informatika ISP
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
On Wed, Jul 15, 2009 at 1:52 AM, Ivan Kalik wrote:
>> Can I create a client cert for a computer so that any user that logs
>> in may use it automatically under Windows XP? I have successfully
>> created a client.p12 with the FQDN of the workstation I am using,
>> installed it and been authenticated by Freeradius. However when I log
>> in to the computer under a different windows profile authentication
>> fails.
>
> Yes, that's how user certificates work.
>
>> How should I create this file and where do I place this cert so that
>> it's available for any user logging on?
>
> The whole idea of user certificates is for this not to be possible.

Thanks for the reply Ivan,

So are the following correct?:

(1) I can create a single cert for a computer and distribute it to all users who may use that computer

(2) I can create a cert for every user and distribute it to every computer that a user logs into.

(3) I cannot create a generic "computer cert" that authenticates the computer and opens the port?

Thanks!

John
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
> Can I create a client cert for a computer so that any user that logs
> in may use it automatically under Windows XP? I have successfully
> created a client.p12 with the FQDN of the workstation I am using,
> installed it and been authenticated by Freeradius. However when I log
> in to the computer under a different windows profile authentication
> fails.

Yes, that's how user certificates work.

> How should I create this file and where do I place this cert so that
> it's available for any user logging on?

The whole idea of user certificates is for this not to be possible.

Ivan Kalik
Kalik Informatika ISP
HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
Hi all,

I can't find this information anywhere. I have looked for days.

Can I create a client cert for a computer so that any user that logs in may use it automatically under Windows XP? I have successfully created a client.p12 with the FQDN of the workstation I am using, installed it and been authenticated by Freeradius. However when I log in to the computer under a different windows profile authentication fails.

How should I create this file and where do I place this cert so that it's available for any user logging on?

Please help me figure this out!

Thanks!

John