(SOLVED) XP3 EAP-TLS was Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-16 Thread john
On Thu, Jul 16, 2009 at 8:12 AM, Nicolas Boullis wrote:
> Hi,
>
> DISCLAIMER: I'm no Windows specialist.
>
> john wrote:
>>
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported. Do I need to make a registry change in
>> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
>
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
>  * You have to edit your registry to add a "AuthMode" dword key in
>   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>   with value 2.
>  * You have to load your certificate and private key in the computer's
>   personal store. I did that with mmc.exe. Note that loading the
>   certificate and private key in a user's personal store and then
>   moving them to the computer's store did not work for me.
>  * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>   Authentication" or Windows won't use it.
>  * The username Windows will use is the name in the certificate with
>   "host/" prepended.
>
> Note that things are quite different with Windows Vista.
>
> Hope this helps,
>
> --
> Nicolas Boullis
> Ecole Centrale Paris

Thanks for your very thorough answer Nicolas!

The solution you outline works perfectly for wired clients running
Windows XP SP2. However, more digging showed me that my problem was
specific to Windows XP/SP3.

Windows XP/SP3 doesn't use
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to store the value for the AuthMode parameter. Rather it uses an XML
profile which you can export and edit and then re-import. For future
reference for other folks this can be found here
http://support.microsoft.com/kb/929847

I note that this was mentioned in an earlier post to the list
http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00723.html
The author had an identical problem; however, he was trying to
troubleshoot the wireless interface.

Ivan or Alan, the information that Nicolas outlined, plus the caveat
for XP3 clients would be REALLY HELPFUL to have on the wiki. It
doesn't look like just anyone can edit it so would one of you be
willing to add something?

Thanks again to all for the help!

John

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
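The certificate side of Nicolas's checklist (quoted in the message above) is what the FreeRADIUS administrator controls, so here it is as an added example. This is not code from the thread or from FreeRADIUS: it uses plain openssl to issue a per-machine certificate with the "TLS Web Client Authentication" EKU that Windows insists on, bundles it as a PKCS#12 for import into the computer's personal store, checks the EKU before the file is shipped, and derives the "host/<CN>" identity the XP supplicant will present. The scratch CA, the hostname lab-pc01.example.org, the working directory and the PKCS#12 password "changeit" are assumptions for illustration only; in a real deployment you sign with the CA FreeRADIUS already trusts. The XP-side steps (AuthMode registry value on SP2, the XML profile on SP3, the mmc.exe import) are not scriptable from here and are left as the thread describes them.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: issue a
# per-machine EAP-TLS certificate that carries the EKU Windows requires,
# bundle it as PKCS#12 for the computer's personal store, and derive the
# "host/<CN>" identity the XP supplicant sends.  The scratch CA, the
# hostname and the PKCS#12 password are assumptions for illustration.
set -eu
umask 077                      # private keys are written below; keep them 0600

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA.  Assumption: in production you sign with the CA that
# FreeRADIUS already trusts (the ca_file in eap.conf).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a machine certificate for the FQDN given as $1.  The extension
# file carries extendedKeyUsage=clientAuth (OID 1.3.6.1.5.5.7.3.2); without
# it Windows will not offer the certificate for EAP-TLS.
make_machine_cert() {
    fqdn="$1"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$WORK/$fqdn.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$fqdn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$fqdn.ext" \
        -out "$WORK/$fqdn.pem" >/dev/null 2>&1
    # PKCS#12 = cert + key + CA chain, the file imported with mmc.exe into
    # Certificates (Local Computer) > Personal.  SHA1/3DES PBE is forced
    # because XP cannot read the AES/PBKDF2 bundles OpenSSL 3 emits by default.
    openssl pkcs12 -export -in "$WORK/$fqdn.pem" -inkey "$WORK/$fqdn.key" \
        -certfile "$WORK/ca.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit -out "$WORK/$fqdn.p12"
}

# Succeeds only if the certificate at $1 carries the client-auth EKU; run
# this before shipping a cert to a workstation.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -q 'TLS Web Client Authentication'
}

# Identity the XP supplicant sends as User-Name: "host/" + certificate CN.
# Assumes the subject is a bare CN, as built above.
eap_identity() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=[[:space:]]*CN=//p')
    printf 'host/%s\n' "$cn"
}

# Usage: one lab PC, then print what FreeRADIUS will see from it.
make_ca
make_machine_cert lab-pc01.example.org
has_client_auth_eku "$WORK/lab-pc01.example.org.pem" && echo "EKU ok"
echo "expected User-Name: $(eap_identity "$WORK/lab-pc01.example.org.pem")"
echo "import on the workstation: $WORK/lab-pc01.example.org.p12"
```

Two things to keep in mind on the server side. FreeRADIUS will see User-Name "host/lab-pc01.example.org" while the certificate CN is the bare FQDN, so any policy keyed on User-Name, and in particular the optional check_cert_cn setting in eap.conf if you enable it against %{User-Name}, has to allow for the prefix. And because the private key lives in the machine store, the certificate proves that the box is one you provisioned, not who is sitting at it: anyone with local administrator rights on that machine can use or export the key, which is John Dennis's "a certificate is a password" point from earlier in the thread.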


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-16 Thread Nik Alleyne

Hi Guys,
I think this is an excellent tutorial for what he is trying to achieve.
http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
I've used this along with assistance from Ivan and have gotten everything I
wanted to work successfully.
Nik



Quoting Nicolas Boullis :


> Hi,
>
> DISCLAIMER: I'm no Windows specialist.
>
> john wrote:
>>
>> I am having a hard time figuring out how to make this work. Where/how
>> does the cert get imported. Do I need to make a registry change in
>> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>> to make this work? I hope this is the part someone on the list will
>> have done before and be able to guide me or point me at a howto.
>
> I had a hard time with this as well, and finally succeeded, using
> Windows XP.
> There are many points that matter:
>  * You have to edit your registry to add a "AuthMode" dword key in
>    KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
>    with value 2.
>  * You have to load your certificate and private key in the computer's
>    personal store. I did that with mmc.exe. Note that loading the
>    certificate and private key in a user's personal store and then
>    moving them to the computer's store did not work for me.
>  * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
>    Authentication" or Windows won't use it.
>  * The username Windows will use is the name in the certificate with
>    "host/" prepended.
>
> Note that things are quite different with Windows Vista.
>
> Hope this helps,
>
> --
> Nicolas Boullis
> Ecole Centrale Paris
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Nik
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-16 Thread Nicolas Boullis
Hi,

DISCLAIMER: I'm no Windows specialist.

john wrote:
> 
> I am having a hard time figuring out how to make this work. Where/how
> does the cert get imported. Do I need to make a registry change in
> KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
> to make this work? I hope this is the part someone on the list will
> have done before and be able to guide me or point me at a howto.

I had a hard time with this as well, and finally succeeded, using
Windows XP.
There are many points that matter:
 * You have to edit your registry to add a "AuthMode" dword key in
   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
   with value 2.
 * You have to load your certificate and private key in the computer's
   personal store. I did that with mmc.exe. Note that loading the
   certificate and private key in a user's personal store and then
   moving them to the computer's store did not work for me.
 * Your certificate must have "X509v3 Extended Key Usage: TLS Web Client
   Authentication" or Windows won't use it.
 * The username Windows will use is the name in the certificate with
   "host/" prepended.

Note that things are quite different with Windows Vista.

Hope this helps,

-- 
Nicolas Boullis
Ecole Centrale Paris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread john
Hi John thanks for taking the time to reply,

>
> Ask the question "Who are you authenticating?" or "What has permission to
> use the network?" Am I trying to restrict access to a specific set of users
> or am I trying to restrict access to a specific set of machines? If it's the
> latter does that mean anyone who sits down at that machine has access?
>

In this instance I am trying to restrict the network so that only computers
which carry a credential are allowed to have port access. My users
credentials are managed via Active Directory and I am trying to avoid
issuing user certs if possible. More specifically we have a number of
computer labs where users are in the habit of bringing in computers
from home and plugging in, I'd like to prevent this. So what I am
hoping to find out is that I can create a cert with the FQDN of the
computer. Install it on the computer itself, and have the computer
negotiate via the NAS with free-radius for access. I hope this process
is completely transparent to the user.



> In a very very simplified view a certificate is nothing more than a
> password. Would you give the same password to every user? Would you put that
> password on every machine?

Sort of. I guess I see it as a sort of 2 factor auth scheme. The
computer has a credential which is processed by free-radius and the
user has a separate credential which is processed by Active Directory.


>

>
> 2) The per user certificate is stored in a central location where only the
> user can access it. Usually this requires OS support and another layer of
> authentication.

I am pretty sure that Windows XP can use a Computer Cert for dot1X
auth via EAP. I've seen references to it. I've even found a mention of
a registry hack that forces the computer to use machine auth for dot1X
in lieu of user certs, but I am not sure how to correctly implement it
when using free-radius, everything's written for IAS.

>
> If you want to do machine authentication then per machine certificates must
> be generated and distributed (which is where your question began). There is
> no easy secure way to do this for a large number of devices in the absence
> of sophisticated certificate management software, this is why certificate
> management software is a growth industry.

I am willing to do it by hand if the process seems reasonably
straight-forward. I've got about 200 machines and 1600 users, many
users use multiple machines. You can see why I'd rather tackle the
machines. :->
>
> I'm not a Windows guy, but my understanding is that Microsoft offers
> (expensive) solutions. In the Linux world you might consider DogTag
> (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same
> certificate management system used by the DoD (Dept of Defense) and other
> high profile organizations which Red Hat has generously made available as
> open source after its acquisition from Netscape.

Thanks for this resource.

> Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which
> allows users and computers in a Microsoft Windows domain to automatically
> enroll for certificates issued from Certificate System.
>
> Of course if you don't want to deal with the complexity of certificate based
> authentication you could just use passwords. Passwords are much less secure,
> but much simpler.

Yes but then we're back to the problem of a user just providing domain
credentials to gain port access. I can imagine a student downloading
secure-w2 or similar and providing domain credentials to get access
for their laptop.

Thanks again John. I appreciate your insights.

John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread John Dennis

On 07/15/2009 01:08 PM, john wrote:

So are the following correct?:

(1) I can create a single cert for a computer and distribute it to all
users who may use that computer


(2) I can create a cert for every user and distribute it to every
computer that a user logs into.

(3) I cannot create a generic "computer cert" that authenticates the
computer and opens the port?


Think long and hard about what you want authentication to accomplish 
from a security standpoint, then worry about the implementation details.


Ask the question "Who are you authenticating?" or "What has permission 
to use the network?" Am I trying to restrict access to a specific set of 
users or am I trying to restrict access to a specific set of machines? 
If it's the latter does that mean anyone who sits down at that machine 
has access?


In a very very simplified view a certificate is nothing more than a 
password. Would you give the same password to every user? Would you put 
that password on every machine?


What you're learning is that certificate management is complex and often 
requires additional certificate management support.


If you want users to be authenticated no matter what machine they are 
logging in from *and* you want to use certificates as opposed to 
passwords, you essentially have two choices.


1) The user is in physical possession of the certificate, he carries it 
from machine to machine. This is the smart card (i.e. token) solution. 
To protect against theft or loss of the token the user has to unlock the 
token using a password upon insertion of the token in the device.


2) The per user certificate is stored in a central location where only 
the user can access it. Usually this requires OS support and another 
layer of authentication.


If you want to do machine authentication then per machine certificates 
must be generated and distributed (which is where your question began). 
There is no easy secure way to do this for a large number of devices in 
the absence of sophisticated certificate management software, this is 
why certificate management software is a growth industry.


I'm not a Windows guy, but my understanding is that Microsoft offers 
(expensive) solutions. In the Linux world you might consider DogTag 
(http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same 
certificate management system used by the DoD (Dept of Defense) and 
other high profile organizations which Red Hat has generously made 
available as open source after its acquisition from Netscape.


Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which 
allows users and computers in a Microsoft Windows domain to 
automatically enroll for certificates issued from Certificate System.


Of course if you don't want to deal with the complexity of certificate 
based authentication you could just use passwords. Passwords are much 
less secure, but much simpler.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread john
>
>> (3) I cannot create a generic "computer cert" that authenticates the
>> computer and opens the port?
>
> Yes, you can. But as soon as some user logs onto that computer ...
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for the reply Ivan. I am fine with folks logging in and having
access from computers that have already been authenticated via a
computer certificate. If my users make it that far they have domain
credentials and are supposed to be there. What I am trying to prevent
is users from bringing their laptops from home and plugging them into
a spare port (or removing the cable from the back of a school
computer) in one of our computer labs.

I am pretty sure I can put a cert into the computer that will
authenticate the computer *before* a user even logs in. Once they
provide their domain credentials they should have access to all the
services we provide in the lab.

I am having a hard time figuring out how to make this work. Where/how
does the cert get imported. Do I need to make a registry change in
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to make this work? I hope this is the part someone on the list will
have done before and be able to guide me or point me at a howto.

Thanks!

John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread Ivan Kalik
> So are the following correct?:
>
> (1) I can create a single cert for a computer and distribute it to all
> users who may use that computer

You can give same user certificate to any user using the computer - you
can place it on the desktop with installation instructions. But don't you
hear a voice in your head: "what is the point of these certificates?".

> (2) I can create a cert for every user and distribute it to every
> computer that a user logs into.

Yes. In normal circumstances such user will have his certificate on the
smart card and computers will be equipped with readers. So, user certificate
is with the (mobile) user, not any possible computer he might use.

> (3) I cannot create a generic "computer cert" that authenticates the
> computer and opens the port?

Yes, you can. But as soon as some user logs onto that computer ...

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread john
On Wed, Jul 15, 2009 at 1:52 AM, Ivan Kalik wrote:
>> Can I create a client cert for a computer so that any user that logs
>> in may use it automatically under Windows XP? I have successfully
>> created a client.p12 with the FQDN of the workstation I am using,
>> installed it and been authenticated by Freeradius. However when I log
>> in to the computer under a different windows profile authentication
>> fails.
>
> Yes, that's how user certificates work.
>
>> How should I create this file and where do I place this cert so that
>> it's available for any user logging on?
>
> The whole idea of user certificates is for this not to be possible.

Thanks for the reply Ivan,

So are the following correct?:

(1) I can create a single cert for a computer and distribute it to all
users who may use that computer


(2) I can create a cert for every user and distribute it to every
computer that a user logs into.

(3) I cannot create a generic "computer cert" that authenticates the
computer and opens the port?

Thanks!

John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread Ivan Kalik
> Can I create a client cert for a computer so that any user that logs
> in may use it automatically under Windows XP? I have successfully
> created a client.p12 with the FQDN of the workstation I am using,
> installed it and been authenticated by Freeradius. However when I log
> in to the computer under a different windows profile authentication
> fails.

Yes, that's how user certificates work.

> How should I create this file and where do I place this cert so that
> it's available for any user logging on?

The whole idea of user certificates is for this not to be possible.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-14 Thread john
Hi all,

I can't find this information anywhere. I have looked for days.

Can I create a client cert for a computer so that any user that logs
in may use it automatically under Windows XP? I have successfully
created a client.p12 with the FQDN of the workstation I am using,
installed it and been authenticated by Freeradius. However when I log
in to the computer under a different windows profile authentication
fails.

How should I create this file and where do I place this cert so that
it's available for any user logging on?

Please help me figure this out!

Thanks!

John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html