Re: Radius-based windows authentication

2008-04-29 Thread Phil Mayers

Julien MIOTTE wrote:

  1. Using the windows native supplicant and machine account
authentication. Basically the process is this:
 * machine powers on - no-one logged in
 * machine uses its own domain account to login host/$machinename
 * user presses ctrl+alt+del
 * machine validates credentials to the domain controller, over the
current network connection
 * machine downloads the users profile
 * once the profile is downloaded, the machine does an EAP-Logoff and
then re-authenticates using the user credentials
 * when the user logs out, the machine does an EAP-Logoff and then
logs back in using the machine account


Hi, I've been trying to do as you told me.


There's no need to CC me. I read the list.

Using the native supplicant and MSCHAPv2 on PEAP, the machine now sends its 
own credentials. My problem is that the login is sent with the 
prefix host/. In my LDAP, the entry for the machine is machine_name$.


I tried to fix this through various ways, and I succeeded by adding an entry in 
the hint file:

DEFAULT Prefix == host/, Strip-User-Name = Yes

and by changing the filter in the LDAP section :
	filter=(uid=%{Stripped-User-Name:-%{User-Name}})  
to 
	filter=(uid=%{Stripped-User-Name:-%{User-Name}}$)


Now the authorization works fine, but when the authenticate section is 
processed, the debug prints this :

rlm_eap: Identity does not match User-Name, setting from EAP Identity.

Am I doing all of this right?
 


There's a better way; use the mschap module expansion function, which 
will both strip and suffix for you:


filter = (uid=%{mschap:User-Name})

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
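What the mschap expansion does to the identity, and why the LDAP filter built from it needs escaping, as an added example that is not from the thread and not FreeRADIUS's own code. It is Python; the behaviour of %{mschap:User-Name} (strip "host/" and any DNS suffix and append "$" for a machine account, strip a DOMAIN\ prefix for a user) is reproduced as I understand it from the module's documentation, and the identities fed to it are constructed:

```python
"""Added example (not from the thread or the FreeRADIUS project): normalise an
802.1X/PEAP identity the way %{mschap:User-Name} is described as doing, then
build an RFC 4515-escaped LDAP filter from the result."""


def mschap_user_name(user_name: str) -> str:
    """Mimic the mschap module's User-Name expansion as I understand it:
    'host/pc01.example.com' -> 'pc01$'   (machine account: short host name
                                         plus the '$' the directory entry has)
    'EXAMPLE\\alice'        -> 'alice'   (DOMAIN\\ prefix stripped)
    Anything else is returned unchanged.  Assumption: this mirrors the
    documented behaviour; it is not the module's code."""
    if user_name.startswith("host/"):
        host = user_name[len("host/"):]
        # Keep the short host name only; drop any DNS suffix.
        host = host.split(".", 1)[0]
        return host + "$"
    # NetBIOS-style DOMAIN\user: keep what follows the first backslash.
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


# RFC 4515 section 3: the only characters that need escaping in a filter
# value.  '$' is not among them, so machine accounts need nothing special.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_uid_filter(user_name: str) -> str:
    """Equivalent of  filter = (uid=%{mschap:User-Name})  with the expanded
    value escaped, so an identity such as 'x*)(uid=*' cannot rewrite the
    filter (classic LDAP filter injection)."""
    return "(uid=%s)" % ldap_escape(mschap_user_name(user_name))


if __name__ == "__main__":
    # Constructed identities: a machine, a domain user, a bare user and an
    # attacker-controlled one.
    for ident in ("host/pc01.example.com", "EXAMPLE\\alice",
                  "alice", "x*)(uid=*"):
        print(f"{ident!r:26} -> {ldap_uid_filter(ident)}")
```

FreeRADIUS's ldap module escapes expanded values before they go into the filter; the escape function here shows what that must look like if the same lookup is ever built outside the server, for instance in a script that mirrors the directory query.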


Re: Radius-based windows authentication

2008-04-29 Thread Mike Perdide
Phil Mayers wrote :
 There's no need to CC me. I read the list.
Sorry about that ^^*.

 There's a better way; use the mschap module expansion function, which
 will both strip and suffix for you:

 filter = (uid=%{mschap:User-Name})
Thank you very much, everything works fine now.
The machine doesn't do any EAP-Logoff. Is that normal?
Is there a way to force the EAP-Logoff, so that the user doesn't use the 
machine credentials?



Radius-based windows authentication

2008-04-25 Thread Mike Perdide
Hello,

I'm working on VLAN assignment with FreeRadius, with Windows XP users.
The FreeRadius server is using OpenLDAP, and works over EAP-TTLS. 

The goal of my work is for the users to be on different VLANs depending on 
their status. 

The radius part is working fine, since the switch sets the right VLAN when the 
user gives his login and password.

My question was: is it possible to authenticate via radius at the Windows 
login screen?

For now, it is using the samba database, but if I want to set up a dynamic 
VLAN assignment, the network needs to be up before the samba partitions are 
mounted.

Thanks !


Re: Radius-based windows authentication

2008-04-25 Thread Phil Mayers

Mike Perdide wrote:

Hello,

I'm working on VLAN assignment with FreeRadius, with Windows XP users.
The FreeRadius server is using OpenLDAP, and works over EAP-TTLS. 

The goal of my work is for the users to be on different VLANs depending on 
their status. 

The radius part is working fine, since the switch sets the right VLAN when the 
user gives his login and password.


My question was: is it possible to authenticate via radius at the Windows 
login screen?


Is the windows machine a domain member?



For now, it is using the samba database, but if I want to set up a dynamic 
VLAN assignment, the network needs to be up before the samba partitions are 
mounted.


This last paragraph doesn't make sense to me. I don't know what samba 
database and samba partitions are.


I think you are asking is it possible for the client to do 802.1x with 
the username/password typed into the login box and the answer is yes. 
There are three ways to achieve this (that I know of).


 1. Using the windows native supplicant and machine account 
authentication. Basically the process is this:

* machine powers on - no-one logged in
* machine uses its own domain account to login host/$machinename
* user presses ctrl+alt+del
* machine validates credentials to the domain controller, over the 
current network connection

* machine downloads the users profile
* once the profile is downloaded, the machine does an EAP-Logoff and 
then re-authenticates using the user credentials
* when the user logs out, the machine does an EAP-Logoff and then 
logs back in using the machine account


 2. Using cached profiles - the user logs in without a network 
connection using a cached profile, then 802.1x starts


 3. Using a different supplicant which has a GINA plugin; I believe the 
Odyssey supplicant (which you have to pay for) can do this. SecureW2 
(which is open source) may. Obviously you have to install software.



Re: Radius-based windows authentication

2008-04-25 Thread Mike Perdide
Phil Mayers wrote:
 Is the windows machine a domain member?
No it's not. Only the users are.

 I think you are asking is it possible for the client to do 802.1x with
 the username/password typed into the login box and the answer is yes.
That's exactly my question, thanks ;).

   1. Using the windows native supplicant and machine account
 authentication. Basically the process is this:
  * machine powers on - no-one logged in
  * machine uses its own domain account to login host/$machinename
  * user presses ctrl+alt+del
When you say user presses ctrl+alt+del, you mean that he closes the session 
and uses his own login ?

  * machine validates credentials to the domain controller, over the
 current network connection
How did the machine obtain a network connection?

  * machine downloads the users profile
  * once the profile is downloaded, the machine does an EAP-Logoff and
 then re-authenticates using the user credentials
  * when the user logs out, the machine does an EAP-Logoff and then
 logs back in using the machine account

   3. Using a different supplicant which has a GINA plugin; I believe the
 Odyssey supplicant (which you have to pay for) can do this. SecureW2
 (which is open source) may. Obviously you have to install software.
I am currently using SecureW2 TTLS, and I did not see such a thing as a GINA 
plugin. I am going to look for documentation about that.


Thanks for your help.


Re: Radius-based windows authentication

2008-04-25 Thread Guy Davies
2008/4/25 Phil Mayers [EMAIL PROTECTED]:
 Mike Perdide wrote:

  Hello,
 
  I'm working on VLAN assignment with FreeRadius, with Windows XP users.
  The FreeRadius server is using OpenLDAP, and works over EAP-TTLS.
  The goal of my work is for the users to be on different Vlans depending on
 their status.
  The radius part is working fine, since the switch sets the right vlan when
 the user gives his login and password.
 
  My question was: is it possible to authenticate via radius at the Windows
 login screen?
 

  Is the windows machine a domain member?



 
  For now, it is using the samba database, but if I want to set up a dynamic
 VLAN assignment, the network needs to be up before the samba partitions are
 mounted.
 

  This last paragraph doesn't make sense to me. I don't know what samba
 database and samba partitions are.

  I think you are asking is it possible for the client to do 802.1x with the
 username/password typed into the login box and the answer is yes. There
 are three ways to achieve this (that I know of).

   1. Using the windows native supplicant and machine account authentication.
 Basically the process is this:
 * machine powers on - no-one logged in
 * machine uses its own domain account to login host/$machinename
 * user presses ctrl+alt+del
 * machine validates credentials to the domain controller, over the
 current network connection
 * machine downloads the users profile
 * once the profile is downloaded, the machine does an EAP-Logoff and then
 re-authenticates using the user credentials
 * when the user logs out, the machine does an EAP-Logoff and then logs
 back in using the machine account

   2. Using cached profiles - the user logs in without a network connection
 using a cached profile, then 802.1x starts

   3. Using a different supplicant which has a GINA plugin; I believe the
 Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which
 is open source) may. Obviously you have to install software.


The Odyssey client can certainly do this but it is very important to
note that GINA is not making use of the RADIUS server to actually
authenticate the user to the Windows machine.  It is simply stopping
the windows login, taking a copy of the credentials typed into the
windows login screen and using those to authenticate using 802.1x so
that a secured port is open *before* the windows login is complete,
then once the 802.1x process is complete, it returns control of the
login process back to windows which authenticates the user either
against the local database or using the Active Directory service.

Normally, for this to work well, you would have the RADIUS server used
for the 802.1x authentication make a call to the AD servers too (using
either NTLM or LDAP).  That way, you actually have two calls made to
the AD, one by the RADIUS server and then another by the user's PC.

The dynamic VLAN assignment is almost invariably performed as part of
the 802.1x RADIUS authentication response and the actual mechanism
used depends very much on the vendor of your Authenticator (the switch
or AP).

Rgds,

Guy


Re: Radius-based windows authentication

2008-04-25 Thread Phil Mayers

Mike Perdide wrote:

Phil Mayers wrote:

Is the windows machine a domain member?

No it's not. Only the users are.


?

When you sit at the login screen, and press ctrl+alt+del, are you 
logging in with a username and password which is checked against the 
domain controllers?


If so, then the machine *is* joined into the domain.




I think you are asking is it possible for the client to do 802.1x with
the username/password typed into the login box and the answer is yes.

That's exactly my question, thanks ;).


  1. Using the windows native supplicant and machine account
authentication. Basically the process is this:
 * machine powers on - no-one logged in
 * machine uses its own domain account to login host/$machinename
 * user presses ctrl+alt+del
When you say user presses ctrl+alt+del, you mean that he closes the session 
and uses his own login ?


No. The machine is sitting at the login prompt, and the user presses 
ctrl+alt+del to bring up the login box.





 * machine validates credentials to the domain controller, over the
current network connection

How did the machine obtain a network connection?


 * machine downloads the users profile
 * once the profile is downloaded, the machine does an EAP-Logoff and
then re-authenticates using the user credentials
 * when the user logs out, the machine does an EAP-Logoff and then
logs back in using the machine account



  3. Using a different supplicant which has a GINA plugin; I believe the
Odyssey supplicant (which you have to pay for) can do this. SecureW2
(which is open source) may. Obviously you have to install software.


I am currently using SecureW2 TTLS, and I did not see such a thing as a GINA 
plugin. I am going to look for documentation about that.





Re: Radius-based windows authentication

2008-04-25 Thread Mike Perdide
 Phil Mayers wrote:
 Is the windows machine a domain member?
 No it's not. Only the users are.
 ?

 When you sit at the login screen, and press ctrl+alt+del, are you
 logging in with a username and password which is checked against the
 domain controllers?
 If so, then the machine *is* joined into the domain.
You're right, it is, I am not familiar with the windows domains.

   * machine validates credentials to the domain controller, over the
  current network connection
 
 How did the machine obtain a network connection? It has to go through 
freeradius authorization, doesn't it?


Re: Radius-based windows authentication

2008-04-25 Thread A . L . M . Buxey
Hi,
  Phil Mayers wrote:
  Is the windows machine a domain member?
  No it's not. Only the users are.
  ?
 
  When you sit at the login screen, and press ctrl+alt+del, are you
  logging in with a username and password which is checked against the
  domain controllers?
  If so, then the machine *is* joined into the domain.
 You're right, it is, I am not familiar with the windows domains.
 
* machine validates credentials to the domain controller, over the
   current network connection
  
  How did the machine obtain a network connection? It has to go through 
 freeradius authorization, doesn't it?

yep

alan


Re: Radius-based windows authentication

2008-04-25 Thread Phil Mayers

Mike Perdide wrote:

Phil Mayers wrote:

Is the windows machine a domain member?

No it's not. Only the users are.

?



When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so, then the machine *is* joined into the domain.

You're right, it is, I am not familiar with the windows domains.


 * machine validates credentials to the domain controller, over the
current network connection
 How did the machine obtain a network connection? It has to go through 
freeradius authorization, doesn't it?


Yes, using the machine account


radius and windows

2004-06-18 Thread Maqbool Hashim
Is it possible to get a Windows Domain Controller to authenticate via 
radius? Has anyone got this working?

I think what I'm asking is: Is there a radclient for Windows Domain 
Controllers?



Re: radius and windows

2004-06-18 Thread Dave Shepherd
On Fri, 2004-06-18 at 10:43, Maqbool Hashim wrote:
 Is it possible to get a Windows Domain Controller to authenticate via 
 radius? Has anyone got this working?
 
 I think what I'm asking is: Is there a radclient for Windows Domain 
 Controllers?

You might want to try ntradping (www.mastersoft-group.com/download/)

You'll need to also install the IAS product (an option of IIS I
believe), onto the DC of your choice.

Dave


IMPORTANT - this email and the information in it may be confidential, legally 
privileged and/or protected by law.  It is intended solely for the use of the person 
to whom it is addressed.  If you are not the intended recipient, please notify the 
sender immediately and do not disclose the contents to any other person, use it for 
any purpose, or store or copy the information in any medium.  Please also delete all 
copies of this email and any attachments from your system.  

We cannot guarantee the security or confidentiality of email communications. We do not 
accept any liability for losses or damages that you may suffer as a result of your 
receipt of this email including but not limited to computer service or system failure, 
access delays or interruption, data non-delivery or mis-delivery, computer viruses or 
other harmful components.
  
Copyright in this email and any attachments belong to Compass Group.  Should you 
communicate with anyone at Compass Group by email, you consent to us monitoring and 
reading any such correspondence.

Nothing in this email shall be taken or read as suggesting, proposing or relating to 
any agreement concerted practice or other practice that could infringe UK or EC 
competition legislation.  
Compass Group, UK and Ireland Limited is a company registered in England and Wales 
(Company number 02272248) whose registered office is at Parklands Court, 24 Parklands, 
Birmingham Great Park, Rubery, Birmingham, West Midlands, B45 9PZ.  Compass Group UK  
Ireland Limited is a wholly owned subsidiary of Compass Group PLC, registered in 
England and Wales (Company number 4083914) whose registered office is at Compass 
House, Guildford Street, Chertsey, Surrey, KT16 9BQ.



Re: radius and windows

2004-06-18 Thread Maqbool Hashim
Thanks,
I suppose I could just use LDAP to authenticate Windows Domain 
Controllers.  I am not actually asking this question for Domain 
Controllers which I personally run, but for clients who might have these 
things and I would like to be able to authenticate these windows 
machines via our radius server.

Am I right in thinking that LDAP would work?


Re: radius and windows

2004-06-18 Thread Dave Shepherd
On Fri, 2004-06-18 at 12:07, Maqbool Hashim wrote:
 Thanks,
 
 I suppose I could just use LDAP to authenticate Windows Domain 
 Controllers. 

Sorry, you are confusing me. A Windows Domain Controller in my mind is
what holds the SAM database, which contains the user data, so in this
scenario no.

However, you could authenticate a windows client machine against an LDAP
backend, via your radius server, thus eliminating the need for your
Windows Domain Controller in the authentication process.

 I am not actually asking this question for Domain 
 Controllers which I personally run, but for clients who might have these 
 things and I would like to be able to authenticate these windows 
 machines via our radius server.

Ignore the above then. 

Honestly, if you are running NT4, the IAS (microsofts radius server)
product is a good solution, as it talks natively to your SAM database.
All you need to do then is proxy these clients through your radius
server to the IAS server and Bob's your uncle.

 
 Am I right in thinking that LDAP would work?

Yes.

Dave






Re: radius and windows

2004-06-18 Thread Alan DeKok
Maqbool Hashim [EMAIL PROTECTED] wrote:
 Is it possible to get a Windows Domain Controller to authenticate via 
 radius? Has anyone got this working?

  For a Windows DC to issue RADIUS Access-Request packets when
authenticating users?

  It's not possible.

  Alan DeKok.



Re: radius and windows

2004-06-18 Thread Alan DeKok
Dave Shepherd [EMAIL PROTECTED] 
 IMPORTANT - this email and the information in it may be
 confidential, legally privileged and/or protected by law.
...

  Or it may not be.

  Can you please get rid of that signature?  It's huge, annoying, and
has zero legal validity.

  Alan DeKok.
