Hm, that's bad. Is it on the roadmap? I have seen a HOWTO on generating certs and switching the eap-type to tls on freeradius?

Yes, Windows hosts can be authenticated with EAP-TLS by choosing something like "SmartCard or certificate" under the Authentication tab of the adapter properties.

How can the PC be authenticated, even if the user is not? We have a lot of student PCs in a pool, but the students have no individual accounts. I want to protect the Ethernet ports against someone plugging in another computer that has not been verified by us. How can this be achieved?

You want a certificate per host and not a certificate per user.

I use the following procedure to enable host EAP-TLS authentication:
* Set the "HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode" value to '2' in the Windows registry. This means:
"Computer authentication is performed when the wireless client computer is
started. User authentication is never performed."
See http://www.microsoft.com/technet/itsolutions/network/wifi/wififaq.mspx

* Create a certificate per host:
- cn must contain the NetBIOS name of the PC
- the extension SubjectAltName must contain the NetBIOS name of the PC (I think)
- the field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2)
- note that the RADIUS server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension
- the certificate can be exported into a PKCS12 file .p12 (this includes the private key). The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double-clicking the file will NOT work): run 'mmc' and add the snap-in 'Certificate>Local Computer', then in the private folder import the .p12 file, and in the Trusted Root CA folder the CA certificate.

Authentication will use the following username: the string 'Host/' concatenated with the NetBIOS name of the host. For instance, if the NetBIOS name is MYPC, use the following rule format in the raddb/users file:

Host/MYPC                CheckItems, ...
       ReplyAttributes...,
       ReplyAttributes...,
       Fall-Through = no

There might be other solutions, but at least this is how it works for us...

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
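An added worked example (not code from Thibault's post or from the FreeRADIUS project): the certificate side of the procedure above done with openssl, i.e. a small CA, a per-host certificate with the NetBIOS name in the CN and SubjectAltName and the clientAuth EKU, a RADIUS server certificate with the serverAuth EKU, a check of those properties before anything is imported, and the PKCS12 export for the Local Computer store, plus the "Host/<name>" mapping for the users file. The names MYPC, radius.example.org and "Example Lab CA", and the choice of a DNS-type SubjectAltName for the NetBIOS name, are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from Thibault's post: issue per-host EAP-TLS
# certificates with openssl along the lines of the procedure above, check
# the properties Windows and FreeRADIUS rely on, and bundle the host's key
# and certificate into a .p12 for the machine certificate store.
# Assumptions: names MYPC, radius.example.org and "Example Lab CA"; the
# NetBIOS name is placed in a DNS-type SubjectAltName.
set -eu

# Windows machine authentication sends "Host/" + NetBIOS name as User-Name.
host_username() {
    printf 'Host/%s\n' "$1"
}

# Skeleton raddb/users entry for one host; check and reply items are site specific.
users_entry() {
    printf '%s\n\tFall-Through = no\n' "$(host_username "$1")"
}

# Tiny req config so the script does not depend on the system openssl.cnf.
req_config() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n'
}

# Key and CSR: $1 = work dir, $2 = file stem, $3 = CN
new_csr() {
    req_config > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Self-signed CA with CA:TRUE, so 'openssl verify' (and Windows) accept it as a root.
make_ca() {
    new_csr "$1" ca "Example Lab CA"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 3650 \
        -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null
}

# End-entity certificate: $1 = work dir, $2 = name (CN and SAN), $3 = EKU name.
# Hosts get clientAuth (1.3.6.1.5.5.7.3.2), the RADIUS server serverAuth (1.3.6.1.5.5.7.3.1).
issue_cert() {
    new_csr "$1" "$2" "$2"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = %s\nsubjectAltName = DNS:%s\n' \
        "$3" "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Returns 0 when $1 chains to CA $2, has CN and DNS SAN $3 and the EKU text $4
# (e.g. "TLS Web Client Authentication"); anything else returns 1.
check_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)" = "subject=CN=$3" ] || return 1
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in *"DNS:$3"*) ;; *) return 1 ;; esac
    case "$text" in *"$4"*) ;; *) return 1 ;; esac
}

# PKCS12 bundle with key, cert and CA for import into the Local Computer store.
# It holds the private key: protect the password and delete the file after import.
# SHA1/3DES PBE keeps the file readable by older Windows releases, which cannot
# open the AES/PBKDF2 bundles that OpenSSL 3 writes by default.
export_p12() {
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" -certfile "$1/ca.pem" \
        -name "$2" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$3" -out "$1/$2.p12" 2>/dev/null
}

# Demonstration, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work"
    issue_cert "$work" MYPC clientAuth
    issue_cert "$work" radius.example.org serverAuth
    check_cert "$work/MYPC.pem" "$work/ca.pem" MYPC "TLS Web Client Authentication"
    check_cert "$work/radius.example.org.pem" "$work/ca.pem" radius.example.org \
        "TLS Web Server Authentication"
    export_p12 "$work" MYPC changeit
    users_entry MYPC
    rm -rf "$work"
fi
```

Run check_cert on the .p12's certificate before walking to the PC: a host certificate whose EKU is wrong, or whose CN does not match the NetBIOS name the machine will send as Host/<name>, fails silently on the Windows side, and the users file lookup for Host/MYPC never matches.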
