On Thu, Feb 2, 2012 at 4:47 PM, Matthew Newton <m...@leicester.ac.uk> wrote:
> Hi,
>
> On Wed, Feb 01, 2012 at 10:25:29PM -0600, Dan Letkeman wrote:
>> We primarily use Windows 7 on the machines that will authenticate, and
>> they are all connected to Cisco switches and access points. If I
>> understand things correctly I have the option of authenticating based
>> on users, certificates or users and certificates.
>
> In Windows, using the built-in supplicant, you have the following
> choices:
>
> PEAP/MS-CHAPv2 - "user"
> EAP-TLS - certificate ("user" or "computer")
> PEAP/EAP-TLS - certificate, again user or computer.
>
> Windows barfs if you ask PEAP to supply a client certificate, so
> you can't do certificate auth AND user/password at the same time.
>
> If you install a third-party supplicant then it will likely have
> many different EAP methods, read up on what you're getting first.
>
>> In our environment I don't see the need to add users into the
>> mix as almost all of the machines are shared machines where
>> multiple users will authenticate on the same machines. We also
>> push applications to the machines when users are not logged into
>> them so we need the computer to authenticate on its own when it
>> boots up.
>
> There are few reasons why you'd want to go to the extra config of
> PEAP/EAP-TLS [0], so your basic option is EAP-TLS. With computer
> auth (certificate in the computer 'personal' store, not in the
> user 'personal' store), the network will come up soon after the
> machine boots, before the GINA login (for wireless, assuming it's
> set to automatically connect). This sounds like what you want.
>
>
>> From what I understand I need to create myself a certificate and
>> install that certificate into the freeradius server and into each of
>> my client computers.
>
> That will work, but you shouldn't. Create a different certificate
> for each client, and for the radius server, all signed by the same
> CA.
This would be a nightmare to manage. We have 2000+ clients. I see the
advantage, if the certificate was compromised that this would be
important, but how in the world would you manage this?

>
>> Which EAP type should I use if I only want the computers to
>> authenticate using certificates? EAP-TLS?
>
> See above. Built-in supplicant with EAP-TLS is probably your
> easiest route.
>
>> I am guessing I should be using WPA2/Enterprise on the clients for the
>> 802.1x authentication on the Windows 7 clients? And set it to use
>> computer authentication only?
>
> That's one way to do it - you need WPA2 enterprise (the enterprise
> bit being the important word). "Computer auth only" set means it
> won't go looking for certs in users' personal certificate store,
> which is probably what you want.
>
>> Do I need a signed third party certificate or can I use a self signed one?
>
> Best practice is to create your own CA & sign using that. You
> really must use your own CA for client cert validation with
> EAP-TLS unless you want to allow anyone on.
>
>> Could a user not just export the certificate from the computer and
>> import it into their own computer, configure their network settings
>> and get on the network?
>
> [certificate and key] Yes.
>
>> Or is there a mechanism to keep people from doing this? Perhaps
>> a password encrypted in the certificate?
>
> You can generally set keys as 'non-exportable'. Of course, that's
> just a flag, and doesn't actually mean that there isn't a way to
> get the key out. Google will give you an answer for extracting
> Windows keys after a quick search (I haven't tried it). Just
> remember, the cert is on the device that the user is holding.
>
> If you detect that a certificate has been compromised (heuristics
> such as checking certificate always comes from same MAC address
> might help) then you revoke the cert (CRL / OCSP) and haul the
> user in...
>
>> Is there anything else I am missing?
>
> Coffee. Drink lots of coffee.
>
>
> On Thu, Feb 02, 2012 at 11:51:39AM -0600, Dan Letkeman wrote:
>> If I wanted redundancy should I just setup a secondary radius server
>> with the same settings and add it to the list of servers that are
>> available?
>
> Yes. Your NAS should rotate round the available RADIUS servers if
> one stops responding.
>
> Cheers,
>
> Matthew
>
>
> [0] Am in the middle of doing PEAP/EAP-TLS myself. Wrote up why,
> and a mini "how-to" at http://q.asd.me.uk/pet
>

Very nice. This will be helpful.

> --
> Matthew Newton, Ph.D. <m...@le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
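Matthew's suggestion of checking whether each client certificate always turns up from the same MAC address, worked through as an added example that is not part of the thread and not FreeRADIUS code: the script reads a constructed, trimmed excerpt in the shape of a FreeRADIUS "detail" file and lists certificates that authenticated from more than one device. Calling-Station-Id and TLS-Client-Cert-Common-Name are real FreeRADIUS attribute names; the sample values, and the assumption that both attributes are logged for every request, are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a FreeRADIUS "detail" file (one
# "Attribute = value" per line, a blank line between requests), trimmed
# to the two attributes the heuristic needs. Made up, not a real capture.
SAMPLE_DETAIL = """\
\tCalling-Station-Id = "00-11-22-33-44-55"
\tTLS-Client-Cert-Common-Name = "lab-pc-01.example.local"

\tCalling-Station-Id = "0011.2233.4466"
\tTLS-Client-Cert-Common-Name = "lab-pc-02.example.local"

\tCalling-Station-Id = "00:11:22:33:44:55"
\tTLS-Client-Cert-Common-Name = "lab-pc-01.example.local"

\tCalling-Station-Id = "AA:BB:CC:DD:EE:FF"
\tTLS-Client-Cert-Common-Name = "lab-pc-02.example.local"
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def normalize_mac(raw):
    """Normalize aa-bb-.., aa:bb:.. and Cisco aabb.ccdd.. to one colon form."""
    digits = re.sub(r'[^0-9a-fA-F]', '', raw).lower()
    if len(digits) != 12:          # not a MAC; keep it comparable anyway
        return raw.lower()
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_detail(text):
    """Yield one {attribute: value} dict per request block."""
    for block in text.strip().split('\n\n'):
        attrs = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        if attrs:
            yield attrs

def certs_seen_from_multiple_macs(text):
    """Return {cert CN: sorted MACs} for each client certificate that
    authenticated from more than one device: candidates for the CRL."""
    seen = defaultdict(set)
    for req in parse_detail(text):
        cn = req.get('TLS-Client-Cert-Common-Name')
        mac = req.get('Calling-Station-Id')
        if cn and mac:
            seen[cn].add(normalize_mac(mac))
    return {cn: sorted(macs) for cn, macs in seen.items() if len(macs) > 1}
```

Calling-Station-Id is reported by the NAS and is not authenticated, so a flagged CN is a revocation candidate to confirm before it goes on the CRL, not proof of a copied key.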