Re: Windows WPA

2005-12-23 Thread Guy Davies
I have to admit that I'm using a paid-for client (Funk Odyssey). It's very good but at around £25 to £30 per seat (depending upon numbers) it isn't cheap.

SecureW2 used to be free and was very good. I seem to remember them going open source but I've not really investigated that product in a while.

I would say that the time taken to correctly configure the client is no different than the windows supplicant. It generally takes me a couple of minutes a seat to configure a user with EAP-TTLS/PAP against a RADIUS server with existing LDAP links to an AD server. I'd also have to specifically identify the CA certificate that the client should use to authenticate the RADIUS server's certificate. So I don't consider that an extra cost.

Rgds,

Guy
On 22/12/05, Phil Mayers [EMAIL PROTECTED] wrote:

Guy Davies wrote:

The other alternative is to use a third party 802.1x supplicant with a
decent GINA module. This behaves *exactly* as you want. It accepts the
users' credentials at the windows login, stops the windows login process,
logs the user into the network, then returns control to windows to login the
user to the AD. I've been doing this with EAP-TTLS/PAP to an AD backend
with LDAP (no NTLM :-) for a while.

Sure, though there's typically cost (sometimes money, sometimes just
time) and of course the need for custom software there.

Are you using a for-pay one, or are there any good free ones these days?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Windows WPA

2005-12-22 Thread Phil Mayers

Stefan Adams wrote:

Does anyone know how it's possible to log into a windows domain (no
local account) from a Windows XP computer using WPA when the user has
never logged in before (making cached credentials impossible)?

I work at a high school.  We have several mobile carts with laptop
computers that do NOT have local accounts for each student.
Therefore, each student is required to log on to the windows domain
using wireless.  This works fine using WEP.

However, using WPA, with the "automatically supply windows
username/password/domain" checkbox selected, a user that has never
logged into that machine before is not able to log on.  The Windows
computer complains that the domain controller is not available.  This,
of course, is true because there are no 'up' network interfaces.

But wouldn't it be logical for Windows to first supply the entered
credentials to the access point for authorization to the WPA WLAN and
then supply those same credentials to the domain controller?


It would be logical. It does not do that.

See the archives for "machine" AND "PEAP" - basically, you need to make 
the machines authenticate themselves with their machine account first, 
then those creds are used for the network login during profile download, 
at which point windows will switch to the user creds.


One point to note: apparently the inbuilt windows supplicant has to use 
the *same method* for both the machine and user creds (e.g. both TLS or 
both PEAP+MS-CHAP).


Also note that in order to authenticate a machine (as opposed to user) 
account, FreeRadius needs to be talking to an ntlm_auth which in turn 
talks to a patched samba (the messages you find with the above search 
should reference the location of the patch and/or the version from which 
it's integrated). Finally you need an AD domain (not NT4) to do that.




Is that the way it works, is there some other way, or are people that
have never logged on to these laptops before condemned to never log on
at all given our new WPA infrastructure?


No, you just have to work hard to fix microsoft's broken behaviour. As 
always.


Re: Windows WPA

2005-12-22 Thread Stefan Adams
Phil, thanks for the information!

Finally you need an AD domain (not NT4) to do that.

Are you saying I actually need a Microsoft Server?  A Samba domain
controller won't suffice?  Being that I have no (ZERO) Microsoft servers,
are my chances of doing machine authentication nil?

Stefan



Re: Windows WPA

2005-12-22 Thread Phil Mayers

Stefan Adams wrote:

Phil, thanks for the information!

Finally you need an AD domain (not NT4) to do that.

Are you saying I actually need a Microsoft Server?  A Samba domain
controller won't suffice?  Being that I have no (ZERO) Microsoft servers,
are my chances of doing machine authentication nil?



Ah, that's a different kettle of fish entirely. In this specific case I 
*believe* the RPC call allowing you to MSCHAP a machine account is a 
newer RPC, so since Samba emulates NT4 you may still find that method 
doesn't work.


But, if you have a samba domain controller, you can in a supported 
fashion extract the LM and NT hashes from your SAM, and give those to 
FreeRadius directly, which can then do the MSCHAP without a callout to 
the domain at *all*, which has obvious scalability and resilience value.


How to do this depends on what SAM backend you're using, whether the 
FreeRadius server runs on the same machine as the Samba DC or a 
different one, and of course whether your site policy permits the risk 
of moving the LM/NT hashes around, though I personally don't buy the 
arguments about the risk involved there.


If you're using an LDAP backend, see frequent posts about using LDAP and 
ways of mapping the ntPassword LDAP attribute to the NT-Password radius 
attribute.


If you're using smbpasswd, then a passwd file module can be used in 
FreeRadius, with the config as described in the default radiusd.conf (I 
believe), subject to you obviously getting the file somewhere FreeRadius 
can see it, and HUPing the server if/when it changes.


Other SAMs (TDB, etc.) can probably be done similarly but that's 
samba-specific.


Re: Windows WPA

2005-12-22 Thread Phil Mayers

Guy Davies wrote:

The other alternative is to use a third party 802.1x supplicant with a
decent GINA module.  This behaves *exactly* as you want.  It accepts the
users' credentials at the windows login, stops the windows login process,
logs the user into the network, then returns control to windows to login the
user to the AD.  I've been doing this with EAP-TTLS/PAP to an AD backend
with LDAP (no NTLM :-) for a while.


Sure, though there's typically cost (sometimes money, sometimes just 
time) and of course the need for custom software there.


Are you using a for-pay one, or are there any good free ones these days?


Re: Windows WPA

2005-12-22 Thread Michael Griego
In this case, if you happen to be using Samba as your PDC with an LDAP 
backend, you should actually be able to use rlm_ldap to lookup the NTLM 
hashes from the same LDAP tree that your Samba PDC uses.  Once you have 
those hashes, you can do MSCHAPv2 without having to use ntlm_auth.


--Mike

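The point Phil and Mike make above (hand FreeRADIUS the NT hash from the Samba SAM, whether from smbpasswd or from the LDAP tree via rlm_ldap, and it can finish MS-CHAPv2 itself with no ntlm_auth callout and no domain controller in the path) is easy to see in code. The following is an added example written for this page; it is not code from the list, from FreeRADIUS or from Samba. It implements RFC 2759's ChallengeHash() and ChallengeResponse() in Go with only the standard library, parses a constructed smbpasswd line, and plays both sides of the exchange. The account, uid, challenge values and the SCHOOL domain are made up; the two hashes in the sample line are the widely published LM and NT hashes of the password "password"; the host/pc.domain to pc$ rewrite for machine accounts is my understanding of what rlm_mschap does to User-Name before calling ntlm_auth, stated here as an assumption.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed smbpasswd line (not a real account): name:uid:LMHASH:NTHASH:[flags]:LCT-hex:.
// The hashes are the widely published LM and NT hashes of "password" (NT = MD4(UTF-16LE)).
const sampleSmbpasswd = "student1:1001:E52CAC67419A9A224A3B108F3FA6CB6D:" +
	"8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-43A8F1B2:\n"

// NTHashFromSmbpasswd returns the stored 16-byte NT hash; that is all MS-CHAPv2 needs.
func NTHashFromSmbpasswd(db, user string) ([]byte, error) {
	for _, line := range strings.Split(db, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 4 && f[0] == user {
			h, err := hex.DecodeString(f[3])
			if err != nil || len(h) != 16 {
				return nil, fmt.Errorf("malformed NT hash for %q", user)
			}
			return h, nil
		}
	}
	return nil, fmt.Errorf("no such user %q", user)
}

// StripDomain drops a "DOMAIN\" prefix: RFC 2759 hashes the user name without any
// prepended domain even though Windows sends the qualified form (with_ntdomain_hack).
func StripDomain(identity string) string {
	if i := strings.LastIndexByte(identity, '\\'); i >= 0 {
		return identity[i+1:]
	}
	return identity
}

// LookupName maps an identity to its smbpasswd key. Assumption: a machine account
// arrives as "host/pc.school.example" and is stored as "pc$", as rlm_mschap rewrites it.
func LookupName(identity string) string {
	if strings.HasPrefix(identity, "host/") {
		host := strings.SplitN(strings.TrimPrefix(identity, "host/"), ".", 2)[0]
		return host + "$"
	}
	return StripDomain(identity)
}

// desKey spreads 7 key bytes over 8 for crypto/des; the low bit of each byte is a
// parity bit that DES ignores, so it is left clear.
func desKey(k []byte) []byte {
	return []byte{k[0] & 0xfe, k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ChallengeHash is RFC 2759 ChallengeHash(): SHA1(peer || authenticator || bare name)[:8].
func ChallengeHash(peer, auth [16]byte, identity string) []byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(StripDomain(identity)))
	return h.Sum(nil)[:8]
}

// NTResponse is RFC 2759 ChallengeResponse(): zero-pad the NT hash to 21 bytes,
// split it into three 7-byte DES keys and encrypt the 8-byte challenge with each.
func NTResponse(ntHash, challenge []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		c, _ := des.NewCipher(desKey(z[i : i+7])) // only fails on a bad key length
		blk := make([]byte, 8)
		c.Encrypt(blk, challenge)
		out = append(out, blk...)
	}
	return out
}

// Verify is the RADIUS side: recompute the expected NT-Response from the stored
// hash and compare it in constant time with what the supplicant sent.
func Verify(db, identity string, peer, auth [16]byte, response []byte) (bool, error) {
	nt, err := NTHashFromSmbpasswd(db, LookupName(identity))
	if err != nil {
		return false, err
	}
	want := NTResponse(nt, ChallengeHash(peer, auth, identity))
	return subtle.ConstantTimeCompare(want, response) == 1, nil
}

func main() {
	var peer, auth [16]byte // constructed; real peers choose these at random
	for i := range peer {
		peer[i], auth[i] = byte(i), byte(0xf0-i)
	}
	nt, _ := hex.DecodeString("8846F7EAEE8FB117AD06BDD830B7586C") // supplicant knows the password
	resp := NTResponse(nt, ChallengeHash(peer, auth, `SCHOOL\student1`))
	ok, err := Verify(sampleSmbpasswd, `SCHOOL\student1`, peer, auth, resp)
	fmt.Println("student1 accepted:", ok, err)
}
```

Two things the block makes concrete. First, Verify never needs ntlm_auth or a DC: the NT hash alone is sufficient, which is exactly why a copy in smbpasswd or in the LDAP attribute lets FreeRADIUS answer locally. Second, the same property cuts the other way: whoever holds the hash can produce a valid response, so wherever the hashes are copied they deserve the same handling as the SAM itself (and, per Phil's note, a HUP after the file changes so the server does not keep serving stale hashes). A real server still has to emit the RFC 2759 authenticator response and the MPPE keys, both of which also derive from the NT hash (through MD4 of the hash), and those steps are left out here.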


Windows WPA

2005-12-21 Thread Stefan Adams
Does anyone know how it's possible to log into a windows domain (no
local account) from a Windows XP computer using WPA when the user has
never logged in before (making cached credentials impossible)?

I work at a high school.  We have several mobile carts with laptop
computers that do NOT have local accounts for each student.
Therefore, each student is required to log on to the windows domain
using wireless.  This works fine using WEP.

However, using WPA, with the "automatically supply windows
username/password/domain" checkbox selected, a user that has never
logged into that machine before is not able to log on.  The Windows
computer complains that the domain controller is not available.  This,
of course, is true because there are no 'up' network interfaces.

But wouldn't it be logical for Windows to first supply the entered
credentials to the access point for authorization to the WPA WLAN and
then supply those same credentials to the domain controller?

Is that the way it works, is there some other way, or are people that
have never logged on to these laptops before condemned to never log on
at all given our new WPA infrastructure?

Stefan
