Freeradius + EAP Certificates
-
Hi,
I am not using WiFi.
I would like to authenticate windows machines with certificates against radius. This is working.
If I do not install the client.p12 on the windows machine, I cannot authenticate.But in Windows I have always to enter a username and a password, if I connect the network cable.
The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?Thanks!
-
Hi Nachtfalke,
I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.
Reading your last posts you it seems as if you want to use a certificate to log on to windows using a Radius server.
I'm sorry, but I cannot help you with that (if I understood your problem correctly)
Cheers
Alexander
-
Hi,
you didn't understand me correct or I didn't explain it correct.
Take a look at this thread:
http://www.administrator.de/index.php?content=154402#644826Scroll down to the chapter:
Clients für die 802.1x Zugangskontrolle einrichtenAfter I login into windows, with my username and password I can see the desktop, open word an so on.
If I connect my LAN cable to the switch, there appears a hint in the systray "There are additional information needed to access the network". There I have to enter the username/password I entered in the freeRADIUS users tab on pfsense.Windows XP allows you to use the same username and password for this authentication as you used for the windows logon. (This you can see in the third and fith picture in the chapter I told you above: (Clients für die 802.1x Zugangskontrolle einrichten) If you want to use a different username/password then the sixth picture appears.)
I want to save the information in the sixth picture for the entire computer and every user on this computer.
BUT I would be interested in, what your users file of freeradius contains.
I think there is a difference between using an AP or a switch to authenticate with freeradius.
-
Hi,
Ok, now I understand your problem. I've looked at the document you linked. I have one main difference:
in the authentication section it is posted that for the EAP type you need to select "Geschütztes EAP (PEAP)". I have "Smart Card or other Certificate" (this is the other setting).
If you look here -> http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
It is described that PEAP is similar to TTLS. It is basically a tunnel that is generated. TTLS or PEAP has an inner and an outer layer. One is the certificate the other is uid/pw. thats why you are being prompted for uid/pw.
for my config I only used EAP (so only the certificate authentication without a tunnel). therefore also the "smart card or other certificate" setting in the EAP type.
Since your computers are not connected to a domain you cannot pass the creditials (thats why you're being prompted).
Now the question is do you need PEAP, or is EAP sufficiant ?
Cheers
Alexander
-
Hi,
I think it would be enough with EAP. It will be better than only MAC address filtering I think.
I tried with "other certificate or smartcard" but I think I missed some checkboxes there.
Do you have a solution for me how to configure it the right way ? -
Nachtfalke,
here are my config screens … in the second screen the "intern-CA" is my CA that is used for the client and server certificate.
I cannot test it on my LAN, since my radius isn't configed for this, but it is identical to my WLAN config. After connecting to the LAN, and aquiring an IP address you should be prompted for the certificate needed for the authentication.
Additional on your Cisco switch can you explicitly config the authentication to EAP ? So that the switch explicitly uses this authentication method.
If this doesn't work, could you post the config of the cisco and also the "radiusd -X" log (this then has the config and also the challenge/response during the authentication.
Regards
Alexander
-
Hi,
thanks for you help and screens. I think I did something close to your pics but not every checkboy is the same.
I will try it on monday.Thanks.
-
Hi,
erm I understand you correctly, you use your own radius install and not the package from the pfsense gui?
Thanks
Chunk0r -
Hi,
erm I understand you correctly, you use your own radius install and not the package from the pfsense gui?
Thanks
Chunk0rseggerman is using his own RADIUS, I am using the pfsense package.
-
Thanks,
I'm also confused of wifi access, so I want connect my AP with the Radius server, so that my clients has to be auth with wpa2 against radius.
So my wpa2 key is the secret share key of radius? Cauz if I activate wpa2+eap on my openwrt AP, I don't have any other key field. -
Your ap is the authenticator for the radius ( so you add it like client at radius )
One place where you can have more info for that is (sorry guys) microsoft technet, there is quite well explained the roles of the devices -
There is a difference between ENCRYPTION and AUTHENTICATION.
The WPA2 key is the key to encrypt the wireless traffic. It is used between the W-AP and the W-Client.
The password for AUTHENTICATION is between RADIUS and AP.
-
Quite easy photo, but it's written in Finnish
-
ah ok, but where I save my wpa key if the secret share is for the client auth?