802.1x howto ias computer only authentication
msnews.microsoft.com 2006-11-06, 1:17 pm
Hi,
I've been searching through this newsgroup and the internet but I'm not able to
find a how-to about configuring IAS for computer-only authentication for
VLANs.
I've also read the Wired_depl.doc and ias_vlans.doc but still no good.
User authentication based on certificates works OK but that's not what we
want, because then no login scripts and Group Policies are coming with the
login.
So we would like to do it based on machine authentication (yes, the box is
checked: authenticate as computer.....) so it authenticates before logging
in.
Any ideas on how to get this done?
Autoenrolment works fine and all machines in the domain get a correct
certificate including the Subject Alternative Name (DNS
Name=ENH-PC-075.WPS.Corp).
All machines in the domain are 2003 and the domain level is raised.
I tried to use a group "wiredusers" and even tried making my PC a member of the
group, but that doesn't seem to work.
Here is a bit out of my IAS log; there you can see that the machine is not
working because of the host/.... and that it recognizes the user:
Mon Nov 06 12:15:16 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162811716
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 12:15:31 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162811731
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 12:15:46 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162811746
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 12:25:46 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162812346
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 12:26:01 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162812361
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 12:26:16 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162812376
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:43:57 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817037
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:44:12 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817052
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:44:27 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817067
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:45:30 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817130
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:45:45 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817145
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:46:00 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817160
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:47:12 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817232
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:53:01 2006
User-Name = "adm.marmar@WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817581
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Mon Nov 06 13:54:10 2006
User-Name = "adm.marmar@WPS.Corp"
Called-Station-ID = 00-17-59-38-3C-01
Calling-Station-ID = 00-13-72-29-EC-30
NAS-IP-Address = 10.180.164.28
NAS-Port = 50001
Timestamp = 1162817650
NAS-Port-Type = 15
Service-Type = 2
Acct-Status-Type =
Acct-Session-ID =
Thanks in advance,
Marcel
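As an added example (not from the thread or from IAS), a small Python parser for the "Key = Value" log layout shown in the post above, plus a check that flags a supplicant re-presenting the same identity every few seconds, which is what the host/ entries above look like. The sample entries are constructed to mimic the excerpt; the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the "Key = Value" block layout of the IAS log excerpt
# above: three host/ requests 15 s apart from one MAC, then a user request.
SAMPLE_LOG = """\
Mon Nov 06 12:15:16 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Calling-Station-ID = 00-13-72-29-EC-30
Timestamp = 1162811716
Acct-Status-Type =
Mon Nov 06 12:15:31 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Calling-Station-ID = 00-13-72-29-EC-30
Timestamp = 1162811731
Mon Nov 06 12:15:46 2006
User-Name = "host/ENH-PC-075.WPS.Corp"
Calling-Station-ID = 00-13-72-29-EC-30
Timestamp = 1162811746
Mon Nov 06 13:53:01 2006
User-Name = "adm.marmar@WPS.Corp"
Calling-Station-ID = 00-13-72-29-EC-30
Timestamp = 1162817581
"""

HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}$")

def parse_ias_log(text):
    """Split the log into entries, each a dict of attribute -> value (quotes stripped)."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if HEADER_RE.match(line):  # a date line such as "Mon Nov 06 12:15:16 2006" opens an entry
            current = {"logged_at": line}
            entries.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return entries

def identity_kind(user_name):
    """Machine authentication presents the computer as host/<FQDN>; anything else is a user."""
    return "machine" if user_name.startswith("host/") else "user"

def find_retry_loops(entries, max_gap=30, min_requests=3):
    """Map (Calling-Station-ID, User-Name) -> longest run of requests spaced at most max_gap
    seconds apart, keeping runs of at least min_requests (an identity that is challenged but never admitted)."""
    by_key = defaultdict(list)
    for e in entries:  # every entry in this layout carries both attributes
        by_key[(e.get("Calling-Station-ID"), e["User-Name"])].append(int(e["Timestamp"]))
    loops = {}
    for key, times in by_key.items():
        times.sort()
        run = longest = 1
        for earlier, later in zip(times, times[1:]):
            run = run + 1 if later - earlier <= max_gap else 1
            longest = max(longest, run)
        if longest >= min_requests:
            loops[key] = longest
    return loops
```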
James McIllece [MS] 2006-11-06, 7:26 pm
"msnews.microsoft.com" <mmartens@wps-nl.com> wrote in
news:OKKBKGbAHHA.4256@TK2MSFTNGP04.phx.gbl:
>
> User authentication based on certificates works OK but that's not what
> we want because then no login scripts and Group Policies are coming
> with the login.
I don't understand what you mean with this statement. You can use logon
scripts with user authentication.
All you need to do is make sure that the computer is also granted access
permission by your remote access policy.
The default client behavior is that when the machine boots up, machine
authentication, including refresh of Group Policy, occurs. Then when the
user logs on, user authentication occurs.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
news.microsoft.com 2006-11-07, 1:18 pm
Hi James,
Thanks for your quick reply.
The statement I'm trying to make is that it doesn't work: the machine, with
802.1x enabled on the switch and on the client, is trying to connect to my
IAS server, which appears to be successful, but then the IAS cannot validate the
machine, so it is receiving an APIPA address from Windows XP because no DHCP
can be found.
I think that my IAS needs some additional configuration for machine
authentication, but I don't know, and am unable to find, how the configuration
should be.
I've tried to add the computer to a Global Security group but that wasn't
successful. Any ideas how it should be?
Thanks in advance,
Marcel
James McIllece [MS] 2006-11-14, 7:24 pm
"news.microsoft.com" <mmartens@donotreply.wps-nl.com> wrote in
news:#qsAd3pAHHA.4060@TK2MSFTNGP03.phx.gbl:
> Hi James,
>
> Thanks for your quick reply.
>
> The statement I'm trying to make is that it doesn't work: the machine,
> with 802.1x enabled on the switch and on the client, is trying to
> connect to my IAS server, which appears to be successful, but then the IAS
> cannot validate the machine, so it is receiving an APIPA address from
> Windows XP because no DHCP can be found.
> I think that my IAS needs some additional configuration for machine
> authentication, but I don't know, and am unable to find, how the
> configuration should be.
> I've tried to add the computer to a Global Security group but that
> wasn't successful. Any ideas how it should be?
>
> Thanks in advance,
>
> Marcel
>
> "James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
> news:Xns987371F206DA7jamesmcionlinemicros@207.46.248.16...
>
So the first step is to get the machine authenticating successfully. That
is separate from the DHCP issue. You can create a remote access policy that
grants access to a group in AD -- so either grant access to the Domain
Computers group or create a new group and add the computers to it that you
want; and then create a remote access policy that grants access to the
group. (Or if I remember correctly you can add the computers group to the
same policy you have for users.)
If you create a new policy, remember the default remote access policy
behavior is to deny access, so you must change this setting. Also make sure
the policy is enabled. And put the computer policy before the user policy
in the IAS list of policies.
This whitepaper shows the correct setup for 802.1X wireless, which is very
similar to what you are doing:
"Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home
Office or Small Organization Networks" at
http://www.microsoft.com/downloads/...=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
Look at the Small Office section, not the Home section.
After you have the computers authenticating properly you can troubleshoot
the DHCP issue. As you probably know, the way the 802.1X switch works is to
perform authentication first -- then if that is successful, the switch
opens the port, which in turn allows the client's DHCP broadcast message
onto the LAN. If the DHCP broadcast message reaches your DHCP server, the
server will respond with a unicast message to the client, which then
provides the client with the IP address of the DHCP server, allowing the
additional messages from client to server to be sent as unicast messages.
The client is self-configuring with the APIPA address because its broadcast
messages are not reaching the DHCP server. This is for one of two reasons:
1. Authentication is failing so the switch is not opening the port.
2. The port is open but the broadcast message is not reaching the DHCP
server for some other reason.
I don't know how your switch is configured or what is required of it, but
perhaps it requires that you enable DHCP forwarding...? Just a
possibility.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
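An added illustration (not IAS code and not from the thread) of the policy handling James describes: a simplified first-match model of an ordered remote access policy list, where the first policy whose conditions all match decides the request and a request matching no policy is rejected. Policy names, conditions and group memberships are assumptions; the identities come from the log excerpt earlier in the thread.

```python
# Simplified model of how IAS walks its ordered remote access policy list: the
# first policy whose conditions all match decides the request, and a request
# that matches no policy is rejected. Data shapes and names are assumptions.

ETHERNET = 15  # NAS-Port-Type value seen in the log excerpt earlier in the thread

def matches(policy, request):
    """All conditions must hold; a set-valued condition needs one element in common."""
    for attr, wanted in policy["conditions"].items():
        have = request.get(attr)
        if have is None:
            return False
        if isinstance(wanted, set):
            have_set = have if isinstance(have, set) else {have}
            if not wanted & have_set:
                return False
        elif have != wanted:
            return False
    return True

def evaluate(policies, request):
    """Return (decision, policy_name); ("deny", None) means no policy matched."""
    for policy in policies:
        if matches(policy, request):
            return policy["permission"], policy["name"]
    return "deny", None

# Constructed requests: the machine identity from the thread and the user who
# logged on afterwards. Group memberships are assumed, not taken from the page.
MACHINE_REQ = {"User-Name": "host/ENH-PC-075.WPS.Corp", "NAS-Port-Type": ETHERNET,
               "Windows-Groups": {"Domain Computers"}}
USER_REQ = {"User-Name": "adm.marmar@WPS.Corp", "NAS-Port-Type": ETHERNET,
            "Windows-Groups": {"Domain Users", "wiredusers"}}

USER_POLICY = {"name": "Wired users", "permission": "grant",
               "conditions": {"NAS-Port-Type": ETHERNET, "Windows-Groups": {"wiredusers"}}}
COMPUTER_POLICY = {"name": "Wired computers", "permission": "grant",
                   "conditions": {"NAS-Port-Type": ETHERNET,
                                  "Windows-Groups": {"Domain Computers"}}}
# A catch-all deny policy, standing in for the deny-by-default behaviour described above.
CATCH_ALL_DENY = {"name": "Catch-all (deny)", "permission": "deny",
                  "conditions": {"NAS-Port-Type": ETHERNET}}

def decide_both(policies):
    """Evaluate the machine and the user request against one policy ordering."""
    return {"machine": evaluate(policies, MACHINE_REQ),
            "user": evaluate(policies, USER_REQ)}
```

With only the user policy present the host/ request matches nothing and is rejected; placing a deny catch-all ahead of the computer policy rejects it too, which is why the computer policy has to sit before anything broader that would match it.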
Lertsa 2007-02-05, 7:19 am
I have a Cisco 2960 switch and MS IAS RADIUS configured and the
authentication works quite OK (with some delays), but if the user
authenticates to a local account, he doesn't get an IP until after some 5
minutes or so? I used a sniffer on the switch and discovered that the second
you push Enter after entering username and password, the workstation stops
polling for DHCP. It does this again after some 5 minutes but it's way too
long a time to wait. I tried to put the user straight into the guest VLAN and let
the authentication happen there; now the switch isn't changing to the VLAN it
gets from the RADIUS server and the workstation still remains on the
guest VLAN. (Trying to solve this one atm.)
My other problem is that if a user has already authenticated to a local
account and then plugs in the network cable, the authentication window only
flashes quickly and then disappears. It will reappear after the quiet period
and work correctly after this, but I would like to know why it does this?
Can't really tell the user to plug in and get some coffee =)
Thanks in advance for any help!