[RADIATOR] question about machine based authentication

Joy Veronneau jv11 at cornell.edu
Fri Nov 18 16:18:18 CST 2011


Hi,
I think I need some more help with my config. It is working ok for my machine cert based authentication, but only if I put the name of the machine in a file on the radius server. Here is my config snippet:

<AuthBy FILE>
    Identifier TLS
    Filename %D/tls_anon
    EAPType TLS
    EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
    EAPTLS_CertificateFile /app/radius/keys/agate1.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
    EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
    AuthByPolicy ContinueAlways
    RewriteUsername s/^host\///
    AuthBy TLS
</Handler>


and %D/tls_anon contains:
CIT-JV11GTEST2.cit.cornell.edu

I would like to avoid having to maintain all the machine names on the radius server. I would prefer to do some sort of NTLM auth that would read the machine cert and then check to see if the machine is in a certain group.

I tried using <AuthBy NTLM> but that really broke everything... I do have NTLM working for username/pw based authn but I need to do that AND machine based…

I'd appreciate a hint. Thanks-

Joy

On 11/10/11 5:21 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>
>> Is it possible for the radiator server to do machine-based
>> authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine
> based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
> machine joins the domain, a password and username are automatically
> created and these can be used for machine based authentication. This is
> also supported by Radiator by default.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but
>> now someone is asking about machine-based authentication. They are
>> currently doing this with an MS radius server and would like to
>> switch to our centrally managed radius server and central AD system.
>> I know that we would have to issue a new cert to the machine from the
>> central AD domain… but I'm not finding much about how to set up
>> radiator in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra
> checks for certs besides just checking if the cert is valid or not.
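The authorization decision the thread is circling is small enough to spell out. The following is an added illustration, not Joy's configuration and not Radiator code: it models what the posted Handler does (match on ESSID and a `host/` User-Name, strip the prefix as `RewriteUsername s/^host\///` does) and then compares the flat-file policy from `%D/tls_anon` with the group-membership policy Joy would prefer. The certificate identity is assumed to have already been extracted by the EAP-TLS layer; the directory snapshot, the group name `Eduroam-Machines`, and the second machine name are constructed sample data. In both policies the rewritten User-Name must equal the identity in the presented certificate, so a valid certificate for one machine cannot be combined with another machine's name.

```python
import re

# Constructed stand-in for the contents of %D/tls_anon (one machine per line).
TLS_ANON_FILE = """\
CIT-JV11GTEST2.cit.cornell.edu
"""

# Hypothetical directory snapshot: machine account -> groups it belongs to.
DIRECTORY_GROUPS = {
    "cit-jv11gtest2.cit.cornell.edu": {"Domain Computers", "Eduroam-Machines"},
    "cit-oldlab.cit.cornell.edu": {"Domain Computers"},
}

# Same pattern as the Handler's check item User-Name = /^host/i.
HOST_PREFIX = re.compile(r"^host/", re.IGNORECASE)


def handler_matches(request):
    """Mirror the Handler's check items: ESSID and a case-insensitive host/ prefix."""
    return (request.get("Aruba-Essid-Name") == "eduroam-test"
            and HOST_PREFIX.match(request.get("User-Name", "")) is not None)


def rewrite_username(user_name):
    """Mirror RewriteUsername s/^host\\/// and lower-case the result for comparison."""
    return HOST_PREFIX.sub("", user_name).lower()


def load_allowed_machines(text):
    """Parse a tls_anon-style file into a set of lower-cased machine names."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def _identity_checks(request, cert_identity):
    """Shared front half: Handler match, then bind User-Name to the certificate identity."""
    if not handler_matches(request):
        return None, "no matching Handler"
    name = rewrite_username(request["User-Name"])
    if name != cert_identity.lower():
        return None, "User-Name does not match certificate identity"
    return name, "ok"


def authorize_by_file(request, cert_identity, allow_text=TLS_ANON_FILE):
    """Policy as posted: the machine must be listed in the flat file."""
    name, reason = _identity_checks(request, cert_identity)
    if name is None:
        return False, reason
    if name in load_allowed_machines(allow_text):
        return True, "machine listed in tls_anon"
    return False, "machine not listed in tls_anon"


def authorize_by_group(request, cert_identity, required_group,
                       directory=DIRECTORY_GROUPS):
    """Policy Joy wants: the machine account must be a member of a directory group."""
    name, reason = _identity_checks(request, cert_identity)
    if name is None:
        return False, reason
    groups = directory.get(name)
    if groups is None:
        return False, "machine account not found in directory"
    if required_group in groups:
        return True, f"member of {required_group}"
    return False, f"not a member of {required_group}"


if __name__ == "__main__":
    req = {"Aruba-Essid-Name": "eduroam-test",
           "User-Name": "host/CIT-JV11GTEST2.cit.cornell.edu"}
    print(authorize_by_file(req, "CIT-JV11GTEST2.cit.cornell.edu"))
    print(authorize_by_group(req, "CIT-JV11GTEST2.cit.cornell.edu", "Eduroam-Machines"))
```

The two policies differ only in their back half: with the group check, adding a machine to the directory group is the whole provisioning step, and the RADIUS server no longer carries a copy of the machine list that can drift from the directory.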
