Monday, November 30, 2009

WLAN 802.1x Using Machine/Computer Authentication

Recently, I was faced with a challenge to have machine accounts authenticate to FreeRADIUS. Having never configured this before, I thought I would share my experiences with you.

So, what do you need to do when you have a certificate that is auto-deployed through AD and stored in the Local Computer Certificate Store, and you need a computer to always be connected to WLAN or LAN using 802.1x? Authenticate as a machine instead of a user!


Tools
Windows Server 2003 Enterprise Edition R2 - Active Directory + Enterprise Certificate Authority
Auto-enrollment template with auto-enrollment GPO
Windows XP Tablet SP3 with EAP-TTLS configured
Certificate Signed by CA
CA Public Certificate in the Trusted Root Certificate Store
FreeRADIUS or other RADIUS service

We have tablet machines configured with Windows XP Tablet SP3 that are joined to a Windows 2003 domain, but no domain users ever log in to them. The reasons they are joined to AD without user interaction are to track the machine inside AD, manage it via SCOM & SCCM, and have it use Active Directory integrated certificate services via auto-enrollment. The problem was that we could not deploy a machine certificate to the device; it was more a matter of having to use the Local Computer Certificate Store for authentication. We had little experience with FreeRADIUS since it was an open source tool managed by an outside group, so we had to rely totally on our vendor having everything configured correctly on their end. When testing we found that if the certificate was in the User Certificate Store then it would work. But since the machine would never have any domain users logged in, it would never auto-enroll a certificate into the User store. We then found an article from Microsoft which proved to us that Computer Authentication would work. The only thing we had to do was add 2 DWORD registry entries under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" key.

1. Add SupplicantMode = 3 (http://support.microsoft.com/kb/931856)
2. Add AuthMode = 2 (http://support.microsoft.com/kb/309448)
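As an added example (not from the original post), the following PowerShell script applies the two DWORDs listed above, reads them back to confirm they took, and checks that an auto-enrolled machine certificate with a private key and the Client Authentication EKU actually exists in the Local Computer personal store, which is the other precondition for computer authentication to work. It assumes PowerShell 2.0 and an elevated shell; the function names are my own.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0, run elevated.
$eapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$wanted   = @{ SupplicantMode = 3; AuthMode = 2 }   # values from KB931856 / KB309448

function Set-EapolMachineAuth {
    # The Global key is absent on a stock XP box, so create the path first.
    if (-not (Test-Path $eapolKey)) {
        New-Item -Path $eapolKey -Force | Out-Null
    }
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $eapolKey -Name $name -Value $wanted[$name] -Type DWord
    }
}

function Test-EapolMachineAuth {
    # Returns $true only if both values are present with the expected data.
    $props = Get-ItemProperty -Path $eapolKey -ErrorAction SilentlyContinue
    foreach ($name in $wanted.Keys) {
        if ($props.$name -ne $wanted[$name]) {
            Write-Warning "$name is '$($props.$name)', expected $($wanted[$name])"
            return $false
        }
    }
    return $true
}

function Get-MachineAuthCert {
    # Computer authentication needs a cert in LocalMachine\My that has a private key
    # and the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c = $_
        $c.HasPrivateKey -and
        ($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    }
}

Set-EapolMachineAuth
if (Test-EapolMachineAuth) { Write-Host 'EAPOL machine-auth registry values OK' }

$cert = Get-MachineAuthCert
if ($cert) {
    $cert | Select-Object Subject, NotAfter, Thumbprint
} else {
    Write-Warning 'No machine certificate with Client Authentication EKU in LocalMachine\My; auto-enrollment has not run yet'
}
```

If the certificate check warns, run gpupdate or wait for the auto-enrollment GPO to apply before testing the 802.1x connection again.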

Then configure the NIC as such:

[Screenshots: NIC1, NIC2, NIC3 configuration dialogs]
Note: Make sure that the "Authenticate as computer when computer information is available" checkbox in the Authentication tab is checked.


