Monday, November 30, 2009

WLAN 802.1x Using Machine/Computer Authentication

Recently, I was faced with a challenge to have machine accounts authenticate to FreeRadius. Having never configured this before, I thought I would share my experiences with you.

So, what do you need to do when you have a certificate that is auto-deployed through AD and stored in the Local Computer Certificate Store, and you need a computer that is always connected to WLAN or LAN using 802.1x? Authenticate as a machine instead of a user!


Tools
Windows Server 2003 Enterprise Edition R2 - Active Directory + Enterprise Certificate Authority
Auto-enrollment template with auto-enrollment GPO
Windows XP Tablet SP3 with EAP-TTLS configured
Certificate Signed by CA
CA Public Certificate in the Trusted Root Certificate Store
FreeRADIUS or other RADIUS service

We have tablet machines configured with Windows XP Tablet SP3 that are joined to a Windows 2003 domain, but no domain users ever log in to them. The reasons these are joined to AD without user interaction are to track the machine inside AD, manage it via SCOM & SCCM, and have it use Active Directory integrated certificate services via auto-enrollment. The problem was that we could not deploy a machine certificate to the device; it was more a matter of having to use the Local Computer Certificate Store for authentication. We had little experience with FreeRadius since it was an open source tool managed by an outside group. Therefore, we had to rely totally on our vendor having everything configured correctly on their end. When we were testing we found that if the certificate was in the User Certificate Store then it would work. But, since the machine would never have any domain users logged in, it would never auto-enroll a certificate into the User store. We then found an article from Microsoft which proved to us that Computer Authentication would work. The only thing we had to do was add 2 DWORD registry entries under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" key.

1. Add SupplicantMode = 3 (http://support.microsoft.com/kb/931856)
2. Add AuthMode = 2 (http://support.microsoft.com/kb/309448)

Then configure the NIC as such:

[Screenshots NIC1, NIC2 and NIC3 of the NIC's 802.1x configuration are not reproduced here.]

Note: Make sure that the "Authenticate as computer when computer information is available" checkbox in the Authentication tab is checked.
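As an added example (not from the original post), here is a PowerShell script that applies the two DWORD values from the steps above and then verifies them before restarting the XP Wireless Zero Configuration service so the supplicant picks them up. The registry key and values are the ones given in the post; the function names are my own.

```powershell
# Added example, not from the original post: set and verify the two EAPOL
# DWORD values the post describes. Key path and values are from the post;
# the function names are assumptions of this example.
$EapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

function Set-EapolMachineAuth {
    # Create the key if it does not exist yet (a fresh XP SP3 install may lack it)
    if (-not (Test-Path $EapolKey)) {
        New-Item -Path $EapolKey -Force | Out-Null
    }
    # SupplicantMode = 3 (KB931856) and AuthMode = 2 (KB309448), as linked above
    Set-ItemProperty -Path $EapolKey -Name 'SupplicantMode' -Value 3 -Type DWord
    Set-ItemProperty -Path $EapolKey -Name 'AuthMode'       -Value 2 -Type DWord
}

function Test-EapolMachineAuth {
    # Returns $true only when both values are present and exactly as required
    if (-not (Test-Path $EapolKey)) { return $false }
    $props = Get-ItemProperty -Path $EapolKey
    return ($props.SupplicantMode -eq 3 -and $props.AuthMode -eq 2)
}

Set-EapolMachineAuth
if (Test-EapolMachineAuth) {
    Write-Host 'EAPOL machine authentication values are in place.'
    # WZCSVC is the XP Wireless Zero Configuration service; it reads these
    # values at start-up, so restart it instead of rebooting
    Restart-Service -Name 'WZCSVC' -ErrorAction SilentlyContinue
} else {
    Write-Warning 'Registry values are not as expected; check the key manually in regedit.'
}
```

Run it from an elevated PowerShell prompt on the tablet; the checkbox on the Authentication tab still has to be set by hand (or by policy), since it is not stored under this key.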



Friday, May 1, 2009

Awesome iPhone App - Redlight Cameras


Yesterday I downloaded a new app for my iPhone. It is called Trapster and has the potential to be the most useful, and the most money-saving, app of them all. Do you hate redlight cameras as much as I do?? Do you hate coughing up $100 for a right turn on red?? Then download this app now!

Trapster runs on top of Google Maps, and users report where redlight cameras and speed traps are. As you drive, the app gives you an audible and visual alert when you are coming close to a speed trap or camera. Another nice feature is that it gives you traffic updates as well, even for routes and highways other than major free/toll ways.

This app will be a huge help when traveling in unfamiliar territory, especially for someone who has received a redlight ticket before.

Wednesday, May 14, 2008

Biztalk Training

Last week, I attended a 3-day Biztalk training session in which I learned a few things. But before that, I want to disclaim that I, by no means, am a Biztalk expert.

One, Biztalk databases must be backed up using the included SQL backup job. This backs up the database with the transaction logs and puts a stop point inside of the database so that restoration is easier. Two, a performance gain is not achieved until you reach 3 Biztalk servers, due to overhead consumption. Three, there is a patch out there if you are running Biztalk server on a VMware virtual server, which we are. I guess you start seeing weird memory errors if you don't have this patch. We have experienced some of these errors and are moving forward with deployment of this patch.

Friday, May 2, 2008

HP ze4900 Time and Date Problem


I somewhat started a little side business fixing PCs for people. I call it IT Pros PC Repair. I (we) are focused on professional repair service at an economical cost. But besides that, I recently was working on a customer's HP ze4900 laptop. She was telling me that the Windows time changes on her laptop and she thinks that her CMOS battery is going bad.
When I initially looked at it, the system clock in the BIOS was set to 1/1/04 12:00am. So I figured it could be her CMOS battery, but I still booted into XP and the time never changed again on me. Even when I unplugged all power sources to let the CMOS battery drain, when I booted again it didn't change at all. I could not duplicate the issue anymore. She said that she would be in Windows and the time would change right in front of her eyes. So I went ahead and popped it open to check out the type of battery. It was a Maxwell M1220 Rechargeable battery. I gave the laptop back to her and said to wait until it happens again and then check the time in the BIOS to see if it has changed as well. That would isolate the issue between the BIOS and Windows. Sure enough, it did change as well. You are now thinking BIOS battery, right? So she brought it back to me and wanted to move forward to order a new battery. After searching for the same battery for over an hour, I found a new one on eBay. So, I ordered it.
As I was waiting for the new battery, I was researching any issues with time and date on this model of laptop. One site suggested it was a MOBO change, and another suggested a Trojan virus that sets the time 2 years back. I booted the laptop and checked the BIOS. The clock was stopped at yesterday when I shut it down. Hmmm, seems like some funky BIOS. I then started researching a BIOS update from the HP site. The version on the laptop was F10 and the current was F16. So I went ahead with the flash. All seems better as of now. The monitor even looks sharper (that was a fix in F14) and the time in the BIOS actually moves now and has held the date and time so far. I'll wait until the battery arrives before closing the issue.


Wednesday, April 30, 2008

Last Few Weeks and Now

Last week my 2nd son, Haydn, arrived. He weighed in at 7lbs 14oz. He was born on his due date, which was 4/21/08. It just so happens that the week I took off of work to be with him is the week that the RDM environment was being installed. So, I kind of missed out on the brutal install, but the other good news is that we'll hopefully be finishing up today. Yesterday I was looking into extending our AD Schema to add an attribute to the User class that will represent the 2-digit country code. The software needs that to associate restaurants in different countries. So, hopefully I will have more details on that soon.
Today I'm troubleshooting our Juniper SSL VPN. It seems to time out the sessions when users are RDP'ing to the servers in our RSM Lab. I will also be finishing the Biztalk configuration for RDM today. Next week I'll be in Biztalk training, so I will have details on that soon.

Other than that, at home I've been watching "Carrier" on PBS. It's a great series that dives into the lives of the crew onboard the USS Nimitz.

Thursday, April 17, 2008

Cash Crunch Lunch

The Bennigan's is having a cash crunch lunch for the next 2 months (4/14/08 to 6/16/08). For $4.99 you can have a whole lunch of your choice.

Choices are:
- Items include the Turkey O’Toole, American Burger, Monte Cristo, Grilled Chicken Club Sandwich, and Golden Chicken Tenders
- New Fresh Options include Kilkenny’s Grilled Chicken Salad, Turkey Deli Sandwich & Soup, Soup & Salad Lunch Combo, Irish Grilled Cheese & Tomato Basil Soup, and Chicken Platter Lunch
- Drink choices include fountain drinks, iced tea, coffee or Deja Blue bottled water

I had the American Burger with fries and iced tea. I would say it wasn't bad for 5 bucks! But your options are limited.

Wednesday, April 16, 2008

Authorization Store

What is an Authorization Store?
This week I had to configure the Authorization Store for the RDM software. I must admit that this was a first for me. I didn't even know what an Authorization Store was before I did this. I soon found out that an authorization store is used to provide the authorization part of security. What I mean is that when you log into the software you have passed the authentication part. In other words, the system knows who you are, and now comes the authorization part. The system now needs to know what kind of access is associated with your account. That is where the Authorization Store comes in. In the software are some functions that do certain things like create distribution lists, write log files, and request file transfers. Each function has an access list associated with it. The software looks to the Authorization Store to see who has access to perform these functions.

Configuring an Authorization Store -
To configure an Authorization Store you must open Authorization Manager (AzMan) by adding it as a snap-in in MMC, or via Start>Run>AzMan.msc. Once open, click on Action>New Authorization Store. You can use AD (the domain must be in 2003 functional mode) or an XML file. We chose to use AD. Add "CN=StoreName" to the left of the LDAP string. Next, right-click on the store name and choose "New Application". Name the application. Next you will want to start by creating some Operation Definitions. Drill down to Definitions>Operation Definitions. Here you will start adding the definitions that the software uses, based on the operation number. We got this list from our application developers. Once all the Operation Definitions are complete you will want to start adding Task Definitions. Task Definitions are linked to a series of Operation Definitions. Again, we got this list from our application developers. After that come Role Definitions. Create a new Role Definition and name it something like Administrators. Then add Task and/or Operation definitions. For Administrators we added all the tasks, which is everything. For Power Users you add the Operations or Tasks that you see fit. For common users just add the Read and Execute Operations that you created, and so on.

Further on, we created Scopes to represent the Global and Country people. Global people will have access on every machine, while country users will have access to their specific country based on a country code in the AD user account. So after creating the Global scope we create 2 role definitions called Global Admins and Global Users. Then in the Global Admins definition we add the Administrators role that we created above. For Global Users you add the Common Users role, and so on. Then do the same with the Country scope, but with Country Admins and Country Users as the role definitions.

Did I confuse you yet? Good. Let's do a recap. In the Auth Store we have applications, in applications we have Scopes, and inside scopes are definitions (Roles, Tasks, and Operations) and Role Assignments. In the root Scope lie the 3 Role Definitions we created (Admin, Power User, Common User), a few Task Definitions, and a whole bunch of Operation Definitions. Then we added 2 more scopes (Global and Country), each with their own 2 Role Definitions (e.g. Global Admins and Global Users) that are linked to Admins and Common Users in the Root Role Definitions.

Good?? Now let's finish up. Next we want to Assign Roles. So, on the "Role Assignments" folder we right-click and choose "Assign Roles". Then pick the Role Definition you just created (e.g. Global Admins). After that we want to assign Windows users and groups. Right-click on the Role under Role Assignments and choose "Assign Windows Users and Groups", pick the AD group you are using for this (e.g. US-RDM Global Admins) and then you are done. Recap again: each scope has 2 Role Assignments (e.g. Global Admins and Global Users) that have Active Directory groups assigned to them, called "US-RDM Global Admins" and "US-RDM Global Users". In these AD groups we assign user accounts to fit these roles.

To conclude, the hierarchical structure from the user to the software goes something like this:
AD Users>AD Groups>Scope Role Assignments>Scope Role Definitions>Root Role Definitions>Assigned Root Task Definitions>Assigned Root Operations Definitions>Then linked to the ACL on the function inside the software.
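To make that hierarchy concrete, here is an added example (not the RDM project's code, and not from the original post) that builds the same chain with the AzRoles COM API from PowerShell, then runs an access check against it. It uses a throw-away XML store instead of AD so it runs on a single machine with Authorization Manager installed; the application name, operation IDs, task and role names, and the scope are placeholders modelled on the post, and the offline demo assigns the well-known BUILTIN\Administrators SID where the post uses the "US-RDM Global Admins" AD group.

```powershell
# Added example, not from the original post: build the AzMan hierarchy the
# post describes (Operations > Tasks > Root Role Definitions > Scope Role
# Definitions > Role Assignments > Windows group) with the AzRoles COM API.
# Uses an XML store so it runs without AD; all names and IDs are placeholders.
$storePath = Join-Path $env:TEMP 'RDM-AzStore.xml'
if (Test-Path $storePath) { Remove-Item $storePath }

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(4, "msxml://$storePath", $null)   # 4 = AZ_AZSTORE_FLAG_CREATE
$store.Submit(0, $null)

$app = $store.CreateApplication('RDM', $null)        # placeholder application name
$app.Submit(0, $null)

# 1. Operation Definitions: one per protected function; IDs here are invented
$operations = @{ 'CreateDistributionList' = 1; 'WriteLogFile' = 2; 'RequestFileTransfer' = 3 }
foreach ($name in $operations.Keys) {
    $op = $app.CreateOperation($name, $null)
    $op.OperationID = $operations[$name]
    $op.Submit(0, $null)
}

# 2. Task Definitions group operations
$task = $app.CreateTask('ManageDistribution', $null)
$task.AddOperation('CreateDistributionList', $null)
$task.AddOperation('RequestFileTransfer', $null)
$task.Submit(0, $null)

# 3. Role Definitions: in the COM API these are tasks with IsRoleDefinition set,
#    and a scope-level one can link back to an application-level one by name
function New-RoleDefinition($container, $name, $tasks, $ops) {
    $rd = $container.CreateTask($name, $null)
    $rd.IsRoleDefinition = $true
    foreach ($t in $tasks) { $rd.AddTask($t, $null) }
    foreach ($o in $ops)   { $rd.AddOperation($o, $null) }
    $rd.Submit(0, $null)
}
New-RoleDefinition $app 'Administrators' @('ManageDistribution') @('WriteLogFile')
New-RoleDefinition $app 'Common Users'   @()                     @('WriteLogFile')

# 4. Scope with its own role definitions linked to the root ones
$scope = $app.CreateScope('Global', $null)
$scope.Submit(0, $null)
New-RoleDefinition $scope 'Global Admins' @('Administrators') @()
New-RoleDefinition $scope 'Global Users'  @('Common Users')   @()

# 5. Role Assignment: bind the scope role definition to a Windows group
$assignment = $scope.CreateRole('Global Admins', $null)
$assignment.AddTask('Global Admins', $null)
# With AD you would resolve the post's group by name (domain is a placeholder):
#   $assignment.AddMemberName('YOURDOMAIN\US-RDM Global Admins', $null)
# Offline demo: well-known SID of BUILTIN\Administrators instead
$assignment.AddMember('S-1-5-32-544', $null)
$assignment.Submit(0, $null)

# 6. Access check for the caller's own token in scope 'Global';
#    result 0 for an operation means access granted, anything else denied
$ctx = $app.InitializeClientContextFromToken(0, 0, $null)
$results = $ctx.AccessCheck('demo-object', @('Global'), @(1, 2, 3), $null, $null, $null, $null, $null)
foreach ($i in 0..2) {
    $opName  = ($operations.GetEnumerator() | Where-Object { $_.Value -eq ($i + 1) }).Key
    $verdict = if ($results[$i] -eq 0) { 'allowed' } else { 'denied' }
    Write-Host ('{0,-24} {1}' -f $opName, $verdict)
}
```

Run it from an elevated prompt and all three operations come back allowed, since the elevated token is a member of BUILTIN\Administrators; from a non-elevated prompt they come back denied. Swapping the AddMember line for the commented AddMemberName call and the msxml:// URL for the store's LDAP path gives the AD-backed layout the post uses, with the group membership decided in AD rather than in the store.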