IAS : Only validate certificate, not AD account !
g***@supinfo.com
2007-11-29 16:45:20 UTC
Hello,

I would like to use IAS & EAP/TLS to authenticate COMPUTERS (not
users!) connecting to my wireless network. These computers are not in
my AD domain. They have computer certificates generated with my
standalone CA.
These computers do NOT have AD accounts; they are like "hotspot"
computers.

IAS will only be used to validate the revocation state of the computer
certificate trying to connect to the network.
If the certificate is revoked, the client cannot connect to the
network. If the certificate is valid, access is granted.

But IAS is not so friendly with me... I have just set an EAP / "Wireless
connection type" access policy rule in IAS, nothing relating to domain
users/groups.

The problem is that IAS is still trying to authenticate the
certificate name as a user through Active Directory (IAS is on a
domain controller).
And the username is quite strange: host/CertificateName (the "host/"
is part of the username, it is not a domain prefix. It seems to be
telling that it is a computer authentication)... And as I don't have a
user like this (and in any case, I cannot create a user with a "/" in
the username), IAS denies the connection request.

Do you know how to get rid of this Windows authentication and only
validate the certificate revocation state?

Thanks for all,

Guillaume
S. Pidgorny <MVP>
2007-11-30 22:34:33 UTC
IAS uses AD for authorisation, therefore accounts are required. Join the
computers to the domain. If you have reasons not to, just create accounts
with matching attributes (IAS does an LDAP lookup, but the computer account
password is not used and true membership is not required).
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
g***@supinfo.com
2007-11-30 23:07:36 UTC
Thanks for your answer.
Here is the message I posted on Expert-Exchange... Maybe it will help
you to better understand my problem:

---

Hello,

This is my first post on Expert-Exchange, I hope somebody will be able
to help me !

My objective:
Authenticating a non-domain computer for 802.1x EAP/TLS access to a
wireless network using a computer certificate, IAS, and a stand-alone CA.
If the certificate is revoked, the client cannot connect to the
network. If the certificate is valid, access is granted.


My constraints:
- Client computers are non-domain Windows XP SP2 laptop computers.
- I have no AD computer object in my Active Directory for these
computers, as they are not integrated in my domain.
- My RADIUS server is IAS. It is installed on a Windows Server 2003
domain controller.
- My CA is a Stand-Alone Certification Authority, also installed on the
domain controller.


My IAS configuration:
- Just a single access policy rule: Authentication-Type=EAP and NAS-
Port-Type="Wireless IEEE802.11".
- It seems that IAS has automatically integrated with my Active
Directory as they are on the same computer.


Resolved problems:
- Using the AuthMode=2 registry key on my client laptops, I am able to
force 802.1x to use only computer authentication (only use the
computer certificate, even if a user logs on).
- Not using an Enterprise CA because Enterprise-generated certificates
use a "Template" attribute, which is not suitable for non-domain computers.
- I generate certificates for the client computers (and install the root
CA) using CertSvr over an unsecured wired connection.


The problems I am not able to resolve:
- When a client authenticates, IAS tries to authenticate a user called
"host/CertificateName" through my Active Directory. This user does not
exist, so the connection is refused. The certificate is never
validated.

My PKI/IAS infrastructure seems to work, as when I do a user
authentication (disabling the AuthMode registry key and creating a user
called "CertificateName" in my AD), it works.
The certificate is validated by my CA, and access is granted.
I also tried creating a "host/CertificateName" AD account when doing
computer authentication. The Windows authentication passed, but I got an
error during the EAP negotiation.


My questions are:
- How to tell IAS not to make this Windows authentication before
validating the certificate, and only have an access policy based on the
certificate revocation state?
- If not possible, can an IAS extension do the job (code sample?)
- As I generate the client computer certificate manually without a
template, what are the needed attributes to perform computer
authentication through IAS (I already know the client and server auth OIDs
are needed, but there may be other needs...)?

Any different solutions to achieve my goal are welcome, if you think
mine is not good :)

Guillaume
g***@supinfo.com
2007-11-30 23:23:40 UTC
PS: With your solution, by creating a user in AD matched on the
username IAS tries to authenticate, I get an EAP transaction error after
the AD account validation.
The error appears on the client side (seen with an EAPOL trace):
NTE_BAD_KEYSET... Maybe a certificate problem, but as I am not using
a computer cert template (not an Enterprise CA), I generated a basic cert
using CertSvr with the server and client authentication OIDs.
Maybe also the fact that the certificate is absolutely not "linked" to
the computer (no FQDN or others...). The certificate subject or SAN
absolutely does not match the computer name... It may pose a problem on the
client side...
S. Pidgorny <MVP>
2007-12-01 06:09:01 UTC
Yes, the certificate CN must be the FQDN of the computer.

Additional diagnostic steps: capture LDAP traffic from IAS to DCs while the
computer attempts authenticating (you should see the request and response);
look at the system event log on the IAS server for detailed information.

One other thing: the client authentication attribute should be sufficient.
g***@supinfo.com
2007-12-01 12:04:06 UTC
Post by S. Pidgorny <MVP>
Yes, the certificate CN must be the FQDN of the computer.
But what is the FQDN of a non-domain computer?! I tried setting an
FQDN from a user I created... But IAS still adds "host/" before it, and
AD does not understand the request, as it tries to authenticate the FQDN
as a username :)
Post by S. Pidgorny <MVP>
One other thing: the client authentication attribute should be sufficient.
No, I tried, and the EAP negotiation stopped very early... The
server validates the username against AD and sends a RADIUS challenge, but
the client never responds to this challenge if the certificate does not have
the server auth OID.
In addition to the client NTE_BAD_KEYSET, I also have this in the client
EAPOL trace: SEC_E_LOGON_DENIED :)
S. Pidgorny <MVP>
2007-12-02 04:35:45 UTC
Post by g***@supinfo.com
Post by S. Pidgorny <MVP>
Yes, the certificate CN must be the FQDN of the computer.
But what is the FQDN of a non-domain computer?! I tried setting an
FQDN from a user I created... But IAS still adds "host/" before it, and
AD does not understand the request, as it tries to authenticate the FQDN
as a username :)
That consists of the computer name and the primary DNS suffix. On XP,
right-click My Computer, Properties, Computer Name tab, Change..., More... -
that will open the DNS Suffix and NetBIOS Computer Name window. Make the DNS
suffix match that of the domain.
g***@supinfo.com
2007-12-06 18:54:34 UTC
Problem resolved:
- Applying a realm rule in the IAS access policy to delete the "host/"
from the username to be authenticated
- Applying the RADIUS attribute "Ignore-User-Dialin-Properties"
- Applying KB915832 on the clients (http://support.microsoft.com/kb/915832)
- Creating an AD account whose name is the certificate subject
- Placing the root certificate in the computer store on the clients
- Checking server certificate validation in the EAP/TLS wireless
configuration on the clients using the root certificate below

I was not able to totally avoid AD authentication...
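The resolution above, and Pidgorny's earlier point that IAS resolves the identity to an AD account before anything else, can be seen as one chain of decisions. The following Python block is an added example for this thread, not code from IAS, from the poster or from Microsoft: it simulates the order in which IAS applies the access policy to an EAP-TLS computer authentication. The realm-rule regular expression, the account table, the computer names (laptop01.hotspot.example and so on), the certificate serial numbers and the CRL contents are all constructed here, and the dictionary lookup and serial-number check stand in for the real LDAP lookup and CryptoAPI chain/CRL validation. It shows why the "host/" prefix has to be removed before the lookup (an AD account name cannot contain "/"), why the account name must equal the certificate subject, where Ignore-User-Dialin-Properties takes effect, and where the revocation check the poster actually wanted sits relative to the AD step he could not remove.

```python
import re

# Constructed realm rule from the IAS access policy: a regex find/replace
# applied to the User-Name attribute before the AD lookup.  The Windows
# supplicant sends "host/<computer name>" for computer authentication, and
# an AD account name cannot contain "/", so the prefix is removed.
DEFAULT_REALM_RULES = [(r"^host/", "")]

# Constructed stand-in for the AD accounts the poster created, keyed by
# sAMAccountName.  Only the name and the dial-in setting matter here: the
# account password is never used in EAP-TLS.
AD_ACCOUNTS = {
    "laptop01.hotspot.example": {"dialin": "deny"},
    "laptop02.hotspot.example": {"dialin": "allow"},
}

# Constructed CRL from the standalone CA: serial numbers that were revoked.
REVOKED_SERIALS = {0x1002}


def apply_realm_rules(identity, realm_rules=DEFAULT_REALM_RULES):
    """Apply the policy's find/replace rules to the User-Name, in order."""
    for pattern, replacement in realm_rules:
        identity = re.sub(pattern, replacement, identity)
    return identity


def authorise(identity, cert_subject_cn, cert_serial,
              realm_rules=DEFAULT_REALM_RULES, ignore_dialin=True):
    """Decide one access request; returns (accepted, reason).

    identity        - User-Name sent by the client, e.g. "host/laptop01.hotspot.example"
    cert_subject_cn - CN of the client certificate presented in EAP-TLS
    cert_serial     - serial number of that certificate
    realm_rules     - the policy's realm rules ([] = no rule, as in the original setup)
    ignore_dialin   - the Ignore-User-Dialin-Properties policy attribute
    """
    # 1. Identity mapping.  As the thread shows, IAS resolves the User-Name to
    #    an AD account before it ever looks at the certificate.
    account_name = apply_realm_rules(identity, realm_rules)
    if "/" in account_name:
        return False, "identity %r cannot match any AD account name" % account_name
    account = AD_ACCOUNTS.get(account_name.lower())
    if account is None:
        return False, "no AD account named %s" % account_name
    # 2. Certificate checks: revocation state against the CA's CRL, and the
    #    subject must name the same computer as the account that was found.
    if cert_serial in REVOKED_SERIALS:
        return False, "certificate serial 0x%x is revoked" % cert_serial
    if cert_subject_cn.lower() != account_name.lower():
        return False, "certificate CN %s does not match account %s" % (cert_subject_cn, account_name)
    # 3. Account dial-in property, unless the policy says to ignore it.
    if not ignore_dialin and account["dialin"] == "deny":
        return False, "dial-in denied on account %s" % account_name
    return True, "access granted to %s" % account_name


if __name__ == "__main__":
    # Original setup (no realm rule): the "host/" identity never matches.
    print(authorise("host/laptop01.hotspot.example", "laptop01.hotspot.example", 0x1001, realm_rules=[]))
    # Resolved setup: realm rule, matching account, dial-in ignored.
    print(authorise("host/laptop01.hotspot.example", "laptop01.hotspot.example", 0x1001))
    # A revoked certificate is refused even though the account exists.
    print(authorise("host/laptop02.hotspot.example", "laptop02.hotspot.example", 0x1002))
```

The simulation deliberately leaves out what the thread does not settle: chain building to the root, the EKU requirements the poster was still probing, and the client-side NTE_BAD_KEYSET error, which happens on the laptop before IAS sees the certificate at all.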
Sjaak Banaan
2007-12-15 22:03:13 UTC
Hmm, I don't know, but...
You can send a mail to one of these addresses...
***@whoahdude.com
***@whoahdude.com
***@whoahdude.com

No need to search all over again.

Regards,
Sjaak