Bonded Authentication
Updated August 22, 2005
MSS 4.x
Summary:
This document describes all the steps needed for bonded authentication to
work properly. The most common configuration issues encountered when setting
up this feature are also listed, together with their resolutions.
Details:
The configuration of bonded authentication is done on the Trapeze MX, on the
wireless client and on the Active Directory/IAS Windows Domain Controller (both
2000 and 2003 versions are supported).
In this document we provide an example of how to configure Bonded
Authentication for a wireless user using 802.1X authentication, with PEAP as the
EAP method and MSCHAP-v2 as the inner authentication method. We used a
Microsoft Windows XP wireless client and a Microsoft Windows 2000 Server
machine as the domain controller.
It is important to understand that with Bonded Authentication there are two
authentications: first one for the computer (a Microsoft feature), and then one
for the user on the previously authenticated computer.
to Control Panel
Enter the hostname, select Domain and then enter the name of your
domain. You will be prompted for a username and password; these must be those
of the Domain Administrator account created earlier.
After this process you will need to reboot your computer. On the Windows
2000 Server machine you will see your computer name in the Computers section
of the Active Directory Users and Computers.
Another important thing to check before setting up the policy is whether the
Dial-in tab is present in the Computers > <hostname> window.
If this tab is missing from this window, follow this procedure to make it
visible (this is a Microsoft Windows 2000 Server problem only, so it does not
apply to Microsoft Windows 2003 Server):
- verify that the file mac8021x.ldf is present in the system32 subfolder of
your Windows installation directory
- type the following at the command prompt (in our example, the domain
name is supporttrapeze.local; the -c switch replaces the DC=DN placeholder in
the file with the distinguished name of your own domain):
ldifde -i -f %systemroot%\system32\mac8021x.ldf -c DC=DN DC=SUPPORTTRAPEZE,DC=LOCAL
- quit Active Directory Users and Computers and then reopen it to see the
changes. This procedure can be run only once for each Active Directory domain.
In the Dial-In tab change the Remote Access Permission setting from
Deny Access (the default) to Allow Access.
In the next window click Add, select Domain Computers, click Add,
then click OK.
For user authentication you first have to create a user and then add it
to a User Group in the Active Directory.
To do this:
- go to Users > New > User
- enter the user logon name, which will be the username used when
logging in to the network; click Next
- go to Users > New > Group
- select the User Group in the Users section of the Active Directory,
right-click it and select Properties
- select the Members tab, click Add..., select the user created previously,
click Add, then click OK
After creating the user and the User Group, go to
IAS > Remote Access Policies and create a new policy, this one for user
authentication. The steps for creating this policy are exactly the same as the
ones for the host authentication policy, with one main difference:
Now you have created the two Remote Access Policies needed for
bonded authentication.
In the following screen enter the name of your SSID (e.g. bonded-SSID)
and leave the other options as they are (Network Authentication: Open, Data
Encryption: WEP).
From the list below, select the Certification Authority that you used to
generate the certificate for your domain controller (more information on the
certificate setup can be found in the next section).
Uncheck the option on the Configure screen (this allows the user to enter
his own credentials instead of reusing the ones he entered at Windows logon).
5. Important information
a) How computer authentication works
When a computer configured for computer authentication is first booted, it
authenticates with its machine credentials as soon as a network link becomes
active. The MX assigns the computer to the appropriate VLAN and the
computer obtains an IP address on that VLAN through DHCP. All of this happens
before user login.
After a successful computer authentication, the Trapeze MX retains
information about the hostname in the dot1x clients list (show dot1x clients).
This is how it keeps track of users logging in from this machine; when a user
does so, the computer session on the MX is replaced by the user session.
If a user logs into the computer after computer authentication, the user
authentication supersedes the computer authentication. The MX assigns the
user to the appropriate VLAN (which may be a different VLAN from the one the
computer was previously assigned to) and the computer obtains an IP address on
this VLAN through DHCP. Dynamic DNS/DHCP integration allows the DNS address
record to be updated with the proper IP address when the authentication and
link state change between computer authentication and user authentication.
The purpose of this behavior is to perform computer authentication while no
user is logged on, so that Windows features that require network access (such
as Shared Folders, Remote Desktop Connection, etc.) work properly without user
intervention.
b) Certificate setup
Machine authentication is supported for EAP-TLS and PEAP methods.
These methods require certificates to be installed in the network.
In our example, with PEAP-MSCHAP-v2, it was necessary to have a web server
certificate on the Windows 2000 Server machine, and also to have the
Certificate Authority (CA) certificate installed on both the client and the
server. This way the client is able to validate the server's certificate.
With EAP-TLS, a user certificate must also be installed on the wireless
client, and authentication is then done through certificates rather than
through credentials entered by the user.
A very important point is to install the CA certificate on the wireless client
for the Local Computer as well, not only for the Current User. This is because
machine authentication takes place before the user logon, so the Local Computer
must also trust the certificates issued by the CA.
To install the certificate for the Local Computer on your wireless client, do
the following:
1. Go to Start > Run and type MMC.
2. Go to File > Add/Remove Snap-in, then Add, then Certificates, then
My user account, and hit Finish.
3. While still in Add Standalone Snap-in, select Certificates again, but
this time select Computer account, Next, then Local computer, and hit Finish.
7. Go back to the MMC window, hit F5 (or Refresh), and your CA certificate
should show up under Certificates (Local Computer) > Trusted Root
Certification Authorities > Certificates.
You are now ready to check Validate Server certificate under the Protected
EAP Properties of the WNIC.
c) Bonded-Auth timer explained
The Bonded-Auth timer is the number of seconds MSS retains session
information for an authenticated machine while waiting for a client to
(re)authenticate on the same machine. You can set the bonded
authentication period to a value from 1 to 300 seconds.
By default this timer is set to 0 seconds, which means that the
bonded-authentication feature is disabled.
The bonded-auth period needs to be set only if the network has clients that
use dynamic WEP, or that use WEP-40 or WEP-104 encryption with WPA or RSN.
This is related to the re-keying process that takes place with dynamic WEP
encryption. Only these clients can be affected by the 802.1X re-authentication
parameter or the RADIUS Session-Timeout parameter.
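The following Python model is an added illustration of the session handling described in sections 5a and 5c; it is not Trapeze code and does not reproduce the MSS implementation or the real output of show dot1x clients. It models a per-MAC session table on the MX: a machine session is created at boot, it is retained for the bonded-auth period after the client's link drops (which happens when the user logs on and the supplicant re-associates), and a user authentication within that window replaces the machine session and may move the client to a different VLAN. The rule that a user authentication is refused when no retained machine session exists for that MAC is this model's reading of what "bonded" means, and the MAC address, names and VLAN names are constructed sample values.

```python
"""Model of bonded-authentication session handling (added illustration, not MSS code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    kind: str                           # "machine" or "user"
    name: str                           # identity presented over 802.1X
    vlan: str                           # VLAN the MX assigned
    retain_until: Optional[int] = None  # set when the machine's link drops


class BondedAuthTable:
    """Per-client-MAC table standing in for the MX dot1x clients list."""

    def __init__(self, bonded_auth_period: int = 0):
        # 0 disables the feature; otherwise 1..300 seconds, as the note states.
        if bonded_auth_period != 0 and not 1 <= bonded_auth_period <= 300:
            raise ValueError("bonded-auth period must be 0 or 1..300 seconds")
        self.period = bonded_auth_period
        self.sessions: Dict[str, Session] = {}

    def machine_auth(self, mac: str, hostname: str, vlan: str) -> Session:
        # Computer authentication at boot, before any user has logged on.
        self.sessions[mac] = Session("machine", hostname, vlan)
        return self.sessions[mac]

    def link_down(self, mac: str, now: int) -> None:
        # The supplicant re-associates when the user logs on (or when dynamic
        # WEP re-keys). With the feature disabled the machine record goes away
        # at once; otherwise the MX keeps it for `period` seconds.
        sess = self.sessions.get(mac)
        if sess is None or sess.kind != "machine":
            return
        if self.period == 0:
            del self.sessions[mac]
        else:
            sess.retain_until = now + self.period

    def purge(self, now: int) -> None:
        # Drop machine records whose bonded-auth window has expired.
        self.sessions = {m: s for m, s in self.sessions.items()
                         if s.retain_until is None or now <= s.retain_until}

    def user_auth(self, mac: str, username: str, vlan: str, now: int) -> Optional[Session]:
        # Model assumption: a bonded user needs a retained machine session on
        # the same MAC. On success the user session supersedes the machine one.
        self.purge(now)
        prior = self.sessions.get(mac)
        if prior is None or prior.kind != "machine":
            return None
        self.sessions[mac] = Session("user", username, vlan)
        return self.sessions[mac]


# Constructed sample identities; the MAC, hostname and VLAN names are invented.
CLIENT_MAC = "00:0b:0e:aa:bb:cc"


def scenario(bonded_auth_period: int, user_delay: int) -> Optional[Session]:
    """Boot, link drop at t=100, then user authentication `user_delay` s later."""
    table = BondedAuthTable(bonded_auth_period)
    table.machine_auth(CLIENT_MAC, "labclient$", "vlan-machines")
    table.link_down(CLIENT_MAC, now=100)
    return table.user_auth(CLIENT_MAC, "alice", "vlan-users", now=100 + user_delay)


if __name__ == "__main__":
    print("within window :", scenario(60, 10))   # user session replaces machine session
    print("window expired:", scenario(60, 61))   # None: machine record already purged
    print("timer disabled:", scenario(0, 1))     # None: record dropped at link down
```

The two failing cases show why the note ties the timer to dynamic WEP and re-keying: every re-association drops the link, and unless the MX is told to hold the machine record for a while, the user's authentication arrives with nothing to bond to.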
Copyright
Copyright 2005 Trapeze Networks. 5753 W. Las Positas Blvd., Pleasanton, California 94588 U.S.A. All rights reserved.
All contents herein, including text, graphics, logos, icons, and images, is the property of Trapeze Networks and is
protected by U.S. and international copyright laws. The compilation (meaning the collection, arrangement, and assembly)
of all information within this document is the exclusive property of Trapeze Networks and is protected by U.S. and
international copyright laws. This document may only be used as a product and technical information source. Any other
use, including the reproduction, modification, distribution, transmission, republication, display, or performance, of the
content within this document is strictly prohibited without prior written permission from Trapeze Networks. Anyone
acquiring this document is not permitted to modify, distribute, publish, transmit or create derivative works of any material
found within this document for any public or commercial purposes.
Disclaimer
This document is provided by Trapeze Networks on an "as is" basis. Outside of specific and individual service
agreements, the Company makes no representations or warranties of any kind, express or implied, as to the operation of
any hardware or software, or the information, content, materials, or diagrams included within this document. Trapeze
Networks will not be liable for any damages of any kind arising from the use of this information, including but not limited to
direct, indirect, incidental, punitive, and consequential damages.
Confidentiality
The information contained within this document is confidential and proprietary information. The user of this information
agrees that they will use this information consistent with the applicable product warranty and documentation, and shall not
disclose to any third party any Confidential Information without the prior written consent of Trapeze. This information may
only be disclosed to Trapeze Networks employees, Authorized Resellers, and End-User Customers of Trapeze, as is
reasonably necessary to allow licensees to perform under all applicable warranty and support agreements, and to obtain
the benefits thereof; provided that any user of this information assumes an obligation of nondisclosure which protects the
Confidential Information under terms substantially similar to those herein.