
Technical Tips

Bonded Authentication
Updated August 22, 2005
MSS 4.x

Summary:
This document describes all the steps needed for bonded authentication to work
properly. The most common configuration issues encountered when setting up this
feature are also listed, together with their resolutions.
Details:
Bonded authentication is configured in three places: on the Trapeze MX, on the
wireless client, and on the Active Directory/IAS Windows domain controller (both
the 2000 and 2003 versions are supported).
In this document we walk through configuring Bonded Authentication for a wireless
user with 802.1X, using PEAP as the EAP method and MSCHAPv2 as the inner
authentication method. The client is a Microsoft Windows XP machine and the
domain controller is a Microsoft Windows 2000 Server.
It is important to understand that with Bonded Authentication there are two
802.1X authentications: first the computer authenticates with its machine account
(computer authentication is a feature of the Microsoft supplicant), and then the
user authenticates on that already-authenticated computer. The MX accepts the
user's authentication only if the machine authentication succeeded first; this is
what keeps domain users from connecting from machines that are not members of the
domain.

1. Adding a computer to a domain


Add the computer to the Active Directory domain running in your network. This
requires a network connection between the computer and the domain controller,
either wired or wireless.
Before adding the computer to the domain, you also need an account with the right
to join computers to the domain. This document uses a Domain Administrator user
created in the Active Directory for that purpose; a delegated account that can
only create computer objects is sufficient and is the safer choice, since its
password is typed on the client being joined.
On the Windows XP client machine, go to Control Panel > System > Computer Name
tab and select Change.

Enter the hostname, select Domain and then enter the name of your domain. You will
be prompted for a username and password; use the account described above.

After this process you will need to reboot the computer. On the Windows 2000
Server machine the computer name now appears in the Computers container of
Active Directory Users and Computers.

2. Configuring the Trapeze MX


The next step is to make all the configurations on the Trapeze MX: create a
service-profile, an encrypted SSID (in this case we use dynamic WEP), a
radio-profile and two authentication rules (one for the machine authentication
and one for the user authentication). SSID names are case-sensitive, so use the
same spelling, bonded-ssid, on the MX and on every client.
a) create a service-profile (e.g. bonded-sp) and define the name of your SSID
(e.g. bonded-ssid)
    set service-profile bonded-sp ssid-name bonded-ssid
b) map the service-profile to a radio-profile (e.g. bonded-rp)
    set radio-profile bonded-rp service-profile bonded-sp
c) configure the MP (in our example a directly connected MP-352 on port 10)
    set port type ap 10 model mp-352 poe enable
d) map the radio-profile just created to the radio of the MP just configured
    set ap 10 radio 1 radio-profile bonded-rp mode enable
e) configure the communication between the MX and the Active Directory/IAS
Windows 2000 machine (the RADIUS key secret is a placeholder; use a long random
string and enter the same value in the IAS client entry for the MX)
    set radius key secret
    set radius server Win2000 address 172.31.230.4
    set server group tac members Win2000
f) configure the two authentication rules
    set authentication dot1x ssid bonded-ssid host/*.*.* pass-through tac
    set authentication dot1x ssid bonded-ssid ** bonded pass-through tac
g) set the Bonded Auth period to the recommended value of 60 seconds (more
information about this timer follows later in this document)
    set dot1x bonded-period 60
The most important step is the one regarding the two authentication rules. MSS
processes the authentication rules in the order in which they appear in the
configuration (the order in which they were entered) and uses the first rule
whose user-glob matches. The general rule is to place the more specific rules
before the more general ones. For bonded authentication this means the host
authentication rule must always be placed first: the glob ** of the user rule
matches every identity, machine identities included, so if it came first the
machines would never reach their own rule.
The host authentication rule in our example has the user-glob host/*.*.*. The
word host followed by a / character must appear in every host authentication
rule, because the Windows supplicant presents the machine account as
host/hostname.domain. The glob after it selects the machines this rule applies
to. In our example, *.*.* means that every machine whose hostname plus domain
name consists of three components follows this rule (a single * matches one
component, up to the next . delimiter). The machine we used has the hostname
example and the domain name supporttrapeze.local, so its identity
host/example.supporttrapeze.local follows the rule with glob host/*.*.*. The
rule can also be more specific: to authenticate only the machines from the
office.hq.com domain, use the glob host/*.office.hq.com.
If your network has machines whose hostname plus domain name have different
lengths (for example 3 and 4 components) and you want to authenticate all of
them, you need a host rule for each length, one with glob host/*.*.* (3
components) and another with glob host/*.*.*.* (4 components).
The user authentication rule is created exactly like any other rule, except that
the keyword bonded is placed after the user glob. With bonded, MSS accepts the
user only if the machine the user is on has already passed a host rule within
the bonded period (see section 5c). Without it, any domain user could
authenticate from a machine that is not a domain member, and the host rule would
provide no protection at all.
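To make the glob and ordering behaviour concrete, here is a small Python model of how the MX walks these rules. It is an added example for this note, not Trapeze code. It assumes the glob semantics described above: * matches one name component up to the next delimiter (. @ or /), ** matches any identity, and a rule marked bonded accepts the user only when this machine has already passed a host rule. The identities it is fed are constructed; the two rules are the ones from step f).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a single "*" in an MSS user-glob stops at these delimiters; "**" does not.
DELIMITERS = ".@/"


@dataclass(frozen=True)
class Rule:
    """One 'set authentication dot1x ssid <ssid> <user-glob> [bonded] pass-through <group>' line."""
    user_glob: str
    bonded: bool
    server_group: str


def glob_to_regex(glob: str) -> str:
    """Translate an MSS-style user-glob into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")                                  # ** matches anything, delimiters included
            i += 2
        elif glob[i] == "*":
            parts.append("[^%s]*" % re.escape(DELIMITERS))     # * matches exactly one component
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def glob_matches(glob: str, identity: str) -> bool:
    return re.match(glob_to_regex(glob), identity, re.IGNORECASE) is not None


def first_matching_rule(rules: List[Rule], identity: str) -> Optional[Rule]:
    """Rules are evaluated in configuration order; the first match wins."""
    for rule in rules:
        if glob_matches(rule.user_glob, identity):
            return rule
    return None


def decide(rules: List[Rule], identity: str, machine_authenticated: bool) -> Tuple[Optional[str], str]:
    """Return (server_group, reason); server_group is None where MSS would reject."""
    rule = first_matching_rule(rules, identity)
    if rule is None:
        return None, "no rule matches %r; authentication fails" % identity
    if rule.bonded and not machine_authenticated:
        return None, "%r hit bonded rule %r but this machine has no prior host authentication" % (
            identity, rule.user_glob)
    return rule.server_group, "%r hit rule %r" % (identity, rule.user_glob)


# The two rules from section 2, in the order the document enters them.
CORRECT_ORDER = [
    Rule("host/*.*.*", bonded=False, server_group="tac"),
    Rule("**", bonded=True, server_group="tac"),
]
# The same two rules entered the other way round.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    # Constructed identities: the document's machine, a four-component machine, and a user.
    for identity, machine_ok in [
        ("host/example.supporttrapeze.local", False),
        ("host/laptop1.office.supporttrapeze.local", False),
        ("jdoe", True),
        ("jdoe", False),
    ]:
        print(decide(CORRECT_ORDER, identity, machine_ok))
    # With the bonded rule first, even the machine identity is swallowed by "**".
    print(decide(WRONG_ORDER, "host/example.supporttrapeze.local", False))
```

The four-component machine falls through to the ** bonded rule and is rejected, which is exactly the symptom you see when a host/*.*.*.* rule is missing; the reversed list shows why the host rule has to be entered first.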

3. Configure policies in IAS on the Windows 2000 Server

The user and computer information is stored in and read from Active Directory.
First, set up the host authentication policy. The hostname of the machine just
added to the domain already appears in the Members tab of Users > Domain
Computers in Active Directory.

Before setting up the policy, also check that the Dial-in tab is present in the
Computers > <hostname> properties window.

If this tab is missing, follow this procedure to make it visible (this is a
Microsoft Windows 2000 Server issue only, so it does not apply to Microsoft
Windows Server 2003):
- install Service Pack 3 or 4 for Microsoft Windows 2000 Server
- verify that the file mac8021x.ldf is present in the system32 subfolder of your
Windows installation directory
- type the following at the command prompt (in our example the domain name is
supporttrapeze.local; the -c switch replaces the placeholder DC=DN used in the
.ldf file with the distinguished name of your domain)
    ldifde -i -f %systemroot%\system32\mac8021x.ldf -c DC=DN DC=SUPPORTTRAPEZE,DC=LOCAL
- quit Active Directory Users and Computers and reopen it to see the changes.
This procedure should be run only once per Active Directory domain.
In the Dial-In tab change the Remote Access Permission setting from Deny Access
(the default) to Allow Access.

To create the Remote Access Policy for host authentication do the following:
- go to Internet Authentication Service (IAS)
- go to Remote Access Policies, right-click, New > Remote Access Policy
- enter the name of the policy, click Next
- click Add, select Windows Groups, click Add..
- in the next window click Add, select Domain Computers, click Add, then click OK
- click OK, click OK, click Next
- select Grant remote access permission, click Next
- click Edit Profile, select the Authentication tab
- check Extensible Authentication Protocol, go to the Configure.. screen and
select the server certificate that IAS will present to the clients (see section
5b for how this certificate is issued and trusted)
- click OK 3 times, click Finish
- after setting up the PEAP authentication, go to the Advanced tab of the Edit
Dial-In Profile window. This is where you set up the RADIUS attributes returned
for your machines. In our example the machine receives the name of its VLAN
during authorization.
  o in the Advanced tab click Add
  o select the attribute Vendor-Specific, click Add
  o click Add
  o set the Vendor Code to 14525 (Trapeze) and check Yes. It conforms (the
    attribute then follows the RADIUS RFC vendor-specific layout)
  o click Configure Attribute
  o set the attribute number to 1, the attribute format to String and the
    attribute value to default (the name of the VLAN)
  o click OK 3 times, click Close, click OK, click Finish
Now you have created the remote access policy for host authentication. This
policy appears in the Remote Access Policies section of IAS.
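The dialog above fills in one RADIUS Vendor-Specific attribute; the bytes IAS actually places in the Access-Accept look like this. The encoder and decoder below are an added example, not Trapeze or Microsoft code. They follow the RFC 2865 section 5.26 layout that the "Yes. It conforms" option selects (Type 26, Length, 4-byte Vendor-Id, then vendor-type, vendor-length and the value) with the Trapeze vendor id 14525, attribute number 1 and the VLAN name default from the steps above. The decoder rejects length fields that do not agree, which is the check a RADIUS parser needs before acting on a VLAN name.

```python
import struct
from typing import Tuple

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
TRAPEZE_VENDOR_ID = 14525     # "Vendor Code" entered in the IAS dialog
TRAPEZE_VLAN_NAME = 1         # "attribute number" entered in the IAS dialog
MAX_ATTR_LEN = 255            # RADIUS attribute Length is one byte and counts itself and Type


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build an RFC-conformant Vendor-Specific attribute (Type 26)."""
    total = 2 + 4 + 2 + len(value)                # Type+Length, Vendor-Id, vendor-type+vendor-length, value
    if total > MAX_ATTR_LEN:
        raise ValueError("value too long for one RADIUS attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner    # Vendor-Id is 4 bytes, network byte order
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, total) + body


def decode_vsa(attr: bytes) -> Tuple[int, int, bytes]:
    """Parse one Vendor-Specific attribute, refusing anything whose lengths do not add up."""
    if len(attr) < 8:
        raise ValueError("attribute too short for a vendor-specific header")
    attr_type, attr_len = struct.unpack("!BB", attr[:2])
    if attr_type != RADIUS_VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if attr_len != len(attr):
        raise ValueError("RADIUS Length does not match the bytes received")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_len != attr_len - 6:
        raise ValueError("vendor-length does not match the outer Length")
    return vendor_id, vendor_type, attr[8:]


def trapeze_vlan_name(vlan: str) -> bytes:
    """The attribute the host policy above returns: Trapeze VSA 1 carrying the VLAN name."""
    return encode_vsa(TRAPEZE_VENDOR_ID, TRAPEZE_VLAN_NAME, vlan.encode("ascii"))


def vlan_from_vsa(attr: bytes) -> str:
    """What the MX extracts before moving the client into that VLAN."""
    vendor_id, vendor_type, value = decode_vsa(attr)
    if vendor_id != TRAPEZE_VENDOR_ID or vendor_type != TRAPEZE_VLAN_NAME:
        raise ValueError("not a Trapeze VLAN-Name attribute")
    return value.decode("ascii")


if __name__ == "__main__":
    attr = trapeze_vlan_name("default")
    print(attr.hex())            # 1a0f000038bd010964656661756c74
    print(vlan_from_vsa(attr))   # default
```

Reading the hex back: 1a is Type 26, 0f is the total length 15, 000038bd is 14525, then 01 09 is vendor-type 1 with vendor-length 9 (2 header bytes plus the seven bytes of default).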

For user authentication you first have to create a user and then add it to a
User Group in Active Directory. To do this:
- go to Users > New > User
- enter the user logon name, which is the username used when logging in to the
network; click Next
- enter the password and check Password Never Expires (acceptable for a test
account; production accounts should follow your password policy)
- click Next, click Finish
- select the user created, right-click, select Properties
- in the Dial-In tab, select Allow Access
- go to Users > New > Group
- enter the name of the User Group and click OK
- select the User Group in the Users section of Active Directory, right-click,
select Properties
- select the Members tab, click Add.., select the user previously created, click
Add, click OK

After creating the user and the User Group, go to IAS > Remote Access Policies
and create a new policy, this one for user authentication. The steps for creating
this policy are exactly the same as for the host authentication policy, with one
main difference:
- instead of selecting the Domain Computers group, select the User Group you
have just created

Now you have created the two Remote Access Policies needed for bonded
authentication.

4. Configure the wireless client


On the Windows XP machine, enable the wireless card and then go to Control
Panel > Network Connections, right-click your wireless connection and click
Properties. In the Wireless Networks tab make sure that the option Use Windows to
configure my wireless network settings is checked. Click Add.

In the following screen enter the name of your SSID (bonded-ssid, spelled exactly
as on the MX) and leave the other options as they are (Network Authentication:
Open, Data Encryption: WEP).

Go to the Authentication tab:
- check Enable IEEE 802.1x authentication for this network
- check Authenticate as computer when computer information is available (this is
what triggers the host authentication)
- select Protected EAP (PEAP) as the EAP type

Go to the Properties screen:
- check Validate server certificate. Without it the client completes PEAP with
any server that presents a certificate, so a rogue access point with its own
RADIUS server could collect the MSCHAPv2 exchange and attack the user's password
offline.
- from the list below select the Certification Authority that issued the
certificate of your domain controller; more information about the certificate
setup is in the next section
- select Secured Password (EAP-MSCHAP v2)
- in its Configure screen, uncheck Automatically use my Windows logon name and
password (this lets the user enter credentials instead of reusing the ones
entered at Windows logon)

5. Important information
a) How computer authentication works
When a computer configured for computer authentication boots, it authenticates
with its machine credentials as soon as a network link becomes active. The MX
assigns the computer to the appropriate VLAN and the computer obtains an IP
address on that VLAN through DHCP. All of this happens before user logon.
After a successful computer authentication, the Trapeze MX retains the hostname
in the dot1x clients list (show dot1x clients). This is how it keeps track of
users logging in from this machine; when a user then authenticates, the computer
session on the MX is replaced by the user session.
If a user logs into the computer after computer authentication, the user
authentication supersedes the computer authentication. The MX assigns the user
to the appropriate VLAN (which may differ from the VLAN the computer was
previously assigned to) and the computer obtains an IP address on this VLAN
through DHCP. Dynamic DNS/DHCP integration allows the DNS address record to be
updated with the new IP address when the authentication and link state change
between computer authentication and user authentication.
The purpose of this behavior is to perform computer authentication while no user
is logged on, so that Windows features that need network access (shared folders,
Remote Desktop Connection, etc.) work without user intervention.
b) Certificate setup
Machine authentication is supported for the EAP-TLS and PEAP methods. Both
require certificates to be installed in the network.
In our example, with PEAP-MSCHAPv2, it was necessary to have a server (Web
Server template) certificate on the Windows 2000 Server machine and to have the
Certificate Authority (CA) certificate installed on both the client and the
server. This is what lets the client validate the server's certificate.
With EAP-TLS it is also necessary to have a user certificate installed on the
wireless client (and a computer certificate for the machine authentication), and
authentication is done with certificates rather than with credentials entered by
the user.
A very important point is to install the CA certificate on the wireless client in
the Local Computer store as well, not only in the Current User store. Machine
authentication takes place before the user logs on, so the Local Computer must
also trust the certificates issued by the CA.
To install the CA certificate for the Local Computer on your wireless client, do
the following:
1. Start > Run and type MMC.
2. Go to File > Add/Remove Snap-in, then Add, then Certificates, then My user
account, and hit Finish.
3. While still in Add Standalone Snap-in, select Certificates again, but now
select Computer account, Next, then Local computer, and hit Finish.
4. Hit Close and OK until you are back in the MMC.
5. Open Trusted Root Certification Authorities > Certificates, both for Current
User and for Local Computer, and look for the CA certificate you need in each.
If the CA certificate is not there:
1. Open a browser to the CA (http://<ip-address>/certsrv). Select Download a CA
certificate. DO NOT select the Install CA certificate chain link; go to the
bottom of the screen and select Download CA certificate chain.
2. If you need to start the certificate service on the CA, use net start certsvc.
3. Save the certificate on your computer (the desktop, for example) and browse to
the file.
4. Right-click the file and select Install Certificate. Hit Next.
5. DO NOT use the default Automatically select the certificate store; choose the
radio button Place all certificates in the following store.
6. Hit Browse, check the box Show physical stores, open Trusted Root
Certification Authorities, select Local Computer. Hit OK (you are back in the
Certificate Import Wizard). Hit Next. Hit Finish.
7. Go back to the MMC window, hit F5 (or Refresh), and your CA certificate should
show up under Certificates (Local Computer) > Trusted Root Certification
Authorities > Certificates.
You are now ready to check Validate server certificate under the Protected EAP
Properties of the wireless NIC.
c) Bonded-Auth timer explained
The Bonded-Auth timer is the number of seconds MSS retains session information
for an authenticated machine while waiting for the 802.1X client on that same
machine to (re)authenticate the user. You can set the bonded authentication
period to a value from 1 to 300 seconds.
By default this timer is 0 seconds, which means that the bonded authentication
feature is disabled.

The bonded-auth period needs to be set only if the network has clients that use
dynamic WEP, or WEP-40 or WEP-104 encryption with WPA or RSN. This is related to
the re-keying that takes place with dynamic WEP encryption: only these clients
are affected by the 802.1X reauthentication parameter or the RADIUS
Session-Timeout attribute, which can end the machine session before the user has
authenticated. A period that is too short therefore shows up as user logons
failing with no matching machine session; 60 seconds is the recommended value
used in section 2.
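The timer is easiest to reason about as a per-MAC memory of machine authentications that is consulted whenever a user hits a rule marked bonded. The Python model below is an added example for this note, not Trapeze code. It follows the definition above: a user is bonded only if the same MAC passed a host rule within the last bonded-period seconds, and a period of 0 means the feature is off. The 60-second period is the document's value; the MAC addresses and the timeline are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MachineSession:
    hostname: str
    authenticated_at: float      # when the host/ rule last passed for this MAC


@dataclass
class BondedAuthTracker:
    """Per-MAC record of machine authentications, judged against the bonded-period."""
    bonded_period: int                                    # seconds; 0 = bonded auth disabled
    sessions: Dict[str, MachineSession] = field(default_factory=dict)

    def machine_authenticated(self, mac: str, hostname: str, now: float) -> None:
        """Record a successful host rule authentication (this also happens on a dynamic-WEP re-key)."""
        self.sessions[mac] = MachineSession(hostname, now)

    def user_auth_allowed(self, mac: str, now: float) -> Tuple[bool, str]:
        """Answer for a user who matched a rule marked 'bonded' while on this MAC."""
        if self.bonded_period == 0:
            return False, "bonded-period is 0: bonded authentication disabled"
        session = self.sessions.get(mac)
        if session is None:
            return False, "no machine authentication recorded for %s" % mac
        age = now - session.authenticated_at
        if age > self.bonded_period:
            return False, "machine %s authenticated %.0fs ago, beyond bonded-period %ds" % (
                session.hostname, age, self.bonded_period)
        return True, "bonded to %s (%.0fs old)" % (session.hostname, age)

    def active_machines(self, now: float) -> List[str]:
        """Hostnames still within the bonded-period, i.e. what 'show dot1x clients' would still list."""
        if self.bonded_period == 0:
            return []
        return sorted(s.hostname for s in self.sessions.values()
                      if now - s.authenticated_at <= self.bonded_period)


if __name__ == "__main__":
    mx = BondedAuthTracker(bonded_period=60)
    t0 = 1000.0                                             # constructed timeline, in seconds
    mx.machine_authenticated("00:11:22:33:44:55", "host/example.supporttrapeze.local", t0)
    print(mx.user_auth_allowed("00:11:22:33:44:55", t0 + 30))   # user logs on 30 s later: allowed
    print(mx.user_auth_allowed("00:11:22:33:44:55", t0 + 120))  # too late: denied
    print(mx.user_auth_allowed("66:77:88:99:aa:bb", t0 + 5))    # laptop that never did machine auth: denied
    print(BondedAuthTracker(bonded_period=0).user_auth_allowed("00:11:22:33:44:55", t0))
```

The third call is the security property bonded authentication buys: a valid domain user on a machine that never authenticated as a domain member is refused, regardless of the password being correct.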

Support: For further assistance, contact the Trapeze Networks Technical
Assistance Center (TAC) at 1-866-TRPZ-TAC (1-866-866-9822) in the US and
Canada. From other countries, call +1 925-474-2400.

Copyright
Copyright 2005 Trapeze Networks. 5753 W. Las Positas Blvd., Pleasanton, California 94588 U.S.A. All rights reserved.
All contents herein, including text, graphics, logos, icons, and images, is the property of Trapeze Networks and is
protected by U.S. and international copyright laws. The compilation (meaning the collection, arrangement, and assembly)
of all information within this document is the exclusive property of Trapeze Networks and is protected by U.S. and
international copyright laws. This document may only be used as a product and technical information source. Any other
use, including the reproduction, modification, distribution, transmission, republication, display, or performance, of the
content within this document is strictly prohibited without prior written permission from Trapeze Networks. Anyone
acquiring this document is not permitted to modify, distribute, publish, transmit or create derivative works of any material
found within this document for any public or commercial purposes.
Disclaimer
This document is provided by Trapeze Networks on an "as is" basis. Outside of specific and individual service
agreements, the Company makes no representations or warranties of any kind, express or implied, as to the operation of
any hardware or software, or the information, content, materials, or diagrams included within this document. Trapeze
Networks will not be liable for any damages of any kind arising from the use of this information, including but not limited to
direct, indirect, incidental punitive, and consequential damages.
Confidentiality
The information contained within this document is confidential and proprietary information. The user of this information
agrees that they will use this information consistent with the applicable product warranty and documentation, and shall not
disclose to any third party any Confidential Information without the prior written consent of Trapeze. This information may
only be disclosed to Trapeze Networks employees, Authorized Resellers, and End-User Customers of Trapeze, as is
reasonably necessary to allow licensees to perform under all applicable warranty and support agreements, and to obtain
the benefits thereof; provided that any user of this information assumes an obligation of nondisclosure which protects the
Confidential Information under terms substantially similar to those herein.