
802.1x Authentication and the Novell Client for Windows

Novell Cool Solutions: Feature


Posted: 23 Mar 2006
 

Overview

Novell customers often ask if the Novell Client for Windows interoperates with 802.1x authentication protocols. As of the Novell Client 4.91 SP2 for Windows 2000/XP/2003, the Novell Client does not include an 802.1x authentication supplicant or direct support for invoking a third-party supplicant. The Novell Client does allow third-parties to extend the Novell login experience, however, and some third-party 802.1x authentication products have taken advantage of that support to integrate the authentication experience between their product and the Novell Client for Windows.

In addition, even without third-party products, the Novell Client for Windows can be used successfully in an 802.1x authentication environment, within certain limitations. Some EAP protocols and RADIUS configurations work as expected, while others do not.

This document presents authentication scenarios that function correctly. It does not provide an exhaustive examination of all possible authentication scenarios or a comprehensive list of third-party 802.1x authentication solutions.

Problem

Users want the ability to enter their username and password once to establish a secure connection to an enterprise wireless or wired 802.1X network, VPN Client, and to Novell services.

Currently, they must log in twice. When the Novell Client is installed, a user must log in using the Workstation Only check box on the initial login dialog to allow 802.1x user authentication when the desktop is initialized, and then they must log in to the Novell network using the "red N" login utility. This is referred to as a two-stage login.

Why the Problem Occurs

Local and network login behavior with the Novell Client installed differs from the behavior without it. One reason for this is that the Microsoft authentication module (MSGINA) performs authentication in a different sequence than Novell's authentication module (NWGINA). The Microsoft authentication process allows local credentials to be cached, so the desktop can be initialized without issuing any network traffic. Because the Novell authentication process requires network access, it cannot succeed until 802.1x authentication has taken place and network protocol frames can be forwarded through the wireless access point.

This crucial difference in authentication request ordering is visible when you initialize a desktop through a Microsoft login with the Novell Client not installed. If no workstation authentication is performed via 802.1x, you might not be authenticated to the network, but you would not notice a problem because no network protocols are required for authentication to the local machine. Only when you need network access must you authenticate to the network.

Workarounds

An alternative to the "workstation only login" is configuring the Novell Client to use "Initial Novell Login=Off" in the Advanced Login settings (the default is "Initial Novell Login=On").

Third-party 802.1x supplicants may not require a "two-stage login" with the Novell Client installed. These products can be found at:

Solutions

The following solutions have been tested on workstations running Microsoft Windows XP Professional with its native 802.1x supplicant. While third-party 802.1x solutions are likely to provide more functionality, flexibility, and more supported protocols, the native supplicant provided by Microsoft is at least a fair starting point.

Prerequisites

The following hardware and software requirements must be met to successfully use the solutions offered in this document.

Hardware Requirements

  • Wi-Fi Certified Access Point (AP), wired or wireless


  • Workstation capable of running Windows XP with Wi-Fi Certified NIC Card
    A list of certified Wi-Fi hardware can be found at: http://certifications.wi-fi.org/wbcs_certified_products.php


  • Server capable of running either:
    1. SUSE Linux Server with SAMBA and FreeRADIUS with eDirectory
    2. Windows 2003 Server acting as a RADIUS Server with Active Directory

Software Requirements

  • Windows XP SP2 with the WPA2/Wireless Provisioning Services patch applied. Microsoft Windows XP SP2 with the WPA2 patch provides PEAP-MSCHAPv2 and EAP-TLS support. If other EAP or challenge protocols are needed, they, along with their supporting supplicant, should be purchased from third-party 802.1x vendors.


  • Driver software for Wi-Fi Certified NIC (see wi-fi.org for certification details)


  • Choice of either:
    1. SUSE Linux Server with Samba, FreeRADIUS, and eDirectory
    2. Windows Server 2003 with Active Directory or Domain, Certificate Server, IIS (Internet Information Services) and IAS (Internet Authentication Services)

How to Configure

This section explains how to configure each of the following servers:

  • OES Linux server with Samba and FreeRADIUS installed
  • Windows 2003 server
  • Windows XP workstation

Configuring Samba Server

  1. Install OES with Samba. While installing OES, install Samba and set it up as a primary domain controller. For additional information, refer to the following links:


  2. In order to automatically create machine objects in eDirectory when a machine joins the domain, the SMB.CONF file must be modified to match your environment. Edit the SMB.CONF file to include the "add machine script" directive:

     add machine script = /usr/bin/namuseradd -a cn=admin,o=novell -w mypassword -x o=novell -g cn=grp-smb-machines,ou=group,ou=samba,o=novell '%u'

    Note: Additional information is available from the NDSEngineers support forum: http://www.ndsengineers.com/showthread.php?t=119696&page=1&pp=10

    Note: A sample smb.conf file is available from http://www.novell.com/support in TID 10100693

Configuring FreeRADIUS Server

  1. Read the Novell "Cool Solutions" article at http://www.novell.com/coolsolutions/tip/15922.html for information describing how to configure FreeRADIUS with eDirectory.


  2. The FreeRADIUS configuration file must contain attribute rewrite rules in order to modify the incoming username into a format which matches the names in eDirectory. Windows XP sends the username in the form DOMAIN-NAME\USERNAME and the machine name in the form HOST/MACHINE-NAME. In order to work correctly, the domain and host need to be removed. Additionally, the MACHINE-NAME needs a $ appended to it in order to match the name created when the machine joined the domain. For machine-based or user-based authentication, modify the RADIUSD.CONF file by adding the following lines:

     attr_rewrite copy.user-name {
         attribute = Stripped-User-Name
         new_attribute = yes
         searchfor = ""
         searchin = packet
         replacewith = "%{User-Name}"
     }
     attr_rewrite add-dollar-sign {
         attribute = Stripped-User-Name
         searchfor = "^(host/.*)"
         searchin = packet
         new_attribute = no
         replacewith = "%{1}$"
     }
     attr_rewrite strip-realm-name {
         attribute = Stripped-User-Name
         new_attribute = no
         searchin = packet
         searchfor = "^(.*[\\/]+)"
         replacewith = ""
         max_matches = 1
     }

     Note: A sample radiusd.conf file is available from http://www.novell.com/support in TID 10100693


  3. Complete the steps listed in "Configuring Windows XP Workstations" below.
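The three attr_rewrite rules above only produce a name that exists in eDirectory when they run in the listed order (copy, add-dollar-sign, strip-realm-name): if the realm were stripped first, the "host/" prefix that add-dollar-sign keys on would already be gone. The following Python script is an added example, not part of the article or of FreeRADIUS; it applies the article's two regular expressions to constructed sample User-Name values and checks the result against a constructed set of eDirectory names.

```python
import re

# Constructed sample User-Name values in the forms the article says Windows XP
# sends: DOMAIN-NAME\USERNAME for a user, host/MACHINE-NAME for a machine.
SAMPLE_USER_NAMES = ["NOVELL\\jdoe", "host/WS-LAB01", "jdoe"]

# Constructed eDirectory names: the Samba "add machine script" creates the
# machine object with a trailing '$', the user object has no domain prefix.
EDIR_NAMES = {"jdoe", "WS-LAB01$"}

# Each tuple mirrors one attr_rewrite block from the article, in the article's
# order. The copy.user-name step is the initial assignment in normalize().
RULES = [
    # add-dollar-sign: "host/NAME" -> "host/NAME$" (replacewith = "%{1}$")
    ("add-dollar-sign", re.compile(r"^(host/.*)"), r"\1$"),
    # strip-realm-name: drop everything up to the last '\' or '/' (max_matches = 1)
    ("strip-realm-name", re.compile(r"^(.*[\\/]+)"), ""),
]


def normalize(user_name, rules=RULES):
    """Return the Stripped-User-Name the RADIUS server would look up."""
    stripped = user_name  # copy.user-name: Stripped-User-Name = User-Name
    for _name, pattern, replacement in rules:
        stripped = pattern.sub(replacement, stripped, count=1)
    return stripped


def normalize_wrong_order(user_name):
    """Same rules with strip-realm-name run first; machine names lose their '$'."""
    return normalize(user_name, rules=list(reversed(RULES)))


def resolves(user_name, directory=EDIR_NAMES):
    """True if the normalized name matches an object in the (constructed) directory."""
    return normalize(user_name) in directory


if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        print(f"{name!r:20} -> {normalize(name)!r:12} found={resolves(name)}"
              f"  (wrong order: {normalize_wrong_order(name)!r})")
```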

Configuring Windows 2003 Server

  1. Install Windows 2003 Server with IAS (Internet Authentication Services) and IIS (Internet Information Services) on a server.


  2. Set up the Windows 2003 Server to act as a RADIUS server with wireless access (with Active Directory and Domain Name Services (DNS) configured). For a checklist of steps, use the Help and Support Center on the Windows 2003 Server to find the "Wireless access" topic and the "Configuring IAS Server and wireless access points for wireless access" subtopic.


  3. Set up a certificate service on Windows 2003 Server
    Note: This step is required regardless of whether EAP-TLS certificate-based authentication is desired. A certificate is required to set up the IAS policies. This is covered in the instructions for configuring IAS for wireless access in the Windows 2003 Help and Support Center.


  4. If certificate-based user authentication is desired, certificates must be deployed to the workstations. For instructions on how to configure certificate-based authentication, find the "Certificate-based authentication" topic in the Windows 2003 Server Help and Support Center then select "Network access authentication and certificates" from the pop-up list.


  5. Configure IAS for wireless access. Instructions can be found at: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/7f26a61e-8dfa-455f-b596-53aa6349f051.mspx

Configuring Windows XP Workstations

Note: Do not install the Novell Client before performing these steps.

  1. Refer to the documentation provided with your wireless access point. Follow the instructions listed for setting up the access point for RADIUS-based authentication.


  2. Configure a workstation with Windows XP SP2.


  3. Install driver software for the Wi-Fi NIC.


  4. Apply the WPA2 Patch to the Windows XP SP2 workstation. The download location for the wireless provisioning patch can be found at http://support.microsoft.com/?id=893357


  5. Configure the workstation to use Windows to configure your wireless settings. Instructions can be found in the Windows 2003 Server Help and Support Center topic "Wireless Network Clients" and subtopic "Managing."


  6. Checkpoint: Verify that authentication works as expected.
    Note: Do not proceed if you cannot authenticate as a local user to the directory or domain (for example, eDirectory, Active Directory, or the Windows Domain) through RADIUS.


  7. Install the Novell Client for Windows.
    Note: User-only authentication requires a two-stage login or use of a third-party product.


  8. Verify that both 802.1x and Novell network authentication work as expected.

Troubleshooting

  1. Ensure that you have a working 802.1x configuration before installing the Novell Client for Windows. With so many configuration steps, problems can occur at any point along the way. Ensuring that you are successfully authenticating as a user before installing the Novell Client will help to isolate any problem to an 802.1x hardware/software configuration issue or a Novell Client issue.


  2. If you experience a successful workstation (machine) authentication followed by a failed user authentication, refer to the server event viewer's system event log for details on the error.


  3. If you fail to authenticate as a workstation but later can successfully authenticate as a user, it is possible that your authentication authority (RADIUS) is not correctly configured to authenticate workstation objects. Local workstation policy can be configured for Microsoft Windows so that "user object-only" authentication, "workstation object-only" authentication, or both can be set as policy for a particular workstation. This policy management is done via existing tools and processes on Microsoft Windows.


  4. With Windows servers, if you receive an error code 97 in the IAS system event log, you might need to remove all the NIC card add-on software except for the NIC driver itself.
    Note: Remove everything except the NIC driver. Often, services are installed by the vendor that might interfere with the operation of both the Microsoft and Novell GINA components. This should be done manually by an experienced administrator because most vendors do not have a driver-only installation option.


  5. If an established 802.1x session drops randomly, try halting the Wireless Zero Config service shortly after the authentication process has completed successfully. This is probably a defect in the Microsoft Wireless Zero Config service, though this has yet to be independently confirmed.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell