PEAP - login scripts

loobitize
Level 1

I am running a wireless LAN controller and clients are using WPA and PEAP MSCHAP 2 for authentication to a Cisco ACS server version 3.3. When a user logs on, the login script does not run. I was able to get the login script to run by using computer authentication, but that option presents a security risk if the laptop is stolen (the thief could reset the Windows admin account and log on locally with access to our network). Is there any way to make the login script run without using computer authentication? We used to run LEAP, which worked well because the Cisco supplicant modified the GINA and ran before logon. Are there any supplicants that would do the same thing for PEAP?

6 Replies

b.kokken
Level 1

This is due to a timing issue.

The ADU software that comes with a CardBus 21 ABG card has a solution for it by specifying the group policy delay.

I am not sure if group policy delays can be changed with other network cards.

Thanks,

Bas Kokken

The delay is set to 60 seconds and I still have the issue. I think what I need is a supplicant with a Windows GINA. The Funk supplicant has a GINA that I tested and it works well. With the Funk supplicant, authentication is performed after the user enters their Windows username and password, but before Windows starts the logon process. This provides more security than machine authentication in the case of a stolen laptop, while still allowing the logon script to run. The Funk supplicant will set you back about $2000 for 50 licenses. If anyone knows of any alternatives, please let me know.

Thanks

I have a similar problem with wired 802.1X authentication. Following your post I downloaded the Funk supplicant and configured it to connect prior to Windows login, with the Odyssey GINA, but I still have errors with the missing domain logon script. I am using dynamic VLANs depending on user group assignment, and all port authentications are followed by an IP address exchange from DHCP. Machine authentication is also used and drops the machine into a different VLAN with a different IP subnet. I am using PEAP/MS-CHAP V2.

Could you give details on the configuration of the Funk supplicant which solved the problem with login scripts?

Thanks

The configuration of the Funk client was a little tricky, but makes sense after you get through it once. I called Funk tech support and they were helpful in getting it to work correctly.

I configured it by going to Settings | Odyssey client administrator. Under connection settings:

- Select 'prior to Windows logon, using the following settings' (your adapter, your network).

- Prompt to connect: never

Under the machine account tab, everything should be unchecked.

Under initial settings:

- Configure your network. Under trusted servers, I had to add the certificate used by our Cisco ACS AAA server.

That's about it. I would recommend calling them if you have trouble. The tech I spoke to seemed to know the product and what I wanted to do pretty well.

I have faced a similar problem. Having looked into it, I found a possible solution: it is necessary to make changes to the registry.

With the default configuration settings you will not see an EAPOL-Logoff being sent when the current entity logs off on the peer device, and the behavior shall be as I have described in the earlier emails and phone conversation.

One may change the registry configuration setting to allow an EAPOL-Logoff to be sent when the IEEE 802.1X Supplicant enters the LOGOFF state. This is controlled by the registry settings described below, all under the hive HKEY_LOCAL_MACHINE.

Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode (REG_DWORD)

- 0: Disable IEEE 802.1X operation.
- 1: Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all scenarios.
- 2: Include learning to determine when to initiate the transmission of EAPOL packets.
- 3: Compliant with the IEEE 802.1X specification.

If this parameter is set in the registry, the service should be restarted for the parameter to take effect.

Default:

- This registry value is not created by default.
- The default value for this parameter is set in the service as:
  - Wireless interfaces: SupplicantMode = 3
  - Wired interfaces: SupplicantMode = 2

Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode (REG_DWORD)

- 0: Machine authentication mode as in the Windows XP client RTM. When a user logs in, if the connection has already been authenticated with machine credentials, the user's credentials are not used for authentication.
- 1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user's credentials.
- 2: Machine authentication only. Whenever a user logs in, it has no effect on the connection; 802.1X authentication is performed using machine credentials only.

If these parameters are set in the registry, the service should be restarted for the parameters to take effect.

Default:

- This registry value is not created by default.
- The default value for this parameter is set in the service as AuthMode = 1.

In the wired-Ethernet case one should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable machine authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. The connection will be terminated right away. Since machine authentication is disabled and/or machine credentials are unavailable, machine authentication will not complete successfully. When an interactive user logs on, an EAPOL-Logoff will be sent again, followed by an EAPOL-Start, and authentication will carry on using the user's credentials.

Note that this is effectively the behavior one observes in the case of Windows XP RTM Build 2600 without the relevant QFE patches. Also, as I indicated earlier, the lack of network connectivity on user logon (since machine authentication is disabled) or severing the network connectivity immediately on user logoff may impact policy downloads/uploads.
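The registry change described in the post above, as an added PowerShell example that is not part of the thread or of any Microsoft documentation. The key path and the value meanings are taken from the post; the default values (3/0), the parameter names, the range checks and the service name 'Wzcsvc' (the Wireless Zero Configuration service, assumed here to host the XP EAPOL supplicant that has to be restarted) are this example's own assumptions. Run it elevated on the XP client; pass -Restart to bounce the service, otherwise it only reports that a restart is still needed.

```powershell
# Added example: apply the SupplicantMode / AuthMode EAPOL registry values
# from the post above. Not code from the thread; the service name below is
# an assumption, as are the defaults and parameter names.
param(
    [int]$SupplicantMode = 3,        # 3 = compliant with IEEE 802.1X (sends EAPOL-Start/Logoff)
    [int]$AuthMode       = 0,        # 0 = XP RTM machine-auth mode (see the post for 0/1/2)
    [string]$ServiceName = 'Wzcsvc', # assumed: Wireless Zero Configuration hosts the XP supplicant
    [switch]$Restart
)

# Key path as given in the post, under HKEY_LOCAL_MACHINE.
$key = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# Reject values outside the documented ranges before touching the registry.
if ($SupplicantMode -lt 0 -or $SupplicantMode -gt 3) { throw 'SupplicantMode must be 0..3' }
if ($AuthMode -lt 0 -or $AuthMode -gt 2)             { throw 'AuthMode must be 0..2' }

# The post notes that neither value exists by default, so the key itself may be missing.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Record what is currently set. An empty field means "not created", i.e. the
# service default applies (SupplicantMode 3 wireless / 2 wired, AuthMode 1).
$before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
'Before: SupplicantMode={0} AuthMode={1}' -f $before.SupplicantMode, $before.AuthMode

# Write both values as REG_DWORD, matching the type named in the post.
Set-ItemProperty -Path $key -Name SupplicantMode -Value $SupplicantMode -Type DWord
Set-ItemProperty -Path $key -Name AuthMode       -Value $AuthMode       -Type DWord

# Read back and confirm the values landed as DWORDs with the requested content.
$after = Get-ItemProperty -Path $key
'After:  SupplicantMode={0} AuthMode={1}' -f $after.SupplicantMode, $after.AuthMode
if ($after.SupplicantMode -ne $SupplicantMode -or $after.AuthMode -ne $AuthMode) {
    throw 'Registry write did not take effect; check that the shell is elevated.'
}

# The post says the service must be restarted for the change to apply.
if ($Restart) {
    Restart-Service -Name $ServiceName -Force
    "Restarted $ServiceName; the new EAPOL settings are now in effect."
} else {
    "Restart the 802.1X supplicant service ($ServiceName) for the change to take effect."
}
```

Keep the post's caveat in mind when deploying this: with AuthMode = 0 and no machine credentials, the client has no network until a user logs on, so anything that relies on machine-level connectivity before logon (policy download, software pushes) will be affected.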

Michael Whaley
Level 5

We had the same issue running 802.1X EAP-PEAP MS-CHAP v2 with the Funk Odyssey Server and the Microsoft supplicant. We did enable host authentication, which you don't want to do. I've posted what we did below if anyone else is interested.

The trick is that to launch the login scripts, Windows needs to have the computer account authenticated (which takes place before the user is authenticated), sometimes referred to as host authentication. After working with Funk we were told that their Odyssey Server software does not support host-based authentication. (Funk SBR does support host auth.)

We migrated over to Microsoft's IAS, which supports host-based authentication, and things worked great. We created an AD group which contains all the PC accounts from AD and referenced that group in the Remote Access Policy. Once the setup is completed, you need to make sure that under the wireless network settings "Authenticate as computer when computer information is available" is checked. (We use AD to deploy our wireless security policy settings, which makes this change easy.)

What will happen next is that you will see usernames like host/computername authenticate. Once the user logs in, XP will flip to the user ID until they log out from the machine, at which time XP will return to the computer account.

This helped us keep an IP address on a wireless only connected computer consistently which helped us a lot with SMS pushes.
