Machine Cert Auth (EAP-TLS) with and without /host

Anonymous
Not applicable
Hi,

The problem is simple, but I need a little help.

We have Windows and Mac clients doing machine-based certificate authentication. They all have the correct certificates installed, and authentication works without issue.

The AAA configuration is configured for LDAP NTLM-based authentication, with the 'Host Object Class' set to computer and the 'Host Search Attribute' set to servicePrincipalName.

I have a rule that has a 'User' group configured to check whether the machine name has the correct 'ObjectCategory'.

Now the issue I have is that when running authorisation, Windows will send the machine name with host/ in front, like below, which has an entry in AD under servicePrincipalName:

host/chc123.domain.co.uk

The Mac, though, will send the host name as below; this fails because AD has no entries under servicePrincipalName without the host/:

chc567.domain.co.uk

So although I can manage this difference in the configuration of NAC, what I don't know is where 'host/' comes from on the Windows machine and why it's missing from the Mac.

I thought that the actual machine name comes from the CN within the certificate. Is that correct, or perhaps it's taking it from the hostname or a DNS lookup? I need it to come from the certificate so it can't get spoofed.

Maybe it doesn't matter, as when authenticating the actual CN of the cert is used, but when hitting a rule and doing authorisation it's using the hostname? Either way, it would be good to know why.

Many thanks in advance.

Anonymous
Not applicable
Hi Tomasz,

Thanks for posting.

Yeah, I think that might end up being my only solution. I was hoping to keep it a little cleaner by working out why a Windows machine inserts host/ and a Mac doesn't.

My hope was to find a way to insert the host/ on a Mac.

Understanding why there is a difference, or hearing from anyone else who might have had a similar experience and found the answer, would provide a more universal solution, i.e. one configuration entry for both types.

Thanks for the info though, as it's still helpful to know that maybe that is the only XMC-configurable option, or to use M_Nees' rewrite method.

Cheers,

Martin

Tomasz
Valued Contributor II
Hi Martin,

If I understand well, you could try to switch NAC AAA configuration to Advanced and provide different LDAP lookups for usernames that begin with 'host/*' and different one for the rest. Would that answer your issue?

Kind regards,
Tomasz

Anonymous
Not applicable
Thanks for posting back.

Do you think that is something I can do in ExtremeControl, it being based on FreeRADIUS? I know manual edits of some of the files don't always go to plan, as NAC can overwrite them.

I will perhaps give it a try and post back; that is the best answer 🙂

Not sure why a Mac omits the host/ and a Windows device doesn't. That is probably more of an OS question than an Extreme one, but I'm interested if anyone else has come across the same issue and how they managed to handle it. Maybe there is simply something within the Apple Mac configuration that you enable to get it to function that way?

M_Nees
Contributor III
Hi Martin,

In the past I saw this used to set MAC addresses to lowercase within FreeRADIUS - maybe there is a possibility to add "host/" to all requests which do not contain it.

https://wiki.freeradius.org/guide/mac-auth

code:
#
# Rewrite Calling-Station-Id attribute into a standard format
# (six lowercase hex pairs separated by "-"), whatever separator
# the NAS used.
#
rewrite_calling_station_id {
    if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
        update request {
            Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }
    }
    else {
        noop
    }
}
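Following on from the rewrite idea above, here is an added example of what such a policy could look like; it is not from the thread, not from the FreeRADIUS wiki page linked, and not Extreme's shipped configuration. It assumes a stock FreeRADIUS 3.x layout (a file dropped into policy.d/, the ldap module with its default filter) and that machine identities in this deployment always contain a dot while user identities do not. Whether ExtremeControl's managed configuration consumes these attributes the same way, or preserves a file in policy.d/ across updates, is not established by this thread and would need checking.

```unlang
#
# Added example (not the page's or Extreme's code). Normalise the machine
# identity taken from the supplicant's EAP-Response/Identity so that both
# "host/chc123.domain.co.uk" (Windows form) and "chc567.domain.co.uk"
# (Mac form, as described in the thread) give one LDAP lookup key.
#
# Assumption: stock FreeRADIUS 3.x. Files in policy.d/ are $INCLUDEd inside
# the main "policy { }" block, so no wrapper is needed here.
#
# Design choice: write Stripped-User-Name instead of rewriting User-Name.
# The stock mods-available/ldap filter is
#   (uid=%{%{Stripped-User-Name}:-%{User-Name}})
# so the lookup picks up the normalised value, while the User-Name that
# rlm_eap sees on every round of the EAP conversation is left unchanged.
#
normalise_machine_identity {
    # Windows form: already carries the prefix, leave the request alone.
    if (&User-Name =~ /^host\//i) {
        noop
    }
    # Bare FQDN with no realm (assumption: a dot and no "@" means a
    # machine identity in this deployment) -> supply the prefix for LDAP.
    elsif ((&User-Name !~ /@/) && (&User-Name =~ /\./)) {
        update request {
            &Stripped-User-Name := "host/%{User-Name}"
        }
        updated
    }
    # Anything else (user identities, realms) is not ours to touch.
    else {
        noop
    }
}

#
# Call the policy ahead of the ldap lookup in the authorize section of the
# virtual server that handles the EAP requests, e.g. in sites-available/default:
#
#   authorize {
#       ...
#       normalise_machine_identity
#       ldap
#       ...
#   }
#
```

One caveat worth stating plainly: this normalises whatever the supplicant chose to send as its outer identity, so on its own it does not answer the "I need it to come from the certificate" requirement. In FreeRADIUS 3.x the certificate fields only become available as TLS-Client-Cert-Common-Name, TLS-Client-Cert-Subject-Alt-Name-Dns and friends once the TLS handshake has verified the chain; if the lookup has to be anchored to the certificate rather than to the identity, that is the place to do it (the eap module's tls-config `virtual_server` option, with the sites-available/check-eap-tls example shipped alongside), not in the first-round authorize section.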