Machine authentication

Bryan Kadzban bryan
Wed Mar 29 15:42:23 PST 2006 

Jacky wrote:
> 
>> Which EAP method are you using?
> 
> What EAP method should I use for machine authentication?

Doesn't matter, anything will work (assuming you can get at the
credentials).

> Actually the real question should be: What Windows XP is using during
> the machine authentication?

That depends.  It doesn't choose any one authentication type, and in
fact without a registry hack, it won't authenticate as a computer at
all, until you reboot it.

> I have:
> 1. enabled XP's 802.11x authentication in the network settings.
> 2. Used "Smart Card or other Certificate"

It's therefore using EAP-TLS, with a certificate stored in the machine's
MY store.  (Probably anyway.)  wpa_supplicant can also use this cert.

> 3. enabled "Authenticate as computer when computer information is
> available"

That doesn't make it do machine auth all the time, only at boot.  To get
it to do that all the time, you have to refer to this article:

http://technet2.microsoft.com/WindowsServer/en/Library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx

and go to the "802.11 Wireless Registry Entries" section.  There you'll
find an AuthMode registry value that needs to be set under
HKLM\Software\Microsoft\EAPOL\Parameters\General\Global, to control what
kind of authentication the OS's supplicant will do.

(Note that this is not required for wpa_supplicant, only for the XP
supplicant.  My point is that without this change, XP will not use
machine credentials by default, unless it's currently booting.
Subsequent roams, reassociations, and reauthentications will use user
credentials without this change.  And just hitting OK in the "add a new
preferred network" dialog will also use user credentials, until you
reboot.)

At this point, you probably need to figure out whether your machine even
has a certificate issued to it.  There is no built-in certificates MMC
snap-in, but you can add the certificates console to an MMC session.
Start->Run->type in "mmc" (no quotes)->OK.  Then go to "add/remove a
snap-in", choose "add" (or something like that; I'm going from memory at
this point), select "certificates", hit OK, make sure you select "this
machine", then hit OK or close until you're back at the cert snap-in.

Then expand Personal.  You should have a Certificates entry under that,
containing your machine's cert.  If not, then go through the Add/Remove
thingy again, and select "my user account" instead of "this machine",
and you should see a cert in the newly-added Personal bucket.

In either case, you'll have to configure wpa_supplicant's network block
like this:

network={
	ssid="whatever"
	key_mgmt=WPA-EAP
	proto=WPA2   # or WPA, I'm not sure what version you need
	eap=TLS
	private_key=cert://xxxxxxx
}

You have to replace the xxxxxxx with some string that's part of the CN
of the cert that you want to use (either the machine one or the user
one).  wpa_supplicant will look for a cert with a CN having this string
as a substring, first in your personal store, then in the machine store
-- so make sure you have a valid substring in there, otherwise it might
use the wrong cert.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20060329/04b2b647/attachment.pgp

More information about the Hostap mailing list