802.1x Network Authentication – FreeRADIUS with the Novell Client Resources

One of my educational clients is going to be implementing a fairly large wireless network this summer. They are an all-Cisco shop – all Cisco data electronics, VoIP system, firewall, etc. The wireless access points will be Cisco, probably 1252s, which are wireless-G and support the draft specifications for wireless-N.

Their dilemma is this – should they spend the money (~$9K per box) on the Cisco Secure Access Control Server Solution, or should they try to integrate FreeRADIUS into their Novell NetWare 6.5 network and use the Novell Client with Windows XP’s built-in 802.1x supplicant? They are balking at the cost of the Cisco Secure Access Control Server Solution because they don’t have the need (or desire) to implement any of its advanced functionality at this time – they just want the 802.1x authentication for the wireless clients.

I’m in the information gathering phase of this project right now, determining whether the FreeRADIUS/Novell Client combination is a feasible option for their environment. I’m going to collect some information, and will post what I find out here in the upcoming weeks.

Links and Technical Reference Documents

Novell TID 3003857: Integrating FreeRADIUS and eDirectory

Novell TID 3009668: Setting up FreeRADIUS and eDirectory for 802.1X Authentication

Novell TID 3557425: Integrating FreeRADIUS authentication and eDirectory

Novell TID 10100693: 802.1x Authentication and the Novell Client for Windows

Novell TID 3218399: 802.1x Authentication and the Novell Client for Windows

Novell TID 3356920: Does the Novell Client support 802.1x?

Novell TID 3038019: Errors when logging in with 802.1x protocol

Novell TID 3777876: Registry settings related 802.1x support in the Novell Client 4.91 SP4

Novell TID 3950357: Unable to login using Cisco 802.1x implementation

Novell TID 3714126: FreeRADIUS, NMAS, and wireless (802.1x) Networks

Novell TID 10100993: Debugging FreeRADIUS with radtest

Novell TID 5008620: Novell Client 4.91 Post-SP4 802.1x Fixes (FTF)

Configuring FreeRADIUS on Open Enterprise Server for Linux by Eric Champagne

Enabling 802.1x in Client 4.91 SP4

Integrating Novell eDirectory with FreeRADIUS Quick Start Guide

Integrating Novell eDirectory with FreeRADIUS Administration Guide

Addendum to the FreeRADIUS Administration Guide

Configuring Novell eDirectory for 802.11 Wireless Authentication – Novell BrainShare 2005. Discusses using OES or SLES, FreeRADIUS or Cisco ACS with verification against eDirectory.

EDirectory integration with FreeRADIUS wiki on developer.novell.com

NTRadPing – free RADIUS testing utility

FreeRADIUS wiki

Client Updates

Microsoft KB 885453: XP SP2 PEAP authentication is not successful when you connect to a third-party RADIUS server (hotfix)

Microsoft KB 893357: The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available

Microsoft KB 918997: Developers cannot create wireless client programs that manage wireless profiles and connections over the Wireless Zero Configuration service in Microsoft Windows XP Service Pack 2 (SP2)

Microsoft KB 931856: A Windows XP-based wired client computer will not obtain a valid IP address from a guest VLAN or from an “Authentication failed-VLAN”

Microsoft KB 917021: Description of the Wireless Client Update for Windows XP with Service Pack 2

Microsoft KB 923154: FIX: EAP reauthentication may not occur and the Wireless Zero Configuration service may not work correctly when you try to use a third-party application in Windows XP

Implementation Hints and Gotchas

  • Verified that the Universal Password setup is correct on my test user with the Universal Password utility.
  • An interesting discussion on 802.1x, EAP and LDAP configurations
  • eDirectory and FreeRadius HowTo version 0
  • If 802.1X authentication succeeds after the desktop is up and you log in from the Red N, but fails on the initial boot login, check to see if the “Authenticate as computer when computer information is available” check box on the Authentication tab of your Local Area Connection Properties dialog box is selected. This option must be selected for the initial login to succeed.

  • Try toggling the “Use 802.1x authentication during subsequent eDir-only logins” setting
  • Try changing supplicant mode to 3
  • Configure a DA and scope in the client properties
  • The Novell Client 4.91 SP4 for Windows XP/2003 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, to eDirectory, and to 802.1X with the same set of credentials for a single sign-on experience.

    When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. An exchange of messages (PEAP/MSCHAPv2) between the Windows supplicant, the wireless access point/wired switch, and the RADIUS server allows network access if the correct credentials were entered. After the 802.1X authentication has succeeded, both the eDirectory and local logins take place just as they have in previous versions of the Novell Clients. If the 802.1X authentication fails, the user is given no access to the network.

    The 802.1x authentication feature supports both wired and wireless connections. Only password-based authentication is supported (the Novell Client 4.91 SP4 for Windows XP/2003 supports only PEAP with MSCHAPv2). Biometrics (non-password-based) authentication types are not supported with this release. If you want certificate support, the Microsoft EAP plug-ins are sufficient and no Novell-specific EAP support is required.

    The ability to browse for trees and servers in the Novell Login dialog box is not supported because the 802.1X port blocks all network access.

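  • If the authentication times out, check to see if the RADIUS server is getting queried for the authentication. Also check to make sure the “Validate server certificate” check box on the Protected EAP Properties tab on the Local Area Connection Properties dialog box is not selected. With the box cleared, the supplicant does not check the RADIUS server's certificate, so a timeout that disappears points to a certificate trust problem on the client.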
  • If you think debug or trace logs will help, start Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing and enable tracing for Noveap. This causes Windows to create a Noveap.log file in the windows\tracing directory.
  • Utilities installed with many NIC cards can cause odd behavior. Make sure the user has only installed the drivers for the NIC card and none of the other utilities.
  • If you still cannot get 802.1X to work, remove the Novell Client and try to get the Microsoft authentication working first. Pre-desktop authentication will not likely work in this case, but after the desktop is up, Microsoft uses the Windows username and password for 802.1X authentication.

    For this to work, the username and password for Windows must match the username and password in eDirectory.

    [updated 2008-11-17]
    Check out Jeremy’s cheat sheet, a good general reference for 802.1x.
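
To check whether the RADIUS server is being queried at all (the timeout hint above, and the job radtest and NTRadPing do), the following added example, which is not code from the original post or from FreeRADIUS, sends one plain PAP Access-Request per RFC 2865 and verifies the reply's Response Authenticator. The server address, user, password and shared secret passed to `probe` are assumptions supplied by the caller; the request carries no Message-Authenticator attribute and does not exercise PEAP/MSCHAPv2.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    n = max(16, -(-len(password) // 16) * 16)       # pad to a multiple of 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1, req_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request (code 1)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server, user, password, secret, port=1812, timeout=3.0):
    """Send one request and say whether the server answered and how."""
    packet, req_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (server unreachable, or this client is not configured on it)"
    if reply[1:2] != packet[1:2] or not verify_reply(reply, req_auth, secret):
        return "reply failed the authenticator check (shared secret mismatch?)"
    return CODES.get(reply[0], f"code {reply[0]}")
```

A "no reply" result means the request never reached the server or was dropped there, which separates network and client-definition problems from credential or eDirectory lookup problems.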