Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IEEE 802.1x & dynamic vlan assignment

from [Kim, Cameron] Network Security [Permanent Link]
Subject: RE: IEEE 802.1x & dynamic vlan assignment
Date: Wed, 17 Aug 2005 14:25:05 -0700 
You have to force re-authentication on logon. Here is an excerpt for
deploying dot1x on cisco switches.

You must configure the 802.1X client to send an EAP-logoff (Stop)
message to the switch when the user logs off. If you do not configure
the 802.1X client, an EAP-logoff message is not sent to the switch and
the accompanying accounting Stop message will not be sent to the
authentication server. Refer to the Microsoft Knowledge Base article at
the URL:  http://support.microsoft.com. Also refer to the Microsoft
article at the URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/colum
ns/cableguy/cg0703.asp, and set the SupplicantMode registry to 3 and the
AuthMode registry to 1.

Here is some more info on the specifics of those keys
---------

AuthMode Registry Entry

The setting of the AuthMode registry entry controls the computer and
user authentication behavior of Windows XP and Windows Server 2003.
Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\Au
thMode
Version

Windows XP and Windows Server 2003

AuthMode has the following values:
*       

0 - Computer authentication mode. If computer authentication is
successful, no user authentication is attempted. If the user logon is
successful before computer authentication, user authentication is
performed. This is the default setting for Windows XP (prior to Service
Pack 1).
*       

1 - Computer authentication with re-authentication. If computer
authentication is successful, a subsequent user logon results in a
re-authentication with user credentials. The user logon has to complete
in 60 seconds or the existing network connectivity is terminated. The
user credentials are used for subsequent authentication or
re-authentication. Computer authentication is not attempted again until
the user logs off the computer. This is the default setting for Windows
XP Service Pack 1 (SP1) and Windows Server 2003.
*       

2 - Computer authentication only. When a user logs on, it has no effect
on the connection. Only computer authentication is performed. The
exception to this behavior is when a user successfully logs on, and then
roams between wireless APs. In that case, user authentication is
performed. For changes to this setting to take effect, restart the
Wireless Zero Configuration service for Windows XP or Windows Server
2003.
SupplicantMode Registry Entry

The setting of the SupplicantMode registry entry specifies the
transmission behavior of the EAPOL-Start message when authenticating.
Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\Su
pplicantMode
Version

Windows XP and Windows Server 2003

SupplicantMode has the following values:
*       

1 - Do not transmit. Specifies that EAPOL-Start messages are not sent.
*       

2 - Transmit. Determines when to send EAPOL-Start messages and, if
needed, sends an EAPOL-Start message.
*       

3 - Transmit per 802.1x. Sends an EAPOL-Start message upon association
to initiate the 802.1X authentication process.

HTH

Cameron Kim
Mitsubishi Digital Electronics America

-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com] 
Sent: Wednesday, August 17, 2005 10:53 AM
To: Devanathan.Balaji@datacraft-asia.com
Cc: focus-ms@securityfocus.com
Subject: Re: IEEE 802.1x & dynamic vlan assignment

Yes. That happened to me too...

The solution I took was to force the 802.1x switch to re-authenticate
quite often. What kind of switches are you using?

Regards,
Rodrigo.

On 8/17/05, Devanathan.Balaji@datacraft-asia.com
<Devanathan.Balaji@datacraft-asia.com> wrote:

Hi,

 Has anyone tested dynamic vlan assignment through dot1x . I am trying



to implement this with PEAP authentication with Windows Active 
directory. When I reboot the windows pc the vlan assignment is 
happening properly. But when I logoff from the domain and login as a 
different user the vlan is not getting assigned immediately, but works

after the re authentication timeout.

I feel that Windows XP client is not sending EAPOL-logoff message. Can



anyone help in this

Regards
Devanathan.B

-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Tuesday, August 09, 2005 12:00 PM
To: offtopic
Cc: focus-ms@securityfocus.com
Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server

In fact, I was thinking of just using user certificates (no need for 
personal computers to be on-line while noone is logged on), and 
storing them on the profile of each user, on their computer.

And, unfortunately, PEAP is not an option either.

Surfing thorugh MS doc., I had read that through CAPICOM scripts or 
batches using certreq.exe against the MS Certificate Services 2003, it



is possible to "emulate" (by programming...) the Active Directory 2003
- Certificate Services 2003 integrated auto-enrollment and 
auto-installation of the users' certificates.

However, I have no idea if this is applicable to Certificate Services 
2000, if it is a pragmatic solution, and whether it is reasonably easy



to set up.

Any experience using this tools? Would it be crazy to focus the 
project in this direction?

Thanks again and best regards,
Rodrigo.

On 8/9/05, offtopic <offtopic@mail.ru> wrote:

- Although the MS Certificate Services are in standalone mode, can



I still configure some auto-enrollment based on the users' AD 
logon? If not, what is the best option in order to minimize 
administrative effort?


No. AFAIK, Only Enterprise CA can be used for auto-enrollment. You 
can

choose PEAP MSCHAPv2 for client authentication instead. In this case 
you don't need to manage client-side certificates and revocation.

If you need to use client certificates - create new Enterprise 
Subordinate

CA for issue client certificates.



- Since MS Certificate Services are in standalone mode, is it 
possible to have the IAS server map certificates to AD users


You can bind user-to-certificate manually in AD, but I think this is



not

best solution.



If you could point me to any paper or step-by-step guide that can




http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+8
02.1x+
step-by-step&kgs=0&kls=0 ????



PS. You want to use client certificates, where you will store it? In



local

profile, or on smartcard?

Will you authenticate computer or user or both?


(c)oded by offtopic@mail.ru




----------------------------------------------------------------------
-----
----------------------------------------------------------------------
-----


**********************************************************************
****** This email and all contents are subject to the following 
disclaimer:

http://www.datacraft-asia.com/disclaimer
**********************************************************************
******




------------------------------------------------------------------------
---
------------------------------------------------------------------------
---




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: SharePoint securization, Tevfik Karagülle
Next by Date:  Re: SharePoint securization, tevfik
Previous by Thread:  Re: IEEE 802.1x & dynamic vlan assignment, Rodrigo Blanco
Next by Thread:  RE: IEEE 802.1x & dynamic vlan assignment, Devanathan . Balaji
Indexes:  [Date] [Thread] [Top] [All Lists]