
Configuring Mobility for Multiple User Authentication Types

Technical Note 2243

Last Reviewed 31-Mar-2009
Applies to: Mobility XE server version 8.50 and up

Summary

As of Mobility XE v8.50, EAP-TLS is supported as an authentication method. EAP-TLS provides two-factor authentication in the form of smart cards and personal user certificates, while PEAP performs authentication via username and password. For flexibility and redundancy, PEAP and EAP-TLS may be employed simultaneously within the same v8.50 Mobility server pool. This tech note explains how to configure a v8.50 Mobility server pool, along with Microsoft's IAS or Juniper's Steel-Belted Radius servers, to perform both PEAP and EAP-TLS authentication. (For information on configuring other types of RADIUS servers to perform PEAP and EAP-TLS authentication, refer to the vendor documentation.)

Note: Currently, Mobility's other supported authentication methods cannot be configured simultaneously. For example, you cannot use NTLM and LEAP, or SecurID and PEAP at the same time in one Mobility server pool.


Configuring PEAP and EAP-TLS Authentication

Prerequisites:

  • In all instances, it is assumed that the PKI (Public Key Infrastructure) is already in place and functioning correctly, and that all certificates have been provisioned and distributed accordingly.

  • All Mobility servers in the pool must be v8.50 or higher.

  • In the Mobility console, the global server setting Authentication - Protocol must be set to RADIUS-EAP (PEAP and EAP-TLS).

The v8.50 System Administrator Guide contains additional information on configuring Mobility servers to use PEAP/EAP-TLS, and RADIUS servers to use certificates.

There are two common scenarios in which a Mobility server pool may need to support both PEAP and EAP-TLS authentication. The first is a deployment in which some users have smart cards and/or user certificates, but others do not. The second situation is when a user has lost a smart card or the card has ceased to function, so the user must fall back on PEAP (username+password) for authentication. Follow the instructions below to configure the Mobility client and the RADIUS server for both EAP-TLS and PEAP authentication.


Mobility client configuration

If the authentication method on the Mobility server pool has been set to RADIUS-EAP (PEAP and EAP-TLS), then by default the Mobility client is configured to use smart cards. However, the Mobility client also allows the use of client certificates in the form of either personal user certificates or smart card certificates. Ultimately, the authentication method that the client uses depends on what is configured on the Mobility server and the RADIUS backend.

Mobility client configuration - Enabling smart card or personal user certificate support

If you are currently using a different authentication method and need to configure your Mobility clients to use smart cards, you normally do not need to do anything, because the client is preconfigured to allow the use of smart cards. However, if you find that smart card or user certificate support has been disabled, the two options below re-enable it.

  • Configure each client to enable the setting allowing the use of client certificates:

    1. Open the Mobility Client Properties dialog through the Start menu or by double-clicking on the tray icon.

    2. Click the Configuration button.

    3. Open the Client Certificates tab.

    4. Check the "Allow client certificates" box (checked by default).

    5. Select the radio button next to the type of authentication you want this client to use, either Smart Card or Personal User Certificate.

    6. Click OK.

  • Alternatively, edit the registry to enable the ability to use client certificates: (Always make a backup copy of the registry before editing it.)

    1. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMotion\Mobility Client.

    2. To enable the use of client certificates, set the "AllowCertAuth" key to 00000001.

    3. Next, to enable smart card authentication, set the "SmartCardMode" key to 00000001.

    4. Or, to enable personal user certificate authentication, set the "SmartCardMode" key to 00000000.


Mobility client configuration - Disabling smart card or personal user certificate support

There are instances where an administrator does not want a user to be able to use certificates, either smart cards or personal user certificates, on a client device. To disable that functionality use one of the methods below.

  • Configure each client to disable the setting allowing the use of client certificates:

    1. Open the Mobility Client Properties dialog through the Start menu or by double-clicking on the tray icon.

    2. Click the Configuration button.

    3. Open the Client Certificates tab.

    4. Uncheck the "Allow client certificates" box.

    5. Click OK.

  • Alternatively, edit the registry to disable the ability to use client certificates: (Always make a backup copy of the registry before editing it.)

    1. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMotion\Mobility Client.

    2. To disable the use of client certificates, set the "AllowCertAuth" key to 00000000.
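The following PowerShell script is an added example, not part of the NetMotion tech note or product: it applies the registry settings from both the enabling and disabling procedures above (and the fallback to PEAP described later) in one step, backs up the key first as the note advises, and reads the values back to confirm they took. It assumes that AllowCertAuth and SmartCardMode are REG_DWORD values and that the script runs elevated on the client device.

```powershell
# Added example (not from the NetMotion tech note). Sets the Mobility client
# registry values described in the note and verifies them afterwards.
# Assumptions: the values are REG_DWORD, the key path is as given in the note,
# and this runs in an elevated PowerShell session on the client device.
# Usage: .\Set-MobilityCertAuth.ps1 -Mode SmartCard | PersonalCert | Disabled
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('SmartCard', 'PersonalCert', 'Disabled')]
    [string]$Mode
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetMotion\Mobility Client'
$RegPath = 'HKLM\SYSTEM\CurrentControlSet\Services\NetMotion\Mobility Client'

# Map the three states from the tech note onto the two values.
# Disabled clears AllowCertAuth only, matching the note's disable steps.
$desired = switch ($Mode) {
    'SmartCard'    { @{ AllowCertAuth = 1; SmartCardMode = 1 } }
    'PersonalCert' { @{ AllowCertAuth = 1; SmartCardMode = 0 } }
    'Disabled'     { @{ AllowCertAuth = 0 } }
}

if (-not (Test-Path $KeyPath)) {
    throw "Mobility client key not found: $KeyPath (is the client installed?)"
}

# Back up the key before editing, as the tech note advises.
$backup = Join-Path $env:TEMP ("MobilityClient-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $RegPath $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $KeyPath -Name $name -Value $desired[$name] -Type DWord
}

# Read back and report; exit non-zero if any value did not take.
$ok = $true
foreach ($name in $desired.Keys) {
    $actual = (Get-ItemProperty -Path $KeyPath -Name $name).$name
    $state = if ($actual -eq $desired[$name]) { 'OK' } else { $ok = $false; 'MISMATCH' }
    Write-Host ("{0,-14} = {1}  [{2}]" -f $name, $actual, $state)
}
if (-not $ok) { exit 1 }
```

Restart the Mobility client after running it so the new setting is picked up, and keep the exported .reg file until the change has been confirmed on the device.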


RADIUS Server Configuration

Depending on the RADIUS server you are using, the procedure for PEAP and EAP-TLS configuration varies slightly. Below are detailed instructions for configuring Microsoft IAS and Juniper Steel-Belted Radius. For information on configuring other RADIUS servers, refer to the vendor's documentation. Note: It is important to pay careful attention to the ordering of the PEAP and EAP-TLS policies once they have been configured.


Microsoft IAS on Windows Server 2003

The instructions below walk through creating two policies - a PEAP policy and an EAP-TLS policy. One group of users is subscribed to the PEAP policy and another group of users is subscribed to the EAP-TLS policy. Although you can choose from many types of attributes when you are creating the policies, for simplicity these examples make use of the attribute "Windows-Groups". "PEAP Users" is a Windows user group created especially to hold the names of users who authenticate with username+password. "TLS Users" is a Windows user group created especially to hold the names of users who authenticate with smart cards or user certificates. If you choose to use Windows groups as in these examples, you will probably want to create user groups very similar to these.


Follow these steps to create a PEAP policy.

  1. You must be logged in as an administrator with domain administration privileges.

  2. Open the IAS console.

  3. Right-click on Remote Access Policies.

  4. Select "New Remote Access Policy" to start the New Remote Access Policy Wizard.

  5. Click "Next".

  6. In the Policy Configuration Method dialog, select "Set up a custom policy".

  7. Create a policy name that will clearly identify its purpose (example: PEAP Authentication).

  8. Click "Next".

  9. In the Policy Conditions dialog, click Add... to open a list of attribute types.

  10. From the list, select one that will be unique for this protocol. (Note: The simplest option is to select "Windows-Groups".)

  11. Click the Add... button to open the Groups dialog.

  12. In the Groups dialog, click the Add... button to open the Select Groups dialog.

  13. Enter the name of the Windows user group that will have rights to authenticate to the Mobility server and use PEAP authentication (example: <domain>\PEAP Users where <domain> is your domain name). Click OK.

  14. Click "OK" to close the Groups dialog.

  15. In the Policy Conditions dialog, you should see something like "Windows-Groups matches <domain>\PEAP Users," where <domain>\PEAP Users is the name of the group that will be able to authenticate to the Mobility server using PEAP.

  16. Click "Next" to get to the Permissions dialog.

  17. Select "Grant remote access permission" and click Next.

  18. Click the "Edit Profile..." button.

  19. Select the Authentication tab.

  20. Uncheck all the checkboxes. Click the "EAP Methods" button.

  21. In the Select EAP Providers dialog, click the "Add" button.

  22. In the Add EAP dialog, select (highlight) "Protected EAP (PEAP)". Click OK.

  23. Click OK twice more. A Dial-In Settings message will display asking if you want to view the Help topic (it is not necessary).

  24. Click "Next", and click "Finish" to exit.

Follow these steps to create an EAP-TLS policy.

  1. You must be logged in as an administrator with domain administration privileges.

  2. Open the IAS console.

  3. Right-click on Remote Access Policies.

  4. Select "New Remote Access Policy" to start the New Remote Access Policy Wizard.

  5. Click "Next".

  6. In the Policy Configuration Method dialog, select "Set up a custom policy".

  7. Create a policy name that will clearly identify its purpose (example: EAP-TLS Authentication).

  8. Click "Next".

  9. In the Policy Conditions dialog, click Add... to open a list of attribute types.

  10. From the list, select one that will be unique for this protocol. (Note: The simplest option is to select "Windows-Groups".)

  11. Click the Add... button to open the Groups dialog.

  12. In the Groups dialog, click the Add... button to open the Select Groups dialog.

  13. Enter the name of the Windows user group that will have rights to authenticate to the Mobility server and use EAP-TLS authentication (example: <domain>\TLS Users where <domain> is your domain name). Click OK.

  14. Click "OK" to close the Groups dialog.

  15. In the Policy Conditions dialog, you should see something like "Windows-Groups matches <domain>\TLS Users," where <domain>\TLS Users is the name of the group that will be able to authenticate to the Mobility server using EAP-TLS.

  16. Click "Next" to get to the Permissions dialog.

  17. Select "Grant remote access permission" and click Next.

  18. Click the "Edit Profile..." button.

  19. Select the Authentication tab.

  20. Uncheck all the checkboxes. Click the "EAP Methods" button.

  21. In the Select EAP Providers dialog, click the "Add" button.

  22. In the Add EAP dialog, select (highlight) "Smart Card or other certificate". Click OK.

  23. Click OK twice more. A Dial-In Settings message will display asking if you want to view the Help topic (it is not necessary).

  24. Click "Next", and click "Finish" to exit.

Note: With Remote Access Policies highlighted on the IAS console, you should see both of your new policies listed. Set the order so that the EAP-TLS policy is listed first followed by the PEAP policy.


Juniper Steel-Belted Radius (6.1 Enterprise) Configuration

Prerequisites:

  1. This configuration of Steel-Belted Radius (SBR) assumes that an administrator has already successfully configured the SBR server to communicate with a Windows domain.

  2. SBR will not accept usernames if they are in the user@domain.com format. You must enter the username, password, and domain into respective individual fields.


Follow these steps to configure SBR (Enterprise 6.1) for PEAP and EAP-TLS authentication.

  1. Open the SBR Administrator.

  2. In the left-hand column, select "Authentication Policies" and expand the node.

  3. Select "EAP Methods".

  4. On the right, check "EAP-PEAP", "EAP-TLS", and "EAP-TLS Helper". (Leave EAP-FAST and EAP-TTLS unchecked.)

  5. Click "Apply".

  6. In the left-hand column, select "Order of Methods".

  7. On the right, move "PEAP" and "EAP-TLS" to the "Active Authentication Methods" column. (Do not move "EAP-TLS Helper".)

  8. Also on the right, move "Windows Domain Group" and/or "Windows Domain User" to the "Active Authentication Methods" column. PEAP authentication requires at least one of these or it will not work. (Do not be concerned if you see the methods listed as LEAP; that is correct.)

    Note: The authentication methods must be listed in the correct order:

    1. EAP-TLS

    2. PEAP

    3. Windows Domain Group and/or Windows Domain User

When configured this way the SBR server will initially attempt to use EAP-TLS to authenticate the Mobility client. If the process times out, the SBR server will move to the next method in the list - PEAP - and the Mobility client will be able to authenticate.


Moving A User From EAP-TLS to PEAP

If a user loses his or her smart card, or the card ceases to function, that user can be moved from using EAP-TLS authentication to using PEAP, which requires only a username and password to authenticate.


If you are using Microsoft IAS:

  • If you followed exactly the IAS configuration described above, use Active Directory to move the user from the "TLS Users" Windows group to the "PEAP Users" Windows group. (Refer to step 13 in the PEAP policy section above.)

  • Smart card/user certificate support must be disabled on the Mobility client. Open the Client Properties dialog, move to the Client Certificates tab, and uncheck the "Allow client certificates" checkbox. (Refer to the Mobility client configuration - Disabling smart card or personal user certificate support section above.)

Once the smart card has been found or replaced, simply reverse the above steps - move the user back into the "TLS Users" group in Active Directory, and check the "Allow client certificates" checkbox in Client Properties on the client device.


If you are using Juniper SBR or another RADIUS server:

For non-Microsoft RADIUS servers this only requires reconfiguring the Mobility client. On the client device, open the Client Properties dialog, move to the Client Certificates tab, and uncheck the "Allow client certificates" checkbox.


Related Information


NetMotion Mobility Technical Notes



Copyright ©2010 NetMotion Wireless.