- 1. Elektron Version 1
- 1.1. Enabling Active Directory Machine Authentication in Elektron 1.x
Elektron 1.2 (in both the standard and Enterprise edition) includes preliminary support for machine authentication via Active Directory. This article describes how to enable that support.
Active Directory contains logins for both users and machines. That is, when a computer is joined to an Active Directory, it is given an account in the directory, complete with a password. This allows the machine to be logged into the domain without user intervention.
The Windows XP Wi-Fi client supports machine authentication. It can be configured to automatically log into the Wi-Fi network before a user has logged in. This is important in environments where computers are shared among disparate users: if a user has never logged into a given machine, the login must be verified against the Active Directory. In order to connect to the Active Directory, the computer must of course be connected to the network. Machine authentication solves the chicken-and-egg problem of allowing the machine to connect to the network before a user has logged in.
As support for machine authentication is preliminary in this release, there is currently no UI for enabling it. You must use the elekconf command line tool. To do so, open a command prompt and issue the following command:
elekconf.exe set sam-machine-auth-enabled 1
By default, the elekconf executable is located in:
C:\Program Files\Periodik Labs\Elektron\
if you performed a clean install of Elektron 1.2, or:
C:\Program Files\Corriente Networks\Elektron\
if you upgraded from an earlier version of Elektron.
- 1.2. Error With Windows Authentication After Upgrading to Elektron 1.2
After upgrading to Elektron 1.2 (standard or Enterprise Edition) on Windows, you may get an error when attempting to authenticate users when using Windows authentication. If you are hitting this problem, you will see entries similar to the following in your Elektron RADIUS error log:
02:50:48 06/04/2006 Windows authentication provider: MS-CHAP-V2 authentication failed (authenticating user xxx)
02:50:48 06/04/2006 MS-CHAP-V2: bad login attempt for user xxx
Your Application event log (viewable using the Windows Event Viewer administrative tool) will have a corresponding entry for Elektron:
internal error: could not decode input parameters (bad length)
The solution is to restart Windows.
The problem is a result of a change made to support machine authentication. This change involved updating an Elektron DLL component that is loaded by Windows and not released until the system is restarted. The Elektron 1.2 installer replaces the DLL, but the new DLL is not recognized by the system until the next reboot. Elektron 1.2 requires the new DLL to perform Windows account authentication.
- 1.3. Windows XP and Elektron on Mac OS X 10.4 Tiger Client
This question applies only to the client version of Mac OS X 10.4 Tiger, not Mac OS X Server.
On Mac OS X 10.4 Tiger with Elektron configured to authenticate users with Mac OS X accounts, Windows XP users may not be able to authenticate to the server. Mac OS X Server is not affected by this issue.
In Mac OS X 10.3 Panther, Windows XP compatible passwords were generated for each user. In Mac OS X 10.4 Tiger, these passwords are only generated if Windows Sharing is enabled and user accounts are configured to allow Windows Sharing logins.
When a Windows XP client attempts to log in to Elektron in this situation, the Elektron error log will have the following entries, even though the user presented a correct password:
18:43:06 05/14/2005 open directory authentication provider (MS-CHAP-V2): user somebody presented incorrect password
18:43:06 05/14/2005 MS-CHAP-V2: bad login attempt for user somebody
To allow a Windows XP user to log in to an Elektron server installed on Mac OS X 10.4 Tiger, Windows sharing for the user in question must be enabled. This is because Windows XP clients use PEAP/MS-CHAP-V2 to authenticate Wi-Fi users, and in its default configuration the client version of Mac OS X 10.4 Tiger does not store MS-CHAP-V2 compatible passwords.
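The log entries in 1.2 and in this article share one format (time, date, message) and the same "bad login attempt" line; the provider line logged just before it is what tells the two causes apart. The following is an added example, not Periodik Labs code: it parses lines of that format, tags each entry with the article on this page that explains it, and counts failed logins per user so that a client retrying with a stale or unusable password stands out in a busy log. The sample log is constructed from the line shapes quoted on this page; the user names and the repeat count are invented.

```python
"""Parse Elektron RADIUS error-log lines and classify them against the
failure signatures quoted in articles 1.2, 1.3, 1.10 and 2.3.
Added example for this knowledge base; not Periodik Labs code."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample log: the line shapes quoted in the articles above,
# with user names ("jdoe", "somebody") and repeat counts invented here.
SAMPLE_LOG = """\
connections will be refused, server is unlicensed
02:50:48 06/04/2006 Windows authentication provider: MS-CHAP-V2 authentication failed (authenticating user jdoe)
02:50:48 06/04/2006 MS-CHAP-V2: bad login attempt for user jdoe
02:50:52 06/04/2006 Windows authentication provider: MS-CHAP-V2 authentication failed (authenticating user jdoe)
02:50:52 06/04/2006 MS-CHAP-V2: bad login attempt for user jdoe
18:43:06 05/14/2005 open directory authentication provider (MS-CHAP-V2): user somebody presented incorrect password
18:43:06 05/14/2005 MS-CHAP-V2: bad login attempt for user somebody
22:39:47 04/13/2007 Evaluation period ends 05/14/07
"""

# Entries start with "HH:MM:SS MM/DD/YYYY"; the unlicensed entry is quoted
# on the page without a timestamp, so the prefix is optional.
TIMESTAMP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2} \d{2}/\d{2}/\d{4}) (.*)$")

# (category, pattern, what the knowledge base says about the entry)
SIGNATURES = [
    ("bad_login",
     re.compile(r"MS-CHAP-V2: bad login attempt for user (\S+)"),
     "generic MS-CHAP-V2 failure; look at the provider line logged just before it"),
    ("windows_provider_failed",
     re.compile(r"Windows authentication provider: MS-CHAP-V2 authentication failed "
                r"\(authenticating user (\S+)\)"),
     "1.2: if the event log shows 'could not decode input parameters (bad length)' "
     "after an upgrade to 1.2, restart Windows"),
    ("opendirectory_incorrect_password",
     re.compile(r"open directory authentication provider \(MS-CHAP-V2\): "
                r"user (\S+) presented incorrect password"),
     "1.3: on a Tiger client the user must be enabled for Windows Sharing "
     "so an MS-CHAP-V2 compatible password exists"),
    ("unlicensed",
     re.compile(r"server is unlicensed"),
     "1.10: normal as the first entry, before the serial number is entered"),
    ("evaluation",
     re.compile(r"Evaluation period ends"),
     "2.3: normal once during installation of a purchased copy"),
]


class Event(NamedTuple):
    when: Optional[datetime]   # None when the line carries no timestamp
    category: str
    user: Optional[str]
    hint: str
    raw: str


def parse_line(line: str) -> Optional[Event]:
    """Classify one log line; returns None for blank lines."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    m = TIMESTAMP_RE.match(line)
    when = datetime.strptime(m.group(1), "%H:%M:%S %m/%d/%Y") if m else None
    message = m.group(2) if m else line
    for category, pattern, hint in SIGNATURES:
        hit = pattern.search(message)
        if hit:
            user = hit.group(1) if hit.groups() else None
            return Event(when, category, user, hint, line)
    return Event(when, "other", None, "", line)


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def failed_logins_by_user(events: List[Event]) -> Dict[str, int]:
    """Count 'bad login attempt' entries per user name."""
    return dict(Counter(e.user for e in events if e.category == "bad_login"))


def users_over_threshold(events: List[Event], threshold: int = 2) -> List[str]:
    """Users with at least `threshold` failed logins: a misconfigured client
    retrying, a client with a stale password, or something worth a closer look."""
    counts = failed_logins_by_user(events)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(f"{e.when} {e.category:34} user={e.user} {e.hint}")
    print("repeated failures:", users_over_threshold(evts))
```

Feed it the real error log (`parse_log(open(path).read())`) and the per-user counts separate one mistyped password from a client that fails on every association, which is the shape both 1.2 and this article describe.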
To create MS-CHAP-V2 compatible passwords for a user, and thus enable Windows XP logins for that user, first enable Windows Sharing:
- Launch the System Preferences application
- In the Sharing pane, Services tab, click the "On" checkbox next to Windows Sharing
With Windows Sharing enabled and selected in the Service list, the "Accounts..." button will allow you to choose which users will be allowed to use Windows Sharing, and thus have MS-CHAP-V2 compatible passwords. To enable a user account for Windows Sharing:
- Click the "Accounts..." button
- Check the box next to the account to be enabled
- If prompted, enter the password for the user account
- After each account has been configured, click the "Done" button
In our testing, it does not appear to be necessary for Windows Sharing to continue running in order for Windows XP logins to work. That is, enabling Windows Sharing, configuring each account, disabling Windows sharing while leaving each account configured for Windows Sharing appears to be sufficient.
The requirement to enable Windows sharing only applies to the WPA Enterprise client built into Windows XP. Third party clients that support TTLS in addition to PEAP will work, as TTLS clients do not use MS-CHAP-V2 compatible passwords. Two free WPA Enterprise clients that support TTLS are:
- 1.4. Problems With AirPort Extreme Firmware v5.5
This article applies to Elektron users deploying the AirPort Extreme Base Station (AEBS) with AirPort firmware version 5.5.
Update: The bug also affects AirPort Extreme firmware version 5.5.1
We've become aware of an issue with this version of the AEBS firmware that can prevent clients from successfully connecting to the base station when WPA Enterprise security is enabled. The problem happens with the client's initial connection to the base station, as well as with subsequent connections unless corrective measures are taken. The symptoms of the problem are:
- Elektron successfully authenticates the user, as indicated by the Elektron access log
- On the user's machine, the connection completes, and the 802.1X pane in Internet Connect indicates "Connected via PEAP, Connect Time: xx:xx:xx". The AirPort menu shows no signal, and the Network System Preference pane shows the AirPort to be unconnected
- If syslog messaging is enabled on the AEBS, the message "Bad pairwise master key at station xx:xx:xx:xx:xx:xx" will be logged
This is a very serious denial of service issue. The problem also affects the AEBS when authenticating users against RADIUS servers from other vendors.
Resolution: We recommend that users downgrade the firmware on their AirPort Extreme Base Stations until Apple releases a fix for the problem. You can download AirPort Extreme Firmware Version 5.4 from:
http://www.apple.com/support/downloads/airportextremefwupdate.html
After downloading the firmware, you can upload it to an AEBS using the AirPort Admin Utility (in /Applications/Utilities). Launch the AirPort Admin Utility, connect to the base station you wish to downgrade, and then use the "Upload" button in the toolbar to select the older firmware. After the update, normal WPA Enterprise operation will be restored.
- 1.5. Windows Passwords Under Mac OS X 10.2.8
With the arrival of Mac OS X 10.3, Apple changed the method that Mac OS X uses to store Windows passwords. Under earlier versions of the operating system, Windows password hashes are only stored when Windows file sharing is enabled. Under Mac OS X 10.3 and later, these hashes are always created regardless of whether Windows file sharing is enabled.
This means that when Elektron is configured to use Mac OS X system accounts to authenticate users under Mac OS X 10.2.8, there are steps that must be taken before users logging in using a Windows password can be authenticated.
Note that a Mac OS X user logging in using the PEAP protocol is using a Windows password to authenticate. If you would rather not enable Windows passwords on the Elektron server, you may instead have Mac OS X users log in using TTLS (with PAP as the inner authentication method). Mac OS X users can change their authentication method using the Internet Connect application.
To allow a user to log in to Elektron using a Windows password under Mac OS X:
- Launch the System Preferences application
- Open the "Sharing" pane
- Start Windows Sharing
- Open the Accounts pane (you can see the Accounts pane by clicking "Show All" in the upper-left hand corner of the System Preferences window)
- Select the account you wish to enable for Windows passwords
- Make sure that the "Allow user to log in from Windows" box is checked
- If the user was not previously allowed to log in from Windows, you will have to enter a new password for the account (you may re-enter the old account password)
If you are running Elektron on Mac OS X 10.3 or later, or you are using Elektron accounts for authentication, these steps are not necessary.
- 1.6. Uninstall Elektron: Mac OS X
To remove Elektron from your Mac OS X system:
- Launch the Terminal application from /Applications/Utilities
- Enter the command: sudo "/Library/Application Support/Periodik/Elektron/uninstall" (the path contains a space, so it must be quoted)
- You may be asked for your password. If prompted, enter your password.
This process will remove all files, shortcuts, and registry entries that were installed along with Elektron. This will not remove any files that were created after the installation process, including the Elektron configuration file and log files.
To remove these additional files manually, delete the following files and folders:
/System/Library/Preferences/Periodik/Elektron/elektron.db
/Library/Logs/Periodik/
- 1.7. Uninstall Elektron: Windows
To remove Elektron from your Windows system:
- Open the Add/Remove Programs applet from Start->Control Panel
- Find Elektron in your list of installed programs
- Click the "Remove" button next to Elektron's entry
This process will remove all files, shortcuts, and registry entries that were installed along with Elektron. This will not remove any files that were created after the installation process, including the Elektron configuration file and log files.
To remove these additional files manually, delete the following files and folders:
- %SystemDirectory%\Periodik\elektron.db
- %SystemDirectory%\LogFiles\Periodik\
- 1.8. Backing Up Elektron Settings: Mac OS X
If your backup strategy is based on backing up specific files on your system rather than the entire system, you will need to know where Elektron stores its configuration files.
On Mac OS X, the configuration file is stored at:
/System/Library/Preferences/Periodik/Elektron/elektron.db
Log files are stored in:
/Library/Logs/Periodik/
To restore a clean system using a backed-up configuration file on Mac OS X:
- Install Elektron
- Stop the Elektron daemon using this command in the Terminal: sudo /Library/StartupItems/Elektron/Elektron stop (you may be asked for your password)
- Replace the newly installed configuration with your backed-up copy
- Start the Elektron daemon using this command in the Terminal: sudo /Library/StartupItems/Elektron/Elektron start
- Launch the Elektron Settings application (in the system-wide Applications directory) and confirm that the restored settings are active.
- 1.9. Backing Up Elektron Settings: Windows
If your backup strategy is based on backing up specific files on your system rather than the entire system, you will need to know where Elektron stores its configuration files.
On Windows, the configuration file is stored at:
%SystemDirectory%\Periodik\elektron.db
Log files are stored in:
%SystemDirectory%\LogFiles\Periodik\
To restore a clean system using a backed-up configuration file on Windows:
- Install Elektron
- From the Services applet (in the Start menu under the Administrative Tools program group; its location varies based on the version of Windows used), stop Elektron
- Delete the current configuration and replace it with your backed up copy
- Again from the Services applet, start Elektron
- Launch the Elektron Settings application (Start->Programs->Periodik Labs->Elektron Settings) and confirm that the restored settings are active.
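The stop, replace, start sequence of 1.8 and 1.9 is the same on both platforms; only the file location and the way the daemon is controlled differ. The following is an added example, not Periodik Labs tooling: it records a SHA-256 digest beside each backup of elektron.db, refuses to restore a backup whose digest no longer matches, checks the restored file against the backup, and starts the daemon again even when the copy fails. The Mac OS X daemon commands are the ones quoted in 1.8; this page gives no command for the Windows service (it uses the Services applet), so a caller on Windows supplies its own, and the expansion of %SystemDirectory% to %SystemRoot%\system32 is an assumption made here. The self_test function exercises the round trip in a temporary directory with a recording stand-in for the command runner.

```python
"""Back up and restore the Elektron configuration database (elektron.db)
with integrity checks around the stop/replace/start procedure of
articles 1.8 and 1.9. Added example; not Periodik Labs tooling."""
import hashlib
import hmac
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, List, Sequence

# Configuration file locations quoted in the articles. "%SystemDirectory%" is
# assumed here to mean %SystemRoot%\system32 (assumption, not stated on the page).
CONFIG_PATH = {
    "darwin": Path("/System/Library/Preferences/Periodik/Elektron/elektron.db"),
    "win32": Path(os.environ.get("SystemRoot", r"C:\Windows")) / "system32" / "Periodik" / "elektron.db",
}

# Daemon control commands quoted in article 1.8 (Mac OS X). Article 1.9 uses the
# Services applet on Windows and gives no command, so callers there supply their own.
MAC_STOP = ["sudo", "/Library/StartupItems/Elektron/Elektron", "stop"]
MAC_START = ["sudo", "/Library/StartupItems/Elektron/Elektron", "start"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_config(config_path: Path, backup_dir: Path) -> Path:
    """Copy config_path into backup_dir with a UTC timestamp and a .sha256 sidecar.
    Re-reads the source afterwards so a write by the running daemon mid-copy is caught."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_dir / f"{config_path.name}.{stamp}"
    shutil.copy2(config_path, dest)
    digest = sha256_file(dest)
    if sha256_file(config_path) != digest:
        dest.unlink()
        raise RuntimeError("source changed during copy; stop the daemon and retry")
    Path(str(dest) + ".sha256").write_text(digest + "\n")
    return dest


def verify_backup(backup: Path) -> bool:
    """True if the backup still matches the digest recorded beside it."""
    recorded = Path(str(backup) + ".sha256").read_text().split()[0]
    return hmac.compare_digest(recorded, sha256_file(backup))


def restore_config(backup: Path, config_path: Path, stop_cmd: Sequence[str],
                   start_cmd: Sequence[str], run: Callable[[List[str]], None]) -> str:
    """Stop the daemon, replace the configuration, start the daemon again.
    `run` executes a command, e.g. lambda c: subprocess.run(c, check=True)."""
    if not verify_backup(backup):
        raise ValueError(f"{backup} does not match its recorded digest; refusing to restore")
    run(list(stop_cmd))
    try:
        shutil.copy2(backup, config_path)
        if sha256_file(config_path) != sha256_file(backup):
            raise RuntimeError("restored file does not match backup")
    finally:
        run(list(start_cmd))   # bring the server back even if the copy failed
    return sha256_file(config_path)


def self_test() -> dict:
    """Round trip in a temp directory with a recording stand-in for `run`."""
    calls: List[List[str]] = []
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "elektron.db"
        cfg.write_bytes(b"constructed config v1")          # constructed stand-in for elektron.db
        bk = backup_config(cfg, Path(tmp) / "backups")
        ok_before = verify_backup(bk)
        cfg.write_bytes(b"constructed config v2 (damaged)")  # simulate a clean reinstall
        digest = restore_config(bk, cfg, MAC_STOP, MAC_START, calls.append)
        restored = cfg.read_bytes()
        bk.write_bytes(b"tampered")                          # backup altered after the fact
        ok_after_tamper = verify_backup(bk)
        try:
            restore_config(bk, cfg, MAC_STOP, MAC_START, calls.append)
            refused = False
        except ValueError:
            refused = True
    return {"ok_before": ok_before, "restored": restored, "digest": digest,
            "calls": calls, "ok_after_tamper": ok_after_tamper, "refused": refused}


if __name__ == "__main__":
    print(self_test())
```

In production the `run` argument is a real command runner (for example `lambda c: subprocess.run(c, check=True)`), and on Windows `stop_cmd`/`start_cmd` are whatever service control command the local installation uses; the sidecar digest is what lets an operator trust a backup that has sat on a file server for months before it overwrites a live server's configuration.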
- 1.10. Log Entry: "Connections Will Be Refused"
It is normal for the first entry in the error log to be:
connections will be refused, server is unlicensed
The entry appears because Elektron is installed and started before you enter your serial number in the Elektron Setup Assistant during the installation process. After you have entered the serial number, the server is live and ready to be used, but the original log entry remains.
- 1.11. Use a Cisco Aironet Card with Windows XP
The Cisco Aironet card includes the Cisco software for connecting to WPA-secured networks. While it is possible to use this configuration in conjunction with Elektron, the Cisco configuration procedure is somewhat arcane.
The easier configuration method is to use the Windows XP WPA client. To do so:
- Install the latest version of the Cisco Aironet Card software from www.cisco.com
- Launch the Aironet Client Utility (this should be somewhere in your Start menu)
- Click the "Select Profile" button
- Select "Use Another Application to Configure My Wireless Settings"
- Click OK
- Quit the Aironet Client Utility
- Use the Windows XP client instructions from the Periodik Labs support site to configure your Wi-Fi settings
- 1.12. Enable Trace Logging for Windows XP Clients
The Windows XP WPA client includes the ability to log its interaction with access points and RADIUS/802.1X servers (including Elektron). This logging facility can be helpful in diagnosing connection problems.
To enable trace logging, perform the following steps:
- From the Start menu, choose "Run..."
- Type cmd and click OK
- At the command prompt, type: netsh ras set tracing eapol enabled
- Hit the return key
- Type: netsh ras set tracing rastls enabled
- Hit the return key
- Close the command window
Subsequent WPA connection attempts will result in logging information being placed in files in %SystemRoot%\Tracing
To disable logging (which you should do after your connection problems are resolved in order to save disk space), repeat the steps above, but substitute the word disabled in place of enabled.
- 2. Elektron Version 2
- 2.1. What Happened to Elektron Enterprise Edition?
Beginning with version 2.0, Elektron Enterprise Edition has been renamed Elektron, and the basic edition of the software has been deprecated. All of the features previously available in Elektron Enterprise Edition have been rolled into Elektron 2.0, and many new features have been added.
When upgrading to Elektron 2.x, your options are:
- If you have a current maintenance agreement (for either the standard edition of Elektron 1.x or Elektron Enterprise Edition 1.x), you are entitled to a free upgrade to Elektron 2.x
- If you have a copy of Elektron Enterprise Edition, but no current maintenance agreement, you may purchase an upgrade or a new maintenance agreement to upgrade to Elektron 2.x
- If you have a copy of the standard edition of Elektron, but no current maintenance agreement, you may upgrade as if you had been a previous owner of Elektron Enterprise Edition. That is, for upgrade purposes, your previous purchase is treated as if it had been a purchase of Elektron Enterprise Edition. This is an inexpensive way to move up to the extra power and features offered by Elektron 2.x
- 2.2. I Have an Elektron 1.x Maintenance Agreement. How Do I Get Elektron 2.x?
When Elektron 2.0 was released, we sent out email notices to all Elektron 1.x users with valid maintenance agreements. However, due to the vagaries of the email system (spam filters, changed email addresses, etc.) not all of these notices may have reached their intended recipients. If you didn't receive your email, contact us at sales@periodiklabs.com and we will get you taken care of right away.
- 2.3. I See "Evaluation period ends x/y/z" In Error Log Even Though I Purchased
Problem:
After installing a purchased copy of Elektron, you see something like:
22:39:47 04/13/2007 Evaluation period ends 05/14/07 22:39:47 04/13/2007 Visit http://www.periodiklabs.com to purchase Elektron
Resolution:
This is normal. When installing Elektron, the server is launched before the installation procedure completes. If the Elektron server is launched without a serial number, it automatically begins a 30 day evaluation. Once the installation completes, the serial number is set, and the evaluation period is no longer in effect.
Subsequent server launches will not have this message.
