Windows (7) Machine Certificates (Half Domain).

Christ Schlacta lists at
Wed Oct 19 18:48:13 CEST 2011

On 10/15/2011 2:46, Phil Mayers wrote:
> On 10/15/2011 03:17 AM, Christ Schlacta wrote:
>> I've got a handful of windows clients.  I'm most concerned about the
>> Windows 7 machines, but there are a few Vista, and even an XP client. I
>> want to deploy "Machine account certificates" for wifi authentication,
>> so machines will be able to connect to the network BEFORE the user logs
>> on (mainly for accessing remote shares), but only some of these machines
>> are connected to the local DOMAIN (Samba 3, not overly relevant I don't
> Pre-logon auth has proven troublesome for other people, if the clients 
> aren't full domain members. You may find this tricky to get working.
> As for the certs - I assume you have a working certificate for a 
> domain member? Extract it, and examine the cert CAREFULLY, including 
> all extension OIDs. Ensure the ones you're generating for the 
> non-domain members have exactly the same attributes (except CN of 
> course).
> You're right that it's off-topic, but what's really tragic is that 
> Microsoft don't a) document and b) provide troubleshooting tools for 
> their supplicant behaviour. It's a key bit of network AAA 
> infrastructure, and it's damn inscrutable. Most of the other forums 
> around the internet, including Microsofts own, contain ill-informed 
> nonsense. I'm wondering if we should have a "8021x-client-admins" 
> forum somewhere...
> -
> List info/subscribe/unsubscribe? See 

I can get it working for neither domain members nor non-domain members.  
as I'm using a Samba 3 domain, I've got no mechanism to deploy 
certificates in a way windows is expecting, nor can I identify any 
sufficient documentation to do so.
If anyone on list DOES have working certs for domain members, I'd much 
appreciate if you could post as much info as you can without 
compromising security.

More information about the Freeradius-Users mailing list