FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..
Max.Caines at wlv.ac.uk
Fri Dec 12 14:42:40 CET 2014
As I understand it, when you configure 802.1x authentication on Windows, provided you tick the relevant box, Windows will authenticate twice, using the computer account and then the user account. Only after that does domain authentication direct to a DC kick in. It is possible to omit either stage, but I think only group policy can force use of the computer account only
From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 12 December 2014 11:43
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..
I wouldn't contradict anything others have said about this one, they
know their stuff more than me, but we *sort of* do this - user auth
using 802.1x plus mac address auth with macs stored in AD. Most wireless
controllers I've seen will support 802.1x + MAC , and do it as 2
separate authentication transactions. Some will also let you decide the
order the transactions appear in.
Mac auth isn't great on its own, but in addition to 802.1x you are
authing the user/whole computer with certs and the computer with mac
Just my 2p, possibly off track or wrong practice though!
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of Tim Reimers
Sent: 11 December 2014 20:17
To: freeradius-users at lists.freeradius.org
Subject: FreeRadius and WPA2-Enterprise machine authentication - With
Hi everyone -
I'm trying to design something here that I'm sure has been done before,
but AFAIK, it crosses through a few different howto documents, and
being new to this, I'm just not certain that I have pieced together all
the relevant HOWTo docs and not missed a
point at which the design won't communicate the needed information.
The plan is to authenticate wireless users AND their computers. (so that
a user cannot BYOD to the secure network; only laptops joined to the
domain will work)
I know that WPA2-Enterprise is what I need, to be able to have rotating
keys, use Radius for authentication, etc.
I know that WPA2-Enterprise requires certificates to validate the
I already have a Microsoft CA server running in my AD environment, with
the GPO needed to push out workstation certificate enrollment
and so on, for other applications.
My question is -
Can FreeRadius (3.0.1) on centos 7
be configured to do the machine authentication using certs from the
Microsoft CA server?
Meraki is the wireless infrastructure, if that helps.
List info/subscribe/unsubscribe? See
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Scanned by iCritical.
More information about the Freeradius-Users