Freeradius and deploying client certificates for Windows OS

Tony Skalski ajs at stolaf.edu
Mon May 3 15:52:10 CEST 2021


If you use Microsoft's certificate services, you can configure an automatic
certificate enrollment group policy. This can generate certs for both users
and computers as needed. This works for Windows clients. If you have other
clients, you will want an MDM or alternatively a certificate onboarding
solution, though if you have Macs joined to Active Directory, you should be
able to issue the certs without a for-pay MDM.

On Mon, May 3, 2021 at 7:48 AM Alan DeKok <aland at deployingradius.com> wrote:

> On May 3, 2021, at 6:30 AM, Vieri Di Paola <vieridipaola at gmail.com> wrote:
> > The problem I'm facing is how to easily manage deploying the client
> > certificates.
>
>   "Magic".  :(
>
> > The custom Certificate Authority has already been deployed with Active
> > Directory Group Policy.
> >
> > Each time I want a new client to authenticate I need to manually
> > import the client certificate in the Windows host via "mmc".
>
>   Yes.
>
> > Is there a way to automatically deploy the client certificates (e.g.
> > when a Windows client joins an AD)?
>
>   Pay $$$ a month per user for device management software.
>
> > Should I stop using openssl on the FreeRADIUS server and use MS
> > Certification Authority instead? Will I have compatibility issues if I
> > do that?
>
>   That doesn't really matter.  The issue isn't the certificates.  The
> issue is getting them onto the client devices, and configuring them there.
>
> > Can I keep using openssl certs but with a non-interactive way of
> > deploying them?
>
>   There are MDM solutions available.  They're almost always $$$, as this
> is a non-trivial problem to solve.
>
>   Alan DeKok.



-- 
*Tony Skalski*
System Administrator | IT

*Office:* 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
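
An added example, not part of the original message or of the FreeRADIUS project: a PowerShell audit to run on a Windows client after the auto-enrollment policy has applied, confirming that the machine and user stores hold a client-authentication certificate from the expected CA that is usable for EAP-TLS. The issuer pattern `EXAMPLE-ISSUING-CA` and the 30-day warning window are placeholders chosen for illustration.

```powershell
# Added example: audit auto-enrolled 802.1X client certificates on this host.
param(
    [string]$IssuerPattern = '*CN=EXAMPLE-ISSUING-CA*',  # placeholder: your issuing CA
    [int]$WarnDays = 30                                   # assumed renewal warning window
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'  # id-kp-clientAuth

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # Certificates without an EKU extension are skipped: this check wants an
    # explicit Client Authentication usage.
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

$now = Get-Date
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $certs = Get-ChildItem -Path $store | Where-Object {
        $_.Issuer -like $IssuerPattern -and (Test-ClientAuthEku $_)
    }
    if (-not $certs) {
        Write-Warning "$store : no client-auth certificate from the expected CA"
        continue
    }
    foreach ($c in $certs) {
        $problems = @()
        if (-not $c.HasPrivateKey) { $problems += 'no private key' }
        if ($c.NotBefore -gt $now) { $problems += 'not yet valid' }
        if ($c.NotAfter -lt $now)  { $problems += 'expired' }
        elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { $problems += "expires within $WarnDays days" }

        # Build the chain with the local trust stores (the CA was deployed by GPO).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($c)) {
            $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        [pscustomobject]@{
            Store      = $store
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            Status     = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}
```

Running `certutil -pulse` beforehand triggers an auto-enrollment pass, so a missing certificate in the output points at the policy or template permissions rather than at timing.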

