Hi, if winbind works for you, the "machine auth" should too. When windows supplicant is set to do machine auth, it uses username in form of 'host/hostname.your.domain'. Internaly in AD, it's an object similar to user account, with additional class(es). It has it's own samaccountname. userprincipalname. Also it has password, which is changed by default every 30 days ( https://docs.microsoft.com/cs-cz/archive/blogs/askds/machine-account-passwor... ). Here is example machine auth request from debug log. (0) Received Access-Request Id 114 from 172.24.254.250:32774 to 172.24.1.6:1812 length 344 (0) User-Name = "host/PROBOOK.ABC.cz" (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civic-Location (0) Calling-Station-Id = "20-10-7a-01-77-fe" (0) Called-Station-Id = "3c-ce-73-6d-3a-50:ABC" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=ac19646400016f415c666ce9" (0) Acct-Session-Id = "5c666ce9/20:10:7a:01:77:fe/96853" (0) Cisco-AVPair = "mDNS=true" (0) NAS-IP-Address = 172.25.100.100 (0) NAS-Identifier = "CT2504_100.100" (0) Airespace-Wlan-Id = 1 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "666" (0) EAP-Message = 0x... (0) Message-Authenticator = 0x... Run your radiusd in radiusd -X and set windows to do machine auth, and you will see something similar as above. The in post-auth you can for example do some checking like if ( &User-Name =~ /^host\/.*$/) { update reply { ... } ... Hope that helps, P. On Tue, Feb 18, 2020 at 4:28 PM Munroe Sollog <mus3@lehigh.edu> wrote:
I am trying to replace our current Microsoft NPS server with freeradius. I was able to follow the docs and use winbind to get PEAP-mschap user authentication working flawlessly. The last piece of this puzzle is, NPS has a "magic checkbox" that enables machine-based authentication. I have been trying to figure out what that checkbox does, without much luck.
My best guess is that it's using the Active Directory certificates to do EAP-TLS auth, but that is just my guess. Has anyone ever tried to replicate this feature? or have any insight? I realize this isn't strictly a freeradius question, but thought I would ask.
-- Munroe Sollog Senior Network Engineer munroe@lehigh.edu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html