Machine authentication against AD CS
Hi everyone, I've been searching for documentation about FR to manage hosts Access-Requests of this type : ———— (0) Received Access-Request Id 139 from 10.14.240.106:32773 to 10.14.129.201:1812 length 324 (0) User-Name = "host/C304Z-HP2560.campus.unicaen.fr" (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "08-11-96-6e-09-5c" (0) Called-Station-Id = "00-3a-99-91-f1-10:flexi" (0) NAS-Port = 13 (0) Cisco-AVPair = "audit-session-id=0a0ef06a0008a5df5b4c8983" (0) Acct-Session-Id = "5b4c8983/08:11:96:6e:09:5c/611634" (0) NAS-IP-Address = 10.14.240.106 (0) NAS-Identifier = "C1-AC5-A1" (0) Airespace-Wlan-Id = 10 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "120" (0) EAP-Message = 0x0202002801686f73742f433330345a2d4850323536302e63616d7075732e756e696361656e2e6672 (0) Message-Authenticator = 0x6965b96bd6574a69e7b1e88560e90146 What I — normally — need to do is to verify the host certificate against the AD CS. Did anyone here managed to do that? It would be nice to share or at least show me the breadcrumbs I need to follow… Thank you in advance! -- ૐ — Olivier Le Monnier — ☎ 023156.6209 Pôle Infrastructures — SysAdmin Linux Direction du Système d'Information Université de Caen Normandie
On Wed, 2018-07-18 at 11:30 +0200, Olivier Le Monnier wrote:
What I — normally — need to do is to verify the host certificate against the AD CS.
Put a copy of the AD root CA certificate on the FreeRADIUS server. Configure the "ca_file" setting in raddb/mods-enabled/eap (in the "tls- config tls-common" section) to point at the root CA file. If you want to do further checks on the certificate, use the "check- eap-tls" virtual server (see comments in the eap module config). -- Matthew
participants (2)
-
Matthew Newton -
Olivier Le Monnier