Windows (7) Machine Certificates (Half Domain).
I've got a handful of windows clients. I'm most concerned about the Windows 7 machines, but there are a few Vista, and even an XP client. I want to deploy "Machine account certificates" for wifi authentication, so machines will be able to connect to the network BEFORE the user logs on (mainly for accessing remote shares), but only some of these machines are connected to the local DOMAIN (Samba 3, not overly relevant I don't think). What I would like to know is what should, or must, or what have you, the CN or DN attribute on the certificates for these systems look like to be used for machine authentication. I've tried just placing certificates with cn=hostname,... to the certificate store for the machine account, but they're never used, and the machine complains about not having a certificate when I try t connect to wifi. Also, most of these machines are wifi, though I plan to deploy radius on the switch soon (once the machine auth with wifi is working). I know this is a little off topic, but as it all relates to radius, I hope someone here will know the proper answer(s) or where to find clear concise documentation explaining this.
On 10/15/2011 03:17 AM, Christ Schlacta wrote:
I've got a handful of windows clients. I'm most concerned about the Windows 7 machines, but there are a few Vista, and even an XP client. I want to deploy "Machine account certificates" for wifi authentication, so machines will be able to connect to the network BEFORE the user logs on (mainly for accessing remote shares), but only some of these machines are connected to the local DOMAIN (Samba 3, not overly relevant I don't
Pre-logon auth has proven troublesome for other people, if the clients aren't full domain members. You may find this tricky to get working. As for the certs - I assume you have a working certificate for a domain member? Extract it, and examine the cert CAREFULLY, including all extension OIDs. Ensure the ones you're generating for the non-domain members have exactly the same attributes (except CN of course). You're right that it's off-topic, but what's really tragic is that Microsoft don't a) document and b) provide troubleshooting tools for their supplicant behaviour. It's a key bit of network AAA infrastructure, and it's damn inscrutable. Most of the other forums around the internet, including Microsofts own, contain ill-informed nonsense. I'm wondering if we should have a "8021x-client-admins" forum somewhere...
On 10/15/2011 2:46, Phil Mayers wrote:
On 10/15/2011 03:17 AM, Christ Schlacta wrote:
I've got a handful of windows clients. I'm most concerned about the Windows 7 machines, but there are a few Vista, and even an XP client. I want to deploy "Machine account certificates" for wifi authentication, so machines will be able to connect to the network BEFORE the user logs on (mainly for accessing remote shares), but only some of these machines are connected to the local DOMAIN (Samba 3, not overly relevant I don't
Pre-logon auth has proven troublesome for other people, if the clients aren't full domain members. You may find this tricky to get working.
As for the certs - I assume you have a working certificate for a domain member? Extract it, and examine the cert CAREFULLY, including all extension OIDs. Ensure the ones you're generating for the non-domain members have exactly the same attributes (except CN of course).
You're right that it's off-topic, but what's really tragic is that Microsoft don't a) document and b) provide troubleshooting tools for their supplicant behaviour. It's a key bit of network AAA infrastructure, and it's damn inscrutable. Most of the other forums around the internet, including Microsofts own, contain ill-informed nonsense. I'm wondering if we should have a "8021x-client-admins" forum somewhere... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I can get it working for neither domain members nor non-domain members. as I'm using a Samba 3 domain, I've got no mechanism to deploy certificates in a way windows is expecting, nor can I identify any sufficient documentation to do so. If anyone on list DOES have working certs for domain members, I'd much appreciate if you could post as much info as you can without compromising security.
participants (2)
-
Christ Schlacta -
Phil Mayers