Freeradius and deploying client certificates for Windows OS
Hi, I'm currently using FreeRADIUS and self-signed certificates with openssl on the same server to authenticate clients with EAP-TLS. Most of these clients run MS Windows. The problem I'm facing is how to easily manage deploying the client certificates. The custom Certificate Authority has already been deployed with Active Directory Group Policy. Each time I want a new client to authenticate I need to manually import the client certificate in the Windows host via "mmc". Is there a way to automatically deploy the client certificates (eg. when a Windows client joins an AD)? Should I stop using openssl on the FreeRADIUS server and use MS Certification Authority instead? Will I have compatibility issues if I do that? Can I keep using openssl certs but with a non-interactive way of deploying them? Thanks, Vieri
On May 3, 2021, at 6:30 AM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
The problem I'm facing is how to easily manage deploying the client certificates.
"Magic". :(
The custom Certificate Authority has already been deployed with Active Directory Group Policy.
Each time I want a new client to authenticate I need to manually import the client certificate in the Windows host via "mmc".
Yes.
Is there a way to automatically deploy the client certificates (eg. when a Windows client joins an AD)?
Pay $$$ a month per user for device management software.
Should I stop using openssl on the FreeRADIUS server and use MS Certification Authority instead? Will I have compatibility issues if I do that?
That doesn't really matter. The issue isn't the certificates. The issue is getting them onto the client devices, and configuring them there.
Can I keep using openssl certs but with a non-interactive way of deploying them?
There are MDM solutions available. They're almost always $$$, as this is a non-trivial problem to solve. Alan DeKok.
If you use Microsoft's certificate services, you can configure an automatic certificate enrollment group policy. This can generate certs for both users and computers as needed. This works for Windows clients. If you have other clients, you will want an MDM or alternatively a certificate onboarding solution, though if you have Macs joined to Active Directory, you should be able to issue the certs without a for-pay MDM. On Mon, May 3, 2021 at 7:48 AM Alan DeKok <aland@deployingradius.com> wrote:
On May 3, 2021, at 6:30 AM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
The problem I'm facing is how to easily manage deploying the client certificates.
"Magic". :(
The custom Certificate Authority has already been deployed with Active Directory Group Policy.
Each time I want a new client to authenticate I need to manually import the client certificate in the Windows host via "mmc".
Yes.
Is there a way to automatically deploy the client certificates (eg. when a Windows client joins an AD)?
Pay $$$ a month per user for device management software.
Should I stop using openssl on the FreeRADIUS server and use MS Certification Authority instead? Will I have compatibility issues if I do that?
That doesn't really matter. The issue isn't the certificates. The issue is getting them onto the client devices, and configuring them there.
Can I keep using openssl certs but with a non-interactive way of deploying them?
There are MDM solutions available. They're almost always $$$, as this is a non-trivial problem to solve.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Tony Skalski* System Administrator | IT *Office: *507-786-3227 <(507)786-3227> 1510 St. Olaf Avenue Northfield, MN 55057 stolaf.edu
On Mon, May 3, 2021 at 3:53 PM Tony Skalski via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
If you use Microsoft's certificate services, you can configure an automatic certificate enrollment group policy. This can generate certs for both users and computers as needed. This works for Windows clients. If you have other clients, you will want an MDM or alternatively a certificate onboarding solution, though if you have Macs joined to Active Directory, you should be able to issue the certs without a for-pay MDM.
Yes, most of the clients are Windows. I was in fact thinking of following a guide such as this one: https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_set_up_automatic_... However, as I have 0 experience with M$ solutions I was wondering if anyone knew beforehand if the certs deployed by the Microsoft Certification Authority via AD group policy will be compatible with FreeRADIUS without extra fiddling. I'm asking because I wouldn't want to work my way out of Microsoft madness to finally find out that the certs are incompatible unless mangled as noted in this post (which might be outdated): http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h... Thanks, Vieri
That guide looks reasonable (after a quick glance). They are standard SSL/TLS certs - you might want to pay attention to key length and hash algorithm, but I don't know of any reason why they would be incompatible with FreeRADIUS. You will need to configure FR to accept the certs, but that probably doesn't count as "fiddling". Disclaimer: I am a FreeRADIUS newb, but have operated AD Certificate Services for 12+ years. On Mon, May 3, 2021 at 11:07 AM Vieri Di Paola <vieridipaola@gmail.com> wrote:
On Mon, May 3, 2021 at 3:53 PM Tony Skalski via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
If you use Microsoft's certificate services, you can configure an
automatic
certificate enrollment group policy. This can generate certs for both users and computers as needed. This works for Windows clients. If you have other clients, you will want an MDM or alternatively a certificate onboarding solution, though if you have Macs joined to Active Directory, you should be able to issue the certs without a for-pay MDM.
Yes, most of the clients are Windows. I was in fact thinking of following a guide such as this one:
https://docs.druva.com/Knowledge_Base/inSync/How_To/How_to_set_up_automatic_... However, as I have 0 experience with M$ solutions I was wondering if anyone knew beforehand if the certs deployed by the Microsoft Certification Authority via AD group policy will be compatible with FreeRADIUS without extra fiddling. I'm asking because I wouldn't want to work my way out of Microsoft madness to finally find out that the certs are incompatible unless mangled as noted in this post (which might be outdated):
http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h...
Thanks,
Vieri
-- *Tony Skalski* System Administrator | IT *Office: *507-786-3227 <(507)786-3227> 1510 St. Olaf Avenue Northfield, MN 55057 stolaf.edu
On May 3, 2021, at 12:07 PM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
However, as I have 0 experience with M$ solutions I was wondering if anyone knew beforehand if the certs deployed by the Microsoft Certification Authority via AD group policy will be compatible with FreeRADIUS without extra fiddling.
Certificates are just certificates. They're fine.
I'm asking because I wouldn't want to work my way out of Microsoft madness to finally find out that the certs are incompatible unless mangled as noted in this post (which might be outdated): http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h...
That message is 15 years out of date. Ignore it. FreeRADIUS comes with scripts that create certificates. Those certs work everywhere. Alan DeKok.
On Mon, May 3, 2021 at 8:13 PM Alan DeKok <aland@deployingradius.com> wrote:
On May 3, 2021, at 12:07 PM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
However, as I have 0 experience with M$ solutions I was wondering if anyone knew beforehand if the certs deployed by the Microsoft Certification Authority via AD group policy will be compatible with FreeRADIUS without extra fiddling.
Certificates are just certificates. They're fine.
I was thinking about the xpserver_ext extension. Anyway, I'm about to have MS sign my FR server CSR so I'll find out pretty soon. Thanks, Vieri
On May 4, 2021, at 6:44 PM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
I was thinking about the xpserver_ext extension.
The certificates created by the raddb/certs scripts work. They include the extensions.
Anyway, I'm about to have MS sign my FR server CSR so I'll find out pretty soon.
Certificates are just certificates. It doesn't matter who / how / why they were created. Alan DeKok.
participants (3)
-
Alan DeKok -
Tony Skalski -
Vieri Di Paola