Windows (7) Machine Certificates (Half Domain).

Phil Mayers p.mayers at
Sat Oct 15 11:46:06 CEST 2011

On 10/15/2011 03:17 AM, Christ Schlacta wrote:
> I've got a handful of windows clients.  I'm most concerned about the
> Windows 7 machines, but there are a few Vista, and even an XP client. I
> want to deploy "Machine account certificates" for wifi authentication,
> so machines will be able to connect to the network BEFORE the user logs
> on (mainly for accessing remote shares), but only some of these machines
> are connected to the local DOMAIN (Samba 3, not overly relevant I don't

Pre-logon auth has proven troublesome for other people, if the clients 
aren't full domain members. You may find this tricky to get working.

As for the certs - I assume you have a working certificate for a domain 
member? Extract it, and examine the cert CAREFULLY, including all 
extension OIDs. Ensure the ones you're generating for the non-domain 
members have exactly the same attributes (except CN of course).

You're right that it's off-topic, but what's really tragic is that 
Microsoft don't a) document and b) provide troubleshooting tools for 
their supplicant behaviour. It's a key bit of network AAA 
infrastructure, and it's damn inscrutable. Most of the other forums 
around the internet, including Microsofts own, contain ill-informed 
nonsense. I'm wondering if we should have a "8021x-client-admins" forum 

More information about the Freeradius-Users mailing list