Windows (7) Machine Certificates (Half Domain).
Phil Mayers
p.mayers at imperial.ac.uk
Sat Oct 15 11:46:06 CEST 2011
On 10/15/2011 03:17 AM, Christ Schlacta wrote:
> I've got a handful of windows clients. I'm most concerned about the
> Windows 7 machines, but there are a few Vista, and even an XP client. I
> want to deploy "Machine account certificates" for wifi authentication,
> so machines will be able to connect to the network BEFORE the user logs
> on (mainly for accessing remote shares), but only some of these machines
> are connected to the local DOMAIN (Samba 3, not overly relevant I don't

Pre-logon auth has proven troublesome for other people, if the clients
aren't full domain members. You may find this tricky to get working.

As for the certs - I assume you have a working certificate for a domain
member? Extract it, and examine the cert CAREFULLY, including all
extension OIDs. Ensure the ones you're generating for the non-domain
members have exactly the same attributes (except CN of course).

You're right that it's off-topic, but what's really tragic is that
Microsoft don't a) document and b) provide troubleshooting tools for
their supplicant behaviour. It's a key bit of network AAA
infrastructure, and it's damn inscrutable. Most of the other forums
around the internet, including Microsoft's own, contain ill-informed
nonsense. I'm wondering if we should have a "8021x-client-admins" forum
somewhere...
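
The check described in the message above (take the working domain-member certificate and confirm the generated one carries the same extensions) can be scripted. This is an added example, not part of the original post: standard-library Python that reads two PEM or DER certificates and reports every extension whose OID, criticality flag or raw value differs. The function names are hypothetical, and the two sample inputs are constructed DER skeletons holding only an extendedKeyUsage extension, not real certificates and not a statement of what Windows requires.

```python
import base64, re

def tlv(buf, pos=0):                    # one DER element: (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):                      # contents of a constructed element as (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def oid(val):                           # dotted form of an OBJECT IDENTIFIER value
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)       # base-128 arc, high bit means "more bytes"
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def extensions(cert):                   # {oid: (critical, extnValue)} from a PEM or DER certificate
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    tbs = children(tlv(der)[1])[0][1]   # Certificate -> tbsCertificate
    exts = {}
    for tag, val in children(tbs):
        if tag == 0xA3:                 # [3] EXPLICIT Extensions
            for _, ext in children(tlv(val)[1]):
                f = children(ext)       # extnID, optional critical BOOLEAN, extnValue
                exts[oid(f[0][1])] = (len(f) == 3 and f[1][1] != b"\x00", f[-1][1])
    return exts

def compare(reference, candidate):      # {oid: (reference entry, candidate entry)} where they differ
    ref, cand = extensions(reference), extensions(candidate)
    return {o: (ref.get(o), cand.get(o))
            for o in sorted(set(ref) | set(cand)) if ref.get(o) != cand.get(o)}

def enc(tag, body):                     # sample-building helper (short-form lengths only)
    return bytes([tag, len(body)]) + body

def sample(eku_oid, critical=b""):      # constructed skeleton, NOT a real certificate
    ext = enc(0x30, enc(0x06, b"\x55\x1d\x25") + critical + enc(0x04, enc(0x30, enc(0x06, eku_oid))))
    return enc(0x30, enc(0x30, enc(0x02, b"\x01") + enc(0xA3, enc(0x30, ext))))

REFERENCE = sample(b"\x2b\x06\x01\x05\x05\x07\x03\x02")   # EKU clientAuth
CANDIDATE = sample(b"\x2b\x06\x01\x05\x05\x07\x03\x01")   # EKU serverAuth
```

An entry of `None` on either side of a reported pair means that certificate lacks the extension altogether. Extensions that are unique per certificate by design, such as a subject key identifier, will also show up as value differences and need to be judged by eye.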
More information about the Freeradius-Users
mailing list