computer authentication

Matthew Newton mcn4 at
Fri Dec 7 21:23:13 CET 2012

On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> Sorry, I was not clean with my setup information.  We do not have a domain,
> these are stand alone windows 7 devices.  We also have some tablets and
> some linux boxes.  Concern right now is the Windows 7 devices.  I didn't
> know that you cannot do machine authentication without a domain....

You can, but you'll need to handle the certificates on the hosts
manually. That's usually such a pain that the only real solution
is to use AD. If you've got a small number of devices, or can
write some other automated method of deploying certs, then it can
be possible to handle.

What you /can't/ do is both User auth (mschap - username +
password) *and* Computer auth (certificates - EAP-TLS) in the same
connection, as the default Windows supplicant, like most, doesn't
support client certificates with PEAP (and user auth - mschap -
needs to be inside PEAP).

> User authentication in my environment is just not an option because all of
> the devices need to have a connection to the network at all times even if
> nobody is logged in.  Should I be using PEAP/EAP-TLS instead?

There are no good reasons for doing PEAP/EAP-TLS unless you want
to use SoH. PEAP adds overhead to the auth, with no added benefit.

> If so do you know of any good setup documentation for that?

I wrote up how to do PEAP/EAP-TLS a while back - you can find it

That said - your connection is trying to do PEAP, so you've
configured your client for either 'certifiates' or mschap inside
PEAP. I forget the exact options in the interface, but you need to
choose 'certificates' rather than 'PEAP', then select the client
certificate that you want to auth with - which will be one that is
signed by the same CA that the CA_file option in your FreeRADIUS
eap.conf file points to. Make sure it's set to 'Computer' auth,
not 'User' or 'User + Computer'.

In theory, you'll then find that it Just Works. But the Windows
config interface takes a bit of head scratching to get around
until you understand what it's doing under the hood.



Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list