EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

David Mitton david at mitton.com
Thu Oct 11 15:45:19 CEST 2012


I'm sorry, I don't have time right now to help you, but you are on the
right track.  Windows has a feature "Machine Authentication" where the
station authenticates (using the $hostname and a secret credential
created at domain join) with a Domain controller before the user login.
On a hardwired Ethernet connection that happens in the background at boot.
On a dynamic connection like Wi-Fi that is an option, if the EAP
supplicant module supports it. (Most did not in the past.)  The control
for this has mutated between XP and later.

In Vista and Win7 this got more complicated, as you see there are XML
files called "profiles" that control these behaviors.  They are a bit
difficult to figure out at first (the documentation sucks and is
probably wrong at points), but if you burrow in and experiment a bit,
you might get it figured out.
There are command line tools for dumping the profiles and tweaking on  
the settings that the GUIs don't get to.

Once you get what you want settled, you can also create domain  
policies and push them to all stations that way.

Sorry, I don't have enough time to look up my old notes.
Dave.

Quoting Alexandros Gougousoudis <gougousoudis-list at servicecenter-khs.de>:

> Hi Alan,
>
> thanks for your reply!
>
> Alan DeKok wrote:
>>> "host/" as a realm for our Radsecproxy, I'd like to change the
>>> behaviour for the authentication via LAN and add a string to the
>>> <hostname>
>>>
>>
>>  Don't.  You will break EAP.
>>
>>
>
> That's not clear. Why would that break EAP if the workstations are
> sending a different Login? It already does, depending on LAN or WLAN
> Logins. I don't mean some kind of rewrite or redirect inside of
> Freeradius. Using Linux I can send whatever I want as the loginname.
>
>>  Find a better solution.  Change your rules so that you're keying off
>> of the correct data, and doing that only when you want.
>>
>
> I have now a more or less complicated regex rule in the radsecproxy,
> but I thought it's more elegant to unify both logins.  I thought doing
> it in the profile XML file of the LAN connection in Win, but
> unfortunately it's not the right place for it. At least all official
> resources I can find from MS are not pointing out how to do that.
>
>
>
> bye
> Alex
>
> -
> List info/subscribe/unsubscribe? See   
> http://www.freeradius.org/list/users.html
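Added example (not part of the thread above, and not Microsoft's or FreeRADIUS's code): the command-line profile dump Dave mentions is netsh. The script below exports the wired (LAN) and wireless (WLAN) 802.1X profiles, then compares the OneX <authMode> element, which is where the profile XML decides whether the supplicant tries machine authentication at boot ("machine" or "machineOrUser") or only after user logon ("user"). Assumed values you must adjust: wired interface "Ethernet", WLAN profile "CorpWiFi", scratch folder C:\Temp\profiles; run from an elevated PowerShell prompt.

```powershell
# Added example: compare machine-auth settings of the wired and wireless
# 802.1X profiles on a Windows station. Not from the original thread.
# Assumptions (adjust to your host): interface "Ethernet", WLAN profile
# "CorpWiFi", scratch folder C:\Temp\profiles, elevated prompt.

$Folder   = 'C:\Temp\profiles'   # assumed scratch folder
$LanIface = 'Ethernet'           # assumed; list with: netsh lan show interfaces
$WlanName = 'CorpWiFi'           # assumed; list with: netsh wlan show profiles

New-Item -ItemType Directory -Force -Path $Folder | Out-Null

# Export both profiles as XML. "netsh lan" needs the Wired AutoConfig
# service (dot3svc) running, otherwise it refuses with an error.
netsh lan  export profile folder="$Folder" interface="$LanIface"
netsh wlan export profile name="$WlanName" folder="$Folder"

function Get-OneXAuthMode {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    # OneX lives in its own namespace (http://www.microsoft.com/networking/OneX/v1);
    # matching on local-name() keeps one XPath valid for LANProfile and WLANProfile.
    $node = $doc.SelectSingleNode("//*[local-name()='OneX']/*[local-name()='authMode']")
    if ($null -eq $node) { return '(not set)' }
    return $node.InnerText.Trim()
}

# Classify each exported file by its root element instead of guessing file names.
$lanFile = $null; $wlanFile = $null
foreach ($f in Get-ChildItem -Path $Folder -Filter '*.xml') {
    [xml]$x = Get-Content -Path $f.FullName -Raw
    switch ($x.DocumentElement.LocalName) {
        'LANProfile'  { $lanFile  = $f.FullName }
        'WLANProfile' { $wlanFile = $f.FullName }
    }
}
if (-not $lanFile -or -not $wlanFile) {
    throw "Export did not produce both a LANProfile and a WLANProfile XML in $Folder"
}

$lanMode  = Get-OneXAuthMode -Path $lanFile
$wlanMode = Get-OneXAuthMode -Path $wlanFile
"LAN  ($lanFile): authMode = $lanMode"
"WLAN ($wlanFile): authMode = $wlanMode"

if ($lanMode -ne $wlanMode) {
    Write-Warning "authMode differs between LAN and WLAN, so machine authentication will behave differently on the two media."
}

# To make the wireless profile behave like the wired one, set authMode in the
# exported XML and re-import it. Uncomment to apply:
# [xml]$w = Get-Content -Path $wlanFile -Raw
# $w.SelectSingleNode("//*[local-name()='OneX']/*[local-name()='authMode']").InnerText = 'machineOrUser'
# $w.Save($wlanFile)
# netsh wlan add profile filename="$wlanFile" user=all
```

Once the XML does what you want, the same exported file is what you push through a domain policy (or `netsh lan add profile filename=... interface=...` on the wired side), so the profile is worth checking in one place before rolling it out.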
