FW: FreeRadius and WPA2-Enterprise machine authentication - With Active Directory interconnection..

Tim Reimers treimers at ashevillenc.gov
Thu Dec 11 22:56:49 CET 2014

Allow me to correct the misplaced > marks.
Apparently, my email client didn't add the needed >> marks to delineate Alan's kind reply from my confusion ;-)

Corrected below....

-----Original Message-----

On Dec 11, 2014, at 3:16 PM, Tim Reimers <treimers at ashevillenc.gov> wrote:
>> The plan is to authenticate wireless users AND their computers. (so 
>> that a user cannot BYOD to the secure network; only laptops joined to 
>> the domain will work)

> Alan said:
>  You can't do 2 authentications for one system.  If the computers have machine accounts, they can do 802.1X to get on the network.  
> The users will do domain authentication to AD, but that's *after* the systems are on the network.

Thanks Alan.

So what you're basically saying is that the SSID/access point would use WPA2-Enterprise, and computers would authenticate themselves and that would prevent people from bringing in a personal laptop from home and using their AD credentials to connect personal equipment to the corporate network.

But if they used a laptop that the organization owned and which was joined to the domain, certificate enrolled, it would then be automatically associated, and the user would just log into the workstation after it connected to the wireless, and go on with work just as if they were plugged into the LAN. 

If I'm assuming correctly, can you point me to the current HOWTO document for Freeradius 3.01 and AD Server 2008 for configuring the WPA2-Enterprise and certificate authentication?
I see lots of docs out there, but I don't want to accidentally start working with a document that's incorrect for the current release of Freeradius or older AD versions.

>> I already have a Microsoft CA server running in my AD environment, 
>> with the GPO needed to push out workstation certificate enrollment and so on, for other applications.

> and Alan further said:
>  Just configure it in AD.  AD should push the machine credentials to the machines.

It has - we're good on that part, I think, with the exception of GPO pushing the correct SSID and wireless config.
I can work that part out.

Thanks, Tim
> My question is -
> Can FreeRadius (3.0.1) on centos 7
> be configured to do the machine authentication using certs from the Microsoft CA server?

  Yes.  Lots of people are doing this.

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
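For readers arriving at this thread with the same question, the following is an added configuration example (not taken from the thread, and not FreeRADIUS's stock config verbatim) of what "Yes" looks like in FreeRADIUS 3.0.x: an EAP-TLS-only setup in which the Microsoft CA's certificate chain is the trust anchor for the machine certificates the GPO enrolled. Paths under /etc/raddb, the file name ms-ca-chain.pem, the issuing-CA name Corp-Issuing-CA, and the access point's address and shared secret are all assumptions; the attribute and option names are those of FreeRADIUS 3.0.

```conf
# /etc/raddb/mods-available/eap  (FreeRADIUS 3.0.x on CentOS 7)
# Added example. Assumptions:
#   - the Microsoft root CA and issuing CA certificates were exported as
#     Base-64 X.509 and concatenated (root last) into ${cadir}/ms-ca-chain.pem
#   - server.pem / server.key are the RADIUS server's own certificate and key,
#     issued by a CA the Windows supplicants are configured to trust
eap {
    default_eap_type = tls            # machine certificates only: no PEAP/TTLS password path
    timer_expire     = 60
    ignore_unknown_eap_types = no
    max_sessions     = ${max_requests}

    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ms-ca-chain.pem   # trust anchor for client certs
        dh_file          = ${certdir}/dh
        cipher_list      = "HIGH"

        # A laptop that leaves the domain keeps its certificate until it
        # expires, so publish the CA's CRLs into ${cadir} (c_rehash'd PEM)
        # and check them; otherwise use short certificate lifetimes.
        ca_path   = ${cadir}
        check_crl = yes

        cache {
            enable = no               # keep session resumption off until the basic flow works
        }

        # Optional second opinion on the chain, run as an external command.
        verify {
            tmpdir = /tmp/radiusd
            client = "/usr/bin/openssl verify -CApath ${cadir} %{TLS-Client-Cert-Filename}"
        }
    }

    tls {
        tls = tls-common
    }
    # No peap {} or ttls {} block: a personal laptop with a valid AD password
    # but no machine certificate gets nothing to authenticate with.
}
```

```conf
# /etc/raddb/clients.conf  -- the access point or wireless controller
client corp-wlc {
    ipaddr = 10.0.0.5                 # assumed address of the controller
    secret = replace-with-a-long-random-secret
    nas_type = other
}
```

```conf
# /etc/raddb/sites-enabled/default, post-auth section (fragment).
# Belt-and-braces check that the client certificate really came from the
# enterprise issuing CA and not some other root that ended up in the chain file.
post-auth {
    if (&TLS-Client-Cert-Issuer && (&TLS-Client-Cert-Issuer !~ /CN=Corp-Issuing-CA/)) {
        reject
    }
    ...
}
```

Enable the module with `ln -s ../mods-available/eap /etc/raddb/mods-enabled/eap` (it is normally already linked on a fresh install) and run `radiusd -X` while a domain-joined laptop associates: the debug output shows the TLS handshake, the client certificate's subject and issuer, and either Access-Accept or the exact verification error. Once it works, switch the supplicant GPO to "Computer authentication" only, so the user's AD logon happens after the machine is on the network, as Alan describes.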