FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

Caines, Max Max.Caines at wlv.ac.uk
Fri Dec 12 14:42:40 CET 2014


As I understand it, when you configure 802.1x authentication on Windows, provided you tick the relevant box, Windows will authenticate twice, using the computer account and then the user account. Only after that does domain authentication direct to a DC kick in. It is possible to omit either stage, but I think only group policy can force use of the computer account only

Regards

Max

-----Original Message-----
From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 12 December 2014 11:43
To: FreeRadius users mailing list
Subject: RE: FreeRadius and WPA2-Enterprise machine authentication - With ActiveDirectory interconnection..

I wouldn't contradict anything others have said about this one, they
know their stuff more than me, but we *sort of* do this - user auth
using 802.1x plus mac address auth with macs stored in AD. Most wireless
controllers I've seen will support 802.1x + MAC , and do it as 2
separate authentication transactions. Some will also let you decide the
order the transactions appear in. 
Mac auth isn't great on its own, but in addition to 802.1x you are
authing the user/whole computer with certs and the computer with mac
addresses.
Just my 2p, possibly off track or wrong practice though!
Andy

-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of Tim Reimers
Sent: 11 December 2014 20:17
To: freeradius-users at lists.freeradius.org
Subject: FreeRadius and WPA2-Enterprise machine authentication - With
ActiveDirectory interconnection..


Hi everyone - 

I'm trying to design something here that I'm sure has been done before,
but AFAIK, it crosses through a few different howto documents, and 
being new to this, I'm just not certain that I have pieced together all
the relevant HOWTo docs and not missed a 
point at which the design won't communicate the needed information.

The plan is to authenticate wireless users AND their computers. (so that
a user cannot BYOD to the secure network; only laptops joined to the
domain will work)

I know that WPA2-Enterprise is what I need, to be able to have rotating
keys, use Radius for authentication, etc.
I know that WPA2-Enterprise requires certificates to validate the
machines

I already have a Microsoft CA server running in my AD environment, with
the GPO needed to push out workstation certificate enrollment
and so on, for other applications.

My question is - 
Can FreeRadius (3.0.1) on centos 7 
be configured to do the machine authentication using certs from the
Microsoft CA server?
Meraki is the wireless infrastructure, if that helps.

Thanks, Tim

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
Scanned by iCritical.


More information about the Freeradius-Users mailing list