RADIUS wifi not working on Windows with domain users
Forster Arnaud
arnaud.forster at mwprog.ch
Tue Apr 10 11:48:37 CEST 2018
Oooh I see now,
thanks for the informations, I'll have a deeper look into this ;)
My Samba AD is NT-domain style .. :(
Thanks very much for your help :)
Arnaud
Le 10.04.2018 à 11:27, Stefan Winter a écrit :
> Hello,
>
>> with no problem, means that a box in coming and I've to enter a
>> username/password from my domain users. Once this is made, my
>> username/password are stored and they are not requested anymore. In this
>> case I didn't install any certificate of my computer.
> That's what I meant with "gaping security hole". An attacker can simply
> set up a Wi-Fi network with the same SSID and arbitrary RADIUS server,
> and your computer will happily send your username and password to that
> rogue attacker when in the vicinity.
>
> In order to achieve security, a client device MUST verify the
> server-side certificate. And that means installing the CA, mark it as
> the CA to trust for this particular Wi-Fi network, and pinning the
> expected server name.
>
> I.e. your perception of you not having a problem is wrong.
>
> There are tools that allow you to specify your deployment details and
> get an installer that does the right settings out of it. One example is
> https://802.1x-config.org
>
>> For computers registered into the domain, they are several cases :
>>
>> With windows 10 , I can connect if I do that before entering my
>> username/password to start my session. Once my session started, I can't
>> connect anymore.
>>
>> For Windows 7, as I can't connect before entering in a session, I tested
>> 2 different situations : 1 with a local account and 1 with a domain
>> account. In both cases I can't connect to my wifi and the certificate
>> error is coming.
>>
>> My domain is a samba domain so I don't think (but not sure) I can use
>> GPOs for this ..
> If it's a Samba 4 AD server, you should be able to. If it's a Samba 3
> "NT-Domain" style server, then no.
>
> Greetings,
>
> Stefan Winter
>
More information about the Freeradius-Users
mailing list