eap-tls on non-domain computers?!

Elias Pereira empbilly at gmail.com
Mon Oct 8 14:12:07 CEST 2018


>
>  What does that mean?  EAP-TLS is certificate-based authentication.  It
> has nothing whatsoever to do with AD domains.


In my infra, it works as follows.

1. The user downloads the p12 file containing the personal certificate, key
and CA;
2. I made an automatic installer for Windows;
3. The installation of the p12 is done via certutil, which installs the
certificate and CA in the user's scope.

FreeRADIUS checks the CN of the certificate, which is the stripped username
+ realm/domain of our AD. Once the verification is done, if it is in the
correct group, the redirection is made to the specific VLAN.

>  If the computer has a correct client certificate, then they will be
> authenticated via EAP-TLS.


In our infra, for computers that are in the domain, yes. Out of the domain, no.

>   Why do you think EAP-TLS requires domain checks?  Or maybe more
> correctly, what have you done to your system that ties EAP-TLS to the AD
> domain?


Because the certificate is installed in the user scope, after the
WPA2-Enterprise configuration, the authentication in FreeRADIUS is based on
the certificate that was installed for the user in question and belongs to
the domain. If you install it on a computer that is not in the domain, the
certificate will not hit the user.

E.g.:

Starting from the same AD user "test":

Computer in the domain
The domain user "test" logs in on the computer, downloads the
test@mydomain.tld certificate, installs it, and during authentication it is
verified that the certificate's CN matches the user name on the
computer, i.e. the AD user.

Computer outside the domain
The local user "pc-local" logs in on the computer, downloads the
test@mydomain.tld certificate, installs it, and during authentication it is
verified that the certificate's CN does not match the user name on the
computer, i.e. it is not the same as the AD user.


On Thu, Oct 4, 2018 at 5:39 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Oct 4, 2018, at 4:10 PM, Elias Pereira <empbilly at gmail.com> wrote:
> > I have an environment with samba4 ADDC and freeradius for eap-tls
> > authentication. For computers that are in the domain, eap-tls
> > authentication with personal certificate is already working.
>
>   What does that mean?  EAP-TLS is certificate-based authentication.  It
> has nothing whatsoever to do with AD domains.
>
> > I would like to do EAP-TLS authentication for computers that are not in
> our
> > domain, ie private computers, but that the user is part of our domain.
> >
> > Is there any way to do this via eap-tls?
>
>   If the computer has a correct client certificate, then they will be
> authenticated via EAP-TLS.
>
>   Why do you think EAP-TLS requires domain checks?  Or maybe more
> correctly, what have you done to your system that ties EAP-TLS to the AD
> domain?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
Elias Pereira
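A configuration sketch of the two server-side checks described in this thread (certificate CN bound to the AD identity, AD group mapped to a VLAN), added here as an example; it is not configuration from the list post or from the FreeRADIUS project. It assumes FreeRADIUS 3.x with the check-eap-tls virtual server, an rlm_ldap instance that exposes LDAP-Group, and placeholder values for the CA path, group DN and VLAN id.

```unlang
# mods-available/eap, tls-config section (FreeRADIUS 3.x assumed).
# The certificate chain is validated against ca_file during the TLS
# handshake; the virtual server below then binds the certificate to an
# AD identity. Nothing here looks at the computer's domain membership.
tls-config tls-common {
    ca_file        = ${certdir}/ca.pem          # placeholder: issuing CA only
    virtual_server = check-eap-tls
}

# sites-available/check-eap-tls: runs once the client certificate is seen.
server check-eap-tls {
    authorize {
        # Reject unless the certificate CN equals the EAP identity the
        # supplicant sent, i.e. the stripped AD username plus the realm
        # (for example test@mydomain.tld).
        if (&TLS-Client-Cert-Common-Name != &User-Name) {
            reject
        }
        ok
    }
}

# sites-available/default, post-auth section: AD group check and VLAN
# assignment. The group DN and VLAN id are placeholders.
post-auth {
    if (&LDAP-Group == "cn=wifi-users,ou=groups,dc=mydomain,dc=tld") {
        update reply {
            &Tunnel-Type             := VLAN
            &Tunnel-Medium-Type      := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Valid certificate but wrong group: refuse rather than fall
        # through to a default VLAN.
        reject
    }
}
```

Because the identity check compares the CN with the EAP outer identity rather than with the Windows logon account, the same configuration accepts a correctly issued user certificate from a non-domain computer.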