Emulate AD-based machine authentication

Munroe Sollog mus3 at lehigh.edu
Tue Feb 18 16:28:16 CET 2020

Our current wireless environment uses Microsoft Active Directory with
Microsoft Network Policy Server to authenticate our 802.1x wireless
network.  As it is configured, it supports user authentication via PEAP and
mschapv2, and it also supports what NPS calls "machine authentication".
Which, based on its behavior allows any computer joined to the domain to
access the network with user credentials.  As an example, this is useful
for loaner laptops where the computer needs access to the network in order
to authenticate the user against AD.

I am trying to replace our current Microsoft NPS server with freeradius.  I
was able to follow the docs and use winbind to get PEAP-mschap user
authentication working flawlessly.  The last piece of this puzzle is, NPS
has a "magic checkbox" that enables machine-based authentication.  I have
been trying to figure out what that checkbox does, without much luck.

My best guess is that it's using the Active Directory certificates to do
EAP-TLS auth, but that is just my guess.  Has anyone ever tried to
replicate this feature? or have any insight?  I realize this isn't strictly
a freeradius question, but thought I would ask.

Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu

More information about the Freeradius-Users mailing list