Emulate AD-based machine authentication

Jorge Pereira jpereira at freeradius.org
Tue Feb 18 23:58:58 CET 2020

Hi Munroe,

	The Microsoft NPE is a blackbox like any other proprietary. Therefore, have you tried to capture/sniffer the packets between your NAS <-> NPS? Maybe It could be a good way to figure out which attributes/avps they are talking.

Otherwise, it would be good if you could share with us the “radius -Xx” output of the communication between them.
Jorge Pereira
jpereira at freeradius.org

> On 18 Feb 2020, at 12:28, Munroe Sollog <mus3 at lehigh.edu> wrote:
> Our current wireless environment uses Microsoft Active Directory with
> Microsoft Network Policy Server to authenticate our 802.1x wireless
> network.  As it is configured, it supports user authentication via PEAP and
> mschapv2, and it also supports what NPS calls "machine authentication".
> Which, based on its behavior allows any computer joined to the domain to
> access the network with user credentials.  As an example, this is useful
> for loaner laptops where the computer needs access to the network in order
> to authenticate the user against AD.
> I am trying to replace our current Microsoft NPS server with freeradius.  I
> was able to follow the docs and use winbind to get PEAP-mschap user
> authentication working flawlessly.  The last piece of this puzzle is, NPS
> has a "magic checkbox" that enables machine-based authentication.  I have
> been trying to figure out what that checkbox does, without much luck.
> My best guess is that it's using the Active Directory certificates to do
> EAP-TLS auth, but that is just my guess.  Has anyone ever tried to
> replicate this feature? or have any insight?  I realize this isn't strictly
> a freeradius question, but thought I would ask.
> -- 
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list