Emulate AD-based machine authentication
Jorge Pereira
jpereira at freeradius.org
Tue Feb 18 23:58:58 CET 2020
Hi Munroe,
The Microsoft NPS is a black box like any other proprietary product. Therefore, have you tried to capture/sniff the packets between your NAS <-> NPS? Maybe it could be a good way to figure out which attributes/AVPs they are exchanging.
Otherwise, it would be good if you could share with us the “radius -Xx” output of the communication between them.
---
Jorge Pereira
jpereira at freeradius.org
> On 18 Feb 2020, at 12:28, Munroe Sollog <mus3 at lehigh.edu> wrote:
>
> Our current wireless environment uses Microsoft Active Directory with
> Microsoft Network Policy Server to authenticate our 802.1X wireless
> network. As it is configured, it supports user authentication via PEAP and
> MSCHAPv2, and it also supports what NPS calls "machine authentication",
> which, based on its behavior, allows any computer joined to the domain to
> access the network with user credentials. As an example, this is useful
> for loaner laptops where the computer needs access to the network in order
> to authenticate the user against AD.
>
> I am trying to replace our current Microsoft NPS server with FreeRADIUS. I
> was able to follow the docs and use winbind to get PEAP-MSCHAP user
> authentication working flawlessly. The last piece of this puzzle is that NPS
> has a "magic checkbox" that enables machine-based authentication. I have
> been trying to figure out what that checkbox does, without much luck.
>
> My best guess is that it's using the Active Directory certificates to do
> EAP-TLS auth, but that is just my guess. Has anyone ever tried to
> replicate this feature? or have any insight? I realize this isn't strictly
> a freeradius question, but thought I would ask.
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
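As an added illustration of the capture-and-inspect approach suggested in the reply (this is example code written for this page, not code from the thread, FreeRADIUS or NPS): the script below assembles a constructed RADIUS Access-Request and Access-Accept of the kind a NAS and an NPS/FreeRADIUS server exchange during a PEAP attempt, decodes the attributes/AVPs including Microsoft vendor-specific ones, and verifies the Message-Authenticator against the shared secret. The shared secret, addresses, MACs, SSID and key bytes are all made up. The `host/` form of the User-Name is an assumption about what a domain-joined Windows supplicant sends as its machine identity; the page itself does not state this, so check it against a real capture.

```python
"""Decode RADIUS packets captured between a NAS and an NPS/FreeRADIUS server
and list their attributes. Sample packets are constructed, not captured."""
import hashlib
import hmac
import struct

# Attribute names used here (RFC 2865, RFC 2869, RFC 3579, RFC 2548).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type",
              26: "Vendor-Specific", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 61: "NAS-Port-Type",
              79: "EAP-Message", 80: "Message-Authenticator"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
MS_VENDOR = 311                      # Microsoft IANA enterprise number
MS_ATTR_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}
TEXT_ATTRS = {1, 30, 31}             # decoded as text; others as int/bytes


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Assemble a packet from (type, value) pairs. With a secret, append a
    Message-Authenticator: HMAC-MD5 over the packet with its value zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", 80, 18) + bytes(16)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def vsa(vendor_id, vendor_type, value):
    """Encode the value of a Vendor-Specific attribute (type 26)."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def parse_packet(data):
    """Return (code_name, ident, authenticator, [(name, value), ...]),
    decoding VSAs one level and naming the Microsoft ones we know."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        val = data[pos + 2:pos + l]
        if t == 26:
            vid, vt, vl = struct.unpack("!IBB", val[:6])
            name = MS_ATTR_NAMES.get(vt) if vid == MS_VENDOR else None
            attrs.append((name or f"Vendor-{vid}-Attr-{vt}", val[6:6 + vl - 2]))
        elif t in TEXT_ATTRS:
            attrs.append((ATTR_NAMES[t], val.decode("utf-8", "replace")))
        elif t == 4:
            attrs.append((ATTR_NAMES[t], ".".join(str(b) for b in val)))
        elif t in (6, 61):
            attrs.append((ATTR_NAMES[t], struct.unpack("!I", val)[0]))
        else:
            attrs.append((ATTR_NAMES.get(t, f"Attr-{t}"), val))
        pos += l
    return CODES.get(code, f"Code-{code}"), ident, data[4:20], attrs


def verify_message_authenticator(data, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator
    value zeroed and compare. False if the attribute is absent or wrong."""
    pos = 20
    while pos + 2 <= len(data):
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > len(data):
            return False
        if t == 80 and l == 18:
            zeroed = data[:pos + 2] + bytes(16) + data[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, data[pos + 2:pos + 18])
        pos += l
    return False


SECRET = b"testing123"          # constructed shared secret
REQ_AUTH = bytes(range(16))     # constructed Request Authenticator (normally random)
# EAP-Response/Identity (RFC 3748). The host/ identity is an assumption about
# how a Windows supplicant presents its machine account in PEAP.
IDENTITY = b"host/loaner-01.example.com"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY

SAMPLE_REQUEST = build_packet(1, 7, REQ_AUTH, [
    (1, IDENTITY),                        # User-Name
    (4, bytes([10, 0, 0, 5])),            # NAS-IP-Address (constructed)
    (61, struct.pack("!I", 19)),          # NAS-Port-Type = Wireless-802.11
    (31, b"AA-BB-CC-11-22-33"),           # Calling-Station-Id (client MAC)
    (30, b"00-11-22-33-44-55:CorpWiFi"),  # Called-Station-Id (AP MAC:SSID)
    (79, EAP_IDENTITY),                   # EAP-Message
], secret=SECRET)

# Access-Accept carrying the MS-MPPE session keys a server returns after PEAP;
# key bytes and the Response Authenticator are placeholders here.
SAMPLE_ACCEPT = build_packet(2, 7, bytes(16), [
    (26, vsa(MS_VENDOR, 16, bytes(34))),  # MS-MPPE-Send-Key (encrypted in reality)
    (26, vsa(MS_VENDOR, 17, bytes(34))),  # MS-MPPE-Recv-Key
    (1, IDENTITY),
])


def attribute_names(data):
    """Just the attribute names, in wire order."""
    return [name for name, _ in parse_packet(data)[3]]


if __name__ == "__main__":
    for pkt in (SAMPLE_REQUEST, SAMPLE_ACCEPT):
        code, ident, _, attrs = parse_packet(pkt)
        ok = verify_message_authenticator(pkt, SECRET)
        print(f"{code} id={ident} Message-Authenticator valid={ok}")
        for name, val in attrs:
            print(f"  {name} = {val!r}")
```

To apply this to a real capture, feed `parse_packet` the UDP payload of each datagram on port 1812 (for example, exported from tcpdump or Wireshark) together with the NAS's shared secret; a request from a NAS that fails the Message-Authenticator check is either using a different secret or has been tampered with, and the attribute list shows exactly what the NAS and NPS are exchanging.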