Machine authentication with client certificate to Samba DC

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Thu Mar 30 09:20:03 UTC 2023


Dear All,

I'm trying to set up my radiusd server to authenticate Windows 11 machines using their computer name and a client certificate (deployed through GPO), and then put them in a specific VLAN based on either machine name or group membership.

I'm running Rocky OS and Samba as an AD (separate machines). ldapsearch is working well using the DC's certificate from the radiusd box.

The plan is to have one WiFi SSID with every domain-joined laptop automatically joining it using a deployed CA and client cert and the machine credentials. If possible, it would be good to allow BYOD on the same SSID using a user's AD credentials as long as they have both the CA and client cert installed.

I've got the radiusd self-generated CA deployed via GPO and I've got the WiFi GPO deployed and sending out the machine name. I see the machine trying to authenticate and failing. I try with a username/password and I get my VLAN accept packet.

How can I get the machine to authenticate, and how do I enforce the client certificate and install it through a GPO? I've done the CA, but the client certificate doesn't have an obvious place?

Attached is the debug output from a failed machine auth session, which tells me that there is no machine password in the access request...?

It all goes wrong around packet 7, lines 1962 - 1986.

Thank you,

Tim
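Added example (not from the original post or the list thread): one way to express the setup described above in FreeRADIUS 3.x, where machines authenticate by EAP-TLS with the GPO-deployed client certificate, BYOD users authenticate by PEAP with AD credentials but are still required to present a client certificate, and the VLAN is chosen in post-auth from what the server has verified. The CA path, the domain suffix `lambrookschool.co.uk` taken from the sender's address, and the VLAN IDs 20 and 30 are assumptions for illustration; the attribute and option names are the ones FreeRADIUS 3.x ships with.

```unlang
# mods-available/eap (excerpt, FreeRADIUS 3.x; paths are assumptions)
eap {
    # Offer EAP-TLS first: a domain-joined machine with a client cert will take it.
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        # CA that issued the client certs; a cert from any other CA fails the handshake
        ca_file          = ${cadir}/ca.pem
        # Refuse the session if the cert CN does not match the EAP identity
        # (Windows machine auth sends host/<fqdn> as the identity).
        check_cert_cn    = %{User-Name}
    }

    tls {
        tls = tls-common
    }

    # BYOD path: username/password inside PEAP, but still demand a client cert.
    peap {
        tls                  = tls-common
        default_eap_type     = mschapv2
        require_client_cert  = yes
        virtual_server       = "inner-tunnel"
    }
}

# sites-enabled/default, post-auth section (excerpt)
post-auth {
    # Belt and braces: nothing should reach here without a verified client cert.
    if (!&TLS-Client-Cert-Common-Name) {
        reject
    }

    # Domain-joined machine: EAP-TLS and a cert CN under the AD domain (assumed suffix).
    if ((&EAP-Type == TLS) && (&TLS-Client-Cert-Common-Name =~ /\.lambrookschool\.co\.uk$/i)) {
        update reply {
            &Tunnel-Type             := VLAN
            &Tunnel-Medium-Type      := IEEE-802
            &Tunnel-Private-Group-Id := "20"     # assumed: domain laptop VLAN
        }
    }
    # BYOD user: PEAP with AD credentials, client cert already enforced above.
    elsif (&EAP-Type == PEAP) {
        update reply {
            &Tunnel-Type             := VLAN
            &Tunnel-Medium-Type      := IEEE-802
            &Tunnel-Private-Group-Id := "30"     # assumed: BYOD VLAN
        }
    }
    else {
        reject
    }
}
```

Check the behaviour with `radiusd -X` and an EAP-TLS test client (for example `eapol_test` with a certificate issued by the same CA): a machine cert whose CN is not in the domain, or a PEAP client with no certificate, must be rejected before any VLAN attributes appear in the reply. Assigning the VLAN from an AD group instead of the certificate name is a separate step: it needs the `ldap` module's group lookup keyed on the machine or user account, and for PEAP it belongs in the `inner-tunnel` server where the real username is visible.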
