Machine authentication with client certificate to Samba DC

Matthew Newton mcn at
Thu Mar 30 09:43:59 UTC 2023

On 30/03/2023 10:20, Tim ODriscoll wrote:
> I've got the radiusd self-generated CA deployed via GPO and I've got the WiFi GPO deployed and sending out the machine name. I see the machine trying to authenticate and fail. I try with a username/password and I get my VLAN accept packet.
> How can I get the machine to authenticate, and how do I enforce the client certificate and install it through a GPO? I've done the CA, but the client certificate doesn't have an obvious place?

Looks like you have not set the machine to do certificate auth, so it is 
trying to do EAP-MSCHAPv2 with the computer account password.

No idea about GPO, but as well as setting "computer auth" you will need
to set the option to do, I think, "smart card or certificate" - at least
it was something like that a few years back.

FR is complaining that it can't get a password from AD to compare
against (which you won't ever get from AD - certificates are definitely
the way to go here).

