Machine authentication with client certificate to Samba DC
Matthew Newton
mcn at freeradius.org
Thu Mar 30 09:43:59 UTC 2023
On 30/03/2023 10:20, Tim ODriscoll wrote:
> I've got the radiusd self-generated CA deployed via GPO and I've got the WiFi GPO deployed and sending out the machine name. I see the machine trying to authenticate and fail. I try with a username/password and I get my VLAN accept packet.
>
> How can I get the machine to authenticate, and how do I enforce the client certificate and install it through a GPO? I've done the CA, but the client certificate doesn't have an obvious place?

Looks like you have not set the machine to do certificate auth, so it is
trying to do EAP-MSCHAPv2 with the computer account password.

No idea about GPO, but as well as setting "computer auth" you will need
to set the option to do, I think, "smart card or certificate" - at least
it was something like that a few years back.

FR is complaining that it can't get a password from AD to compare
against (which you won't ever get from AD - certificates are definitely
the way to go here).

--
Matthew