Machine authentication with client certificate to Samba DC

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Thu Mar 30 09:56:53 UTC 2023


On 30/03/2023 10:44, Matthew Newton wrote:
> No idea about GPO, but as well as setting "computer auth" you will need
> to set the option to do I think "smart card or certificate" - at least
> it was something like that a few years back.

I have tried using the 'smart card or certificate' option in the GPO, but I can't see how to specify the client cert I generated on the FR box. I've imported it just fine, but in the GPO options there is nothing (that I can see) to allow me to specify a client cert - only the CA (which I did). The laptop just complains about needing a certificate but won't let me point it to one.

> FR is complaining that it can't get a password from AD to compare
> against (which you won't ever get from AD - certificates is definitely
> the way to go here).

Given that I can do user authentication, I thought machine authentication would work the same way. Where a machine would pass its credentials over and FR would use them to try and bind to the Samba LDAPS interface?

Are you implying that the best (most secure) way for my setup is to deploy a client cert to every device that wants to connect to the WiFi and only use that for authentication (ie no username/password or computername/password)? Would I use only one client cert for all laptops, or will I have to mess about with Windows Server and try to use templates to get the clients to generate certificates when they apply the GPO?

Many thanks for your input,

Tim
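As an added example (not part of Tim's message and not FreeRADIUS or Samba project code), the script below shows the per-device alternative Tim asks about: one private CA, one client certificate per machine with the computer's name in the CN and SAN, and the checks a RADIUS server performs at EAP-TLS time (chain verifies to the trusted CA, certificate is a client certificate, the CN identifies a specific machine). It assumes only the openssl command-line tool; the CA name and host names are constructed.

```shell
#!/bin/sh
# Added example: per-machine EAP-TLS client certificates from a private CA.
# All names below (Lab Wi-Fi CA, laptop01.example.lan, ...) are constructed.
set -eu

# make_ca DIR -> creates DIR/ca.key and DIR/ca.crt (self-signed root)
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Lab Wi-Fi CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_machine_cert DIR HOSTNAME -> DIR/HOSTNAME.key and DIR/HOSTNAME.crt
# CN and SAN both carry the machine name, so the RADIUS server can tie the
# presented certificate to one computer rather than to "any laptop".
# extendedKeyUsage=clientAuth marks it as a client (not server) certificate.
issue_machine_cert() {
    dir=$1; host=$2
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage = clientAuth\nsubjectAltName = DNS:%s\n' "$host" \
        > "$dir/$host.ext"
    openssl x509 -req -days 30 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

# verify_chain DIR CERT -> exit 0 only if CERT chains to DIR/ca.crt and is
# usable as a TLS client certificate (what the server does with the CA it trusts)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

# cert_cn CERT -> prints the subject CN, the value FreeRADIUS exposes as
# TLS-Client-Cert-Common-Name for per-machine policy decisions
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=CN=//'
}

# Demonstration: two laptops from the trusted CA, one from an unrelated CA.
work=$(mktemp -d)
make_ca "$work"
issue_machine_cert "$work" laptop01.example.lan
issue_machine_cert "$work" laptop02.example.lan
for h in laptop01.example.lan laptop02.example.lan; do
    if verify_chain "$work" "$work/$h.crt"; then
        echo "accepted: CN=$(cert_cn "$work/$h.crt")"
    fi
done

# A certificate issued by any other CA must fail verification, even though it
# looks identical in structure; this is what trusting only your own CA buys you.
other=$(mktemp -d)
make_ca "$other"
issue_machine_cert "$other" laptop03.example.lan
if ! verify_chain "$work" "$other/laptop03.example.lan.crt"; then
    echo "rejected: laptop03 certificate from an untrusted CA"
fi
```

Issuing one certificate per machine (rather than a single shared one) means a lost or retired laptop can be handled by revoking or simply no longer trusting that one certificate, and the CN gives the RADIUS server something to match against the computer account; a single shared certificate gives neither.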

