Machine authentication with client certificate to Samba DC

Matthew Newton mcn at freeradius.org
Thu Mar 30 10:23:15 UTC 2023


On 30/03/2023 10:56, Tim ODriscoll wrote:
> On 30/03/2023 10:44, Matthew Newton wrote:
>> No idea about GPO, but as well as setting "computer auth" you will need
>> to set the option to do I think "smart card or certificate" - at least
>> it was something like that a few years back.
> 
> I have tried using the 'smart card or certificate' option in the GPO, but I can't see how to specify the client cert I generated on the FR box. I've imported it just fine, but in the GPO options there is nothing (that I can see) to allow me to specify a client cert - only the CA (which I did). The laptop just complains about needing a certificate but won't let me point it to one.

You don't specify a cert, you just need to put it in the correct 
certificate store. I don't recall which one it is, but if in doubt just 
try each of them until one works...

You do set the CA of the RADIUS server certificate, so that bit sounds 
correct.


>> FR is complaining that it can't get a password from AD to compare
>> against (which you won't ever get from AD - certificates is definitely
>> the way to go here).
> 
> Given that I can do user authentication, I thought machine authentication would work the same way. Where a machine would pass its credentials over and FR would use them to try and bind to the Samba LDAPS interface?

To do machine auth with passwords (PEAP/EAP-MSCHAPv2) you would need to 
use Samba, not LDAP.

User auth / BYOD may already be working for you if you've configured 
EAP-TTLS/PAP, but your mschap config has no ntlm_auth or winbind config.


> Are you implying that the best (most secure) way for my setup is to deploy a client cert to every device that wants to connect to the WiFi and only use that for authentication (ie no username/password or computername/password)?

Yes

You can't use both in Windows anyway - it's one or the other.


> Would I use only one client cert for all laptops, or will I have to mess about with Windows Server and try to use templates to get the clients to generate certificates when they apply the GPO?

Use one certificate per device. It's one of the things where Windows 
makes it easier, as AD will generate and maintain certs on all your 
Windows machines for you. (EAP-TLS is normally hard to use because of 
the cert management, even though arguably it's the best and fastest form 
of authentication.)

Sharing a key/certificate is just asking for trouble.

-- 
Matthew
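The per-device certificate model Matthew recommends (one private key and certificate per machine, all chaining to a CA the RADIUS server and the clients trust, and the certificate naming the device that presents it) can be exercised end to end with openssl. The script below is an added example and is not code from the thread or from the FreeRADIUS project; the CA name "Lab Root CA", the device names laptop01/laptop02.example.lan, and the work directory are constructed. In a real deployment the device key would be generated on the device (or by AD auto-enrolment, as the reply describes) rather than on the issuing host; it is generated locally here only so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: per-device EAP-TLS client certificates with a private lab CA.
# Not from the mailing-list thread; all names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the lab CA. Its certificate is what you configure as the trusted
#    CA in the GPO and in the RADIUS server's EAP-TLS settings.
make_lab_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Lab Root CA" >/dev/null 2>&1
}

# 2. Issue one certificate per device, with the device name in the CN and
#    SAN and the clientAuth EKU that the Windows EAP-TLS method expects.
issue_device_cert() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' "$name" \
        > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" >/dev/null 2>&1
}

# A self-signed certificate not issued by the lab CA (constructed to show
# that trust comes from the CA, not from the mere presence of a cert).
make_self_signed_cert() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# 3. Chain check: the same verification the RADIUS server performs against
#    its configured CA. Exit status 0 means the chain validates.
verify_device_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# 4. Identity check: the presented certificate must name the device that
#    claims it, so one device's cert cannot be reused to authenticate as
#    another. Exit status 0 means the CN matches.
cert_matches_device() {
    cert="$1"; expected="$2"
    openssl x509 -noout -subject -in "$WORK/$cert.crt" \
        | grep -q "CN *= *$expected\$"
}

# Walk through the model with two devices and one untrusted cert.
make_lab_ca
issue_device_cert laptop01.example.lan
issue_device_cert laptop02.example.lan
make_self_signed_cert rogue.example.lan

verify_device_cert laptop01.example.lan && echo "laptop01: chain OK"
verify_device_cert rogue.example.lan || echo "rogue: not issued by lab CA, rejected"
if cert_matches_device laptop02.example.lan laptop01.example.lan; then
    echo "unexpected: laptop02's certificate names laptop01"
else
    echo "laptop02's certificate cannot be presented as laptop01"
fi
echo "artifacts in $WORK"
```

Each device ends up with its own key pair under the constructed work directory; revoking or re-issuing one device's certificate then has no effect on any other device, which is the practical reason the reply warns against sharing a key/certificate.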
