Machine authentication with client certificate to Samba DC

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Thu Mar 30 11:43:15 UTC 2023


On 30/03/2023 11:23, Matthew Newton wrote:
> You don't specify a cert, you just need to put it in the correct
> certificate store. I don't recall which one it is, but if in doubt just
> try each of them until one works...

I manually installed the FR client.crt file into my test laptop and 'let Windows automatically place the certificate into the correct store', and it put it in 'Other People'. That store isn't available on my GPO machine, so I chose the 'Trusted People' store instead for the GPO. It turns out neither of them works anyway, so I'll have to keep trying with that.

> To do machine auth with passwords (PEAP/EAP-MSCHAPv2) you would need to
> use Samba, not LDAP.

When you say 'use Samba', do you mean ntlm_auth back to my DC? I'm already using LDAP back to my Samba DC.


> > Are you implying that the best (most secure) way for my setup is to deploy a client cert to every device that wants to connect to the WiFi and only use that for authentication (ie no username/password or computername/password)?
> Yes
> You can't use both in Windows anyway - it's one or the other.

Please could you clarify that statement - do you mean:
A) I can't do user auth & machine auth
B) I can't do user auth & client cert
C) I can't do machine auth & client cert


> Use one certificate per device. It's one of the things where Windows
> makes it easier, as AD will generate and maintain certs on all your
> Windows machines for you. (EAP-TLS is normally hard to use because of
> the cert management, even though arguably it's the best and fastest form
> of authentication.)

I don't have any Windows servers, and only use Samba AD with a Windows VM for GPO, so (if I follow you correctly), I would be looking at user auth (LDAP & EAP-TTLS/PAP) and machine auth (ntlm_auth? & PEAP/EAP-MSCHAPv2) on the same FR?

Thank you for your help with this - a few emails from you have been more productive than hours probing Google.

Tim
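One way to lay out the split Tim sketches in his last question (user auth over EAP-TTLS/PAP with an LDAP bind to the Samba DC, machine auth over PEAP/EAP-MSCHAPv2 through ntlm_auth) on a single FreeRADIUS 3.x server. This is an added example, not configuration from the thread or from the FreeRADIUS project; the hostname, DN, service account and file paths are assumptions, and the RADIUS host is assumed to be joined to the Samba AD domain with winbind running.

```text
# --- mods-available/mschap: inner MS-CHAPv2 checked by Samba's ntlm_auth ---
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    # %{mschap:User-Name} turns a machine identity "host/pc1.example.lan"
    # into the AD account name "pc1$" before it is handed to ntlm_auth.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- mods-available/ldap: user lookup and bind against the Samba DC ---
ldap {
    server = 'ldaps://dc1.example.lan'                 # assumed hostname
    identity = 'CN=radius,CN=Users,DC=example,DC=lan'   # read-only service account
    password = 'CHANGE-ME'                              # placeholder
    base_dn = 'DC=example,DC=lan'
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# --- sites-available/inner-tunnel: route on identity and inner method ---
authorize {
    filter_username
    mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    suffix
    update control { &Proxy-To-Realm := LOCAL }
    eap
    # A host/ identity arriving with a plaintext password is a misconfigured
    # client (machines are expected on PEAP/MS-CHAPv2), so refuse it outright.
    if (&User-Name =~ /^host\//) {
        if (&User-Password) {
            reject
        }
    }
    # Users arrive over EAP-TTLS/PAP. Samba AD will not hand out a password
    # attribute over LDAP, so authenticate them with an LDAP bind, not pap.
    elsif (&User-Password) {
        update control { &Auth-Type := ldap }
    }
    -ldap
    pap
}

authenticate {
    Auth-Type MS-CHAP { mschap }
    Auth-Type LDAP { ldap }
    eap
}
```

Run `radiusd -X` while testing: the debug output shows which branch each inner request took and whether ntlm_auth or the LDAP bind rejected it.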

