Machine authentication with client certificate to Samba DC
Matthew Newton
mcn at freeradius.org
Thu Mar 30 12:06:49 UTC 2023
On 30/03/2023 12:43, Tim ODriscoll wrote:
>> To do machine auth with passwords (PEAP/EAP-MSCHAPv2) you would need to
>> use Samba, not LDAP.
>
> When you say 'use Samba', do you mean ntlm_auth back to my DC? I'm already using LDAP back to my Samba DC.
Yes, ntlm_auth back to the DC, which means installing Samba on the FR
server and joining it to the domain. It doesn't matter whether the DC is
Samba or AD.
But if you use certificates (EAP-TLS) for "machine" auth and
EAP-TTLS/PAP for "user" auth, then LDAP back to the DC will be fine.
>>> Are you implying that the best (most secure) way for my setup is to deploy a client cert to every device that wants to connect to the WiFi and only use that for authentication (ie no username/password or computername/password)?
>> Yes
>> You can't use both in Windows anyway - it's one or the other.
>
> Please could you clarify that statement - do you mean:
> A) I can't do user auth & machine auth
> B) I can't do user auth & client cert
> C) I can't do machine auth & client cert
What MS call "machine auth" is just the computer authenticating (with
EAP-TLS or PEAP/EAP-MSCHAPv2) before any user has logged in.
You can't (at least, I don't think it's changed) do machine auth (cert
or password) and then also send some kind of username/password at the
same time (e.g. you can't do PEAP at login time, send the user login
credentials, but also use a client certificate).
I think you can do "machine auth" at boot time, and then re-auth a
second time ("user auth") when the user logs in.
Both "machine auth" and "user auth" can use certificates, and both can
use usernames and passwords.
"Machine auth" will be (IIRC) EAP-TLS (certs) or PEAP/EAP-MSCHAPv2
(computer account password).
"User auth" will be EAP-TLS (cert) or a variety of other EAP methods for
username/password.
So you can easily configure FR to do both EAP-TLS (handle the machine
auth certificate side) and also e.g. EAP-TTLS/PAP to handle BYOD logins
with username/password.
To handle BYOD with e.g. PEAP/EAP-MSCHAPv2 you will need to join the
RADIUS server to the domain with Samba and use ntlm_auth (in the same
way as you would for machine auth with passwords) because LDAP won't
give out any kind of password to compare against.
> I don't have any Windows servers, and only use Samba AD with a Windows VM for GPO, so (if I follow you correctly), I would be looking at user auth (LDAP & EAP-TTLS/PAP) and machine auth (ntlm_auth? & PEAP/EAP-MSCHAPv2) on the same FR?
Yes. But I'd use certs for the machine auth, not PEAP/EAP-MSCHAPv2, if
possible. As I said above, Windows won't do client certs with PEAP, so
it's certificates (EAP-TLS) OR computer account password.
> Thank you for your help with this - a few emails from you have been more productive than hours probing Google.
We try to help...
Getting your head around all the EAP methods (and Windows / client
capabilities) can take a while, especially if you're new to it.
--
Matthew
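The split described in this thread (EAP-TLS for machine certificates, EAP-TTLS/PAP checked against LDAP for BYOD users, and ntlm_auth only if PEAP/EAP-MSCHAPv2 is needed) as an added FreeRADIUS 3.x configuration example; this is not from the original post or the FreeRADIUS project. Certificate paths, the CA name and the ntlm_auth path are placeholders, and the unlang in inner-tunnel follows the stock virtual server layout.

```conf
# mods-available/eap: one shared TLS config; EAP-TLS handles the machine
# auth certificate side, EAP-TTLS carries an inner PAP exchange for users.
eap {
    default_eap_type = tls            # clients wanting TTLS will NAK and ask for it
    tls-config tls-common {
        private_key_file = ${certdir}/radius.key     # placeholder server key
        certificate_file = ${certdir}/radius.pem     # placeholder server cert
        ca_file = ${cadir}/machine-ca.pem            # CA that issued the machine certs
        check_crl = yes                              # reject revoked machine certs
    }
    tls {
        tls = tls-common              # machine auth: client cert is mandatory here
    }
    ttls {
        tls = tls-common
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"   # inner PAP is processed there
        require_client_cert = no          # BYOD devices have no client cert
    }
}

# sites-available/inner-tunnel: the TTLS inner User-Password is verified by
# an LDAP bind, so no password hash ever has to leave the Samba DC.
server inner-tunnel {
    authorize {
        filter_username
        ldap
        if ((ok || updated) && User-Password) {
            update { control:Auth-Type := ldap }
        }
        pap
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
        pap
    }
}

# mods-available/mschap: only needed for PEAP/EAP-MSCHAPv2 (computer-account
# or user passwords). Requires the RADIUS host to be joined to the domain
# with Samba, because LDAP cannot return anything to compare the NT response against.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The `eap` module in the default virtual server's authorize and authenticate sections dispatches to whichever EAP type the supplicant negotiates, so no extra routing between the two methods is needed.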