Machine authentication with client certificate to Samba DC

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Thu Mar 30 13:56:23 UTC 2023


On 30/03/2023 13:07, Matthew Newton wrote:
> Yes. But I'd use certs for the machine auth, not PEAP/EAP-MSCHAPv2, if
> possible. As I said above, Windows won't do client certs with PEAP, so
> it's certificates (EAP-TLS) OR computer account password.

Wow - thank you for the detailed explanation of it all; I think I have a better idea of how to proceed now:
I really don't want to set up a Windows server for the individual client certificate generation via GPO, so I think I'll stick with machine auth via the computer account password (using my FR server as a Samba domain member and then ntlm_auth). Same for the BYOD part - username/password authentication.

I have one other (at the moment!) area of confusion:
A recent security audit told me that I need to use 'username/password authentication with digital certificates' for my WiFi authentication. The concern was that a rogue access point could trick an end-user device into attempting authentication and revealing a password hash. The theory is that the client device has a certificate to prove it is a trusted device. How would that work with FR?

If I deploy my FR CA to the client devices along with the WiFi profile pointing to that CA, surely the client devices will only connect to legitimate APs as the certificate will match the pre-installed FR CA?

Thank you,
Tim
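The check the pre-installed CA gives you, as an added example that is not part of the thread: a supplicant with a pinned CA accepts a RADIUS server certificate only if it chains to that CA, so a rogue AP presenting a self-signed certificate with the same name is rejected. The script below builds a throwaway lab CA, a server certificate signed by it, and a self-signed "rogue" certificate with an identical CN, then runs the same chain validation with openssl. All names (Lab FreeRADIUS CA, radius.lab.example) are constructed; nothing here is the FreeRADIUS project's own tooling.

```shell
#!/bin/sh
# Added example, not from the mailing list: show why a pinned CA lets a client
# distinguish the real RADIUS server from a rogue AP's look-alike certificate.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# 1. The CA that would be deployed with the WiFi profile (constructed name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout ca.key -out ca.pem -subj "/CN=Lab FreeRADIUS CA" 2>/dev/null

# 2. The legitimate RADIUS server certificate, issued by that CA.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=radius.lab.example" 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.pem -days 1 2>/dev/null

# 3. A rogue AP's server certificate: same CN, but self-signed, so it does
#    not chain to the CA the clients trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout rogue.key -out rogue.pem -subj "/CN=radius.lab.example" 2>/dev/null

# verify_against_ca CA_FILE CERT_FILE
# Exit status 0 when CERT_FILE chains to CA_FILE, non-zero otherwise.
# This is the trust decision a supplicant makes during the EAP TLS handshake.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT_FILE: print the subject, to show that the rogue
# certificate's name is indistinguishable from the real one.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

echo "server subject: $(cert_subject server.pem)"
echo "rogue  subject: $(cert_subject rogue.pem)"
if verify_against_ca ca.pem server.pem; then
  echo "server.pem: accepted (chains to the pinned CA)"
else
  echo "server.pem: rejected"
fi
if verify_against_ca ca.pem rogue.pem; then
  echo "rogue.pem: accepted"
else
  echo "rogue.pem: rejected (same CN, but not issued by the pinned CA)"
fi
```

Two caveats follow from the output. The CA match is only as selective as the CA: if the trusted CA issues certificates for anything else, those would validate too, so a dedicated CA for the RADIUS server is what makes the pin meaningful. And the profile should also restrict the expected server name (Windows calls this "Connect to these servers"), because chain validation alone does not tie the certificate to one particular server.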

