[EXTERNAL] Re: [EXT] Re: Machine authentication with client certificate to Samba DC

Tim ODriscoll tim.odriscoll at lambrookschool.co.uk
Thu Mar 30 14:41:08 UTC 2023

Brian Julin wrote:
> The RADIUS server sends a certificate that is signed by a CA.
> The OS checks that it trusts certificates signed by the CA before sending a password.

Thank you - I had forgotten that part over the last few days of reading!

> Be sure to check the CN/DN "domain"... if the client has an option to see if the CN/DN "contains" a string, that is not good enough as an attacker could do yourdomain.hisdomain.tld.  We rely on the CA not to issue fishy sounding certificates and only issue certificates to authorized domain owners here, unless we run our own CA, and put the root for that CA in the trust store on all our client devices.

I set up my own CA on the FR server and now I will deploy that to the clients (Win11) via GPO. I wasn't doing the CA deployment before, so all devices would throw up an 'are you sure' message before connecting. The WiFi GPO has a drop-down box from which I have chosen the "tell the user if the server's identity can't be verified" option, and an option for specifying which server name to expect. It would be nice to also make the screen go red or something!

Thank you,
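One way to check, on a single Win11 test client, that the deployed settings actually do what this thread recommends (private CA trusted machine-wide, an exact server name configured rather than a "contains" style match, and only the intended root pinned in the wireless profile). This is an added example and not code from the original thread or from the FreeRADIUS project; the CA file path `C:\Deploy\school-ca.cer`, the expected RADIUS server name `radius.example.internal` and the profile name `School-WiFi` are assumptions to be replaced with the real values. It must run in an elevated PowerShell session because it writes to the LocalMachine Root store.

```powershell
# Added example (not from the original thread). Assumed values, replace with your own:
$CaCertPath      = 'C:\Deploy\school-ca.cer'        # CA cert exported from the FreeRADIUS server
$ExpectedServers = @('radius.example.internal')     # exact CN/SAN the RADIUS server presents
$ProfileName     = 'School-WiFi'                    # wireless profile pushed by the WiFi GPO

function Test-ExactServerName {
    param([string]$ConfiguredList, [string[]]$Expected)
    # Windows stores several names separated by ';'. Every configured name must equal
    # one of the expected names outright; a substring test would also accept
    # 'radius.example.internal.attacker.tld', which is the trap Brian warns about.
    $configured = $ConfiguredList -split ';' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
    if (-not $configured) { return $false }
    $expectedLower = $Expected | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($name in $configured) {
        if ($expectedLower -notcontains $name) { return $false }
    }
    return $true
}

# 1. Trust the private CA machine-wide. The GPO does this for the fleet; doing it here by
#    hand on one test client lets us compare the stored thumbprint with the profile below.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted CA: $($ca.Subject)  thumbprint $($ca.Thumbprint)"

# 2. Export the wireless profile as applied and read its EAP settings.
$exportDir = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$ProfileName' was not exported; is it present on this client?" }
[xml]$profile = Get-Content -Path $xmlFile.FullName

# The EAP method's ServerValidation block lives in a method-specific XML namespace
# (PEAP or EAP-TLS), so locate it by local name instead of a fixed prefix.
$sv = $profile.SelectSingleNode("//*[local-name()='ServerValidation']")
if (-not $sv) { throw "No ServerValidation element: the client is not checking the RADIUS server at all." }

$serverNames = $sv.SelectSingleNode("*[local-name()='ServerNames']")
$promptFlag  = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
$pinnedRoots = $sv.SelectNodes("*[local-name()='TrustedRootCA']") |
    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }

$findings = @()

# 3a. Exact server name, not empty and not a "contains"-style partial.
if (-not $serverNames -or -not (Test-ExactServerName -ConfiguredList $serverNames.InnerText -Expected $ExpectedServers)) {
    $findings += "ServerNames is '$($serverNames.InnerText)'; expected exactly: $($ExpectedServers -join ';')"
}

# 3b. Only our CA should be pinned; an empty list means any root in the store is accepted.
if (-not $pinnedRoots) {
    $findings += 'No TrustedRootCA pinned: any CA in the machine Root store would be accepted.'
} elseif (($pinnedRoots | Where-Object { $_ -ne $ca.Thumbprint }).Count -gt 0) {
    $findings += "Pinned root(s) $($pinnedRoots -join ', ') do not all match our CA $($ca.Thumbprint)."
}

# 3c. Report whether the user can still click through a failed validation. The GPO
#     drop-down maps onto this and related flags; the value here is what is on disk.
if ($promptFlag) {
    Write-Host "DisableUserPromptForServerValidation = $($promptFlag.InnerText)"
} else {
    $findings += 'DisableUserPromptForServerValidation is absent from the profile.'
}

if ($findings) {
    Write-Warning "Profile '$ProfileName' needs attention:"
    $findings | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "Profile '$ProfileName' pins our CA and requires an exact server name match." -ForegroundColor Green
}
```

Run this on a freshly domain-joined test device after `gpupdate /force`; if it reports findings, the fix belongs in the WiFi GPO, not on the client, so that every device receives the same pinned CA and exact server name.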

More information about the Freeradius-Users mailing list