[EXTERNAL] Re: [EXT] Re: Machine authentication with client certificate to Samba DC
Brian Julin
BJulin at clarku.edu
Thu Mar 30 16:09:09 UTC 2023
Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk>:
> I setup my own CA on the FR server and now I will deploy that to the clients (Win11) via GPO. I wasn't doing the CA deployment before, so all devices would
> throw up an 'are you sure' message before connecting. The WiFi GPO has a drop down box from which I have chosen the "tell the user if the server's identity
> can't be verified" option, and an option for specifying which server name to expect. It would be nice to also make the screen go red or something!
I wish we could just do that here but over in .edu we were BYOD before the pointy headed industry armchair quarterbacks even coined the term.
It would probably behoove you to use the full hostname in the CN check. If it is the first non-AD CA on the network, these things have a tendency to eventually become the institutional CA for other purposes, and eventually you want to issue certificates to a subdepartment, and a bunch of certificates start flying around all of which bear your domain, so you're back to potential evil twins, this time from internal threat vectors.
More information about the Freeradius-Users
mailing list