Authenticate with machine account and without ntlm_auth
Alexey D. Filimonov
alexey at filimonic.net
Tue Nov 19 11:55:09 UTC 2024
Addition: Set up AD Certificate Services to issue certificates to
domain-joined computers. Configure AD CS to publish CRLs to HTTP instead
of LDAP. Create a certificate template with special EKUs:
1.3.6.1.5.5.7.3.14 (EAPoL) and 1.3.6.1.5.5.7.3.2 (Client auth). Use the
EAPoL EKU in the WLAN Group Policy to configure certificate selection for
EAP-TLS. Configure automatic enrollment of those certificates for the
"Domain Computers" group.
Also, it looks easier to set up Microsoft NPS as the RADIUS server if
most of your clients are Windows, as you need EAP-TLS for computers and
PEAP-MSCHAPv2 for unmanaged devices. PEAP is quite difficult to set up
and manage with FreeRADIUS, IMO.
A recommended book on PKI, CAs and enterprise wireless is
"Windows Server 2008 PKI and Certificate Security" by Brian Komar. It's
quite old, but most of it is still relevant in 2024. It can be found
in online shops or on torrents.
On 2024-11-19 14:32, Alexey D. Filimonov wrote:
> On 2024-11-18 17:48, Rodrigo Antunes via Freeradius-Users wrote:
>> Does someone know how to obtain the machine account password or
>> NT password from a Windows machine account?
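As an added example (not code from the original post or from the list), the following PowerShell snippet checks what the message above asks for on the client side: that a domain-joined computer actually holds a machine certificate carrying both the EAPoL EKU (1.3.6.1.5.5.7.3.14) and the Client Authentication EKU (1.3.6.1.5.5.7.3.2), that the private key is present, and that every CRL distribution point in the certificate is an HTTP URL rather than an LDAP one. Only built-in .NET X509 classes and the Cert: drive are used; the function name Test-EapTlsCertificate is an assumption of this example.

```powershell
# Added example, not from the original post. Verifies that a machine
# certificate in the local computer's personal store is usable for
# EAP-TLS as described in the thread: both required EKUs, a private key,
# and CRL distribution points published over HTTP instead of LDAP.

$EapOverLanOid = '1.3.6.1.5.5.7.3.14'   # id-kp-eapOverLAN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
$CdpOid        = '2.5.29.31'            # CRL Distribution Points extension

function Test-EapTlsCertificate {
    # Hypothetical helper name chosen for this example.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Collect EKU OIDs from the Enhanced Key Usage extension (if any).
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Format($true) renders the CDP extension as text with one "URL=<uri>"
    # per distribution point; LDAP points show up as "URL=ldap:///...".
    $cdpUrls = @()
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if ($cdp) {
        $cdpUrls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $nonHttp = @($cdpUrls | Where-Object { $_ -notmatch '^https?://' })

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        HasPrivateKey = $Certificate.HasPrivateKey
        HasEapOverLan = ($ekus -contains $EapOverLanOid)
        HasClientAuth = ($ekus -contains $ClientAuthOid)
        CdpUrls       = $cdpUrls
        CdpAllHttp    = ($cdpUrls.Count -gt 0) -and ($nonHttp.Count -eq 0)
    }
}

# Report every certificate in the machine store that carries both EKUs,
# then eyeball CdpAllHttp and HasPrivateKey before pointing the WLAN GPO
# at the EAPoL EKU for certificate selection.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ } |
    Where-Object { $_.HasEapOverLan -and $_.HasClientAuth } |
    Format-List
```

Run it in an elevated PowerShell on a domain-joined client after group policy has applied autoenrollment; an empty result means the template's EKUs or the autoenrollment permissions for Domain Computers are not what the thread describes, and CdpAllHttp = False means the CA is still publishing CRLs only to LDAP, which non-domain RADIUS servers such as FreeRADIUS cannot follow.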