Authenticate with machine account and without ntlm_auth
Alan DeKok
aland at deployingradius.com
Tue Nov 19 12:34:45 UTC 2024
On Nov 19, 2024, at 6:55 AM, Alexey D. Filimonov <alexey at filimonic.net> wrote:
> Addition: Set up AD Certification Services to issue certificates to domain-joined computers. Configure AD CS to publish CRLs to HTTP instead of LDAP. Create a certificate template with special EKUs: 1.3.6.1.5.5.7.3.14 (EAPoL) and 1.3.6.1.5.5.7.3.2 (Client auth). Use the EAPoL EKU in the WLAN Group Policy to configure certificate selection for EAP-TLS. Configure automatic enrollment of those certificates for the "Domain Computers" group.
The scripts and configuration files in raddb/certs will automatically add those EKUs.
> Also, it looks easier to set up Microsoft NPS as the RADIUS server if most of your clients are Windows, as you need EAP-TLS for computers and PEAP-MSCHAPv2 for unmanaged devices. PEAP is quite difficult to set up and manage with FreeRADIUS, IMO.
Why?
a) check that username / password authentication works as per docs in sites-enabled/inner-tunnel
b) add certs to EAP
c) PEAP works.
The hardest part about it is reading the documentation.
Alan DeKok.
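The three checks from the reply above, as a script added here for illustration. It is not code from Alan DeKok or the FreeRADIUS project. It assumes (none of this is stated in the thread) a FreeRADIUS server on localhost with the default shared secret "testing123", the inner-tunnel virtual server listening on 127.0.0.1:18120 as in the stock sites-enabled/inner-tunnel, certificates produced by the scripts in raddb/certs (ca.pem, client.pem), and radtest, openssl and eapol_test (from wpa_supplicant) on the PATH.

```shell
#!/bin/sh
# Added example for this thread, not code from the FreeRADIUS project.
#   a) password auth straight against inner-tunnel (no EAP involved)
#   b) the client certificate carries the EKUs the Windows supplicant wants
#   c) a full PEAP-MSCHAPv2 exchange driven by eapol_test
# Assumed environment: localhost server, secret "testing123",
# inner-tunnel on 127.0.0.1:18120, certs from raddb/certs.

RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"
CERT_DIR="${CERT_DIR:-/etc/raddb/certs}"

# (a) A PAP request to the inner-tunnel listener proves the user database
#     works before any certificate or TLS handshake is in the picture.
check_inner_tunnel() {
    radtest "$1" "$2" 127.0.0.1:18120 0 "$RADIUS_SECRET" | grep -q 'Access-Accept'
}

# (b) Read an EKU listing on stdin, as printed by
#     `openssl x509 -noout -ext extendedKeyUsage -in cert.pem`, and report
#     whether the client-auth EKU 1.3.6.1.5.5.7.3.2 is present.
#     Older OpenSSL prints the dotted OID, newer prints the name: match both.
eku_has_client_auth() {
    grep -Eq 'TLS Web Client Authentication|1\.3\.6\.1\.5\.5\.7\.3\.2([^.0-9]|$)'
}

# Same check for the EAPoL EKU 1.3.6.1.5.5.7.3.14 from the quoted message.
# Only the dotted form is matched; extend the pattern if your OpenSSL
# build prints a symbolic name for this OID.
eku_has_eapol() {
    grep -Eq '1\.3\.6\.1\.5\.5\.7\.3\.14([^.0-9]|$)'
}

check_cert_eku() {
    openssl x509 -noout -ext extendedKeyUsage -in "$1" | eku_has_client_auth
}

# (c) wpa_supplicant-style network block for eapol_test: PEAP outer method,
#     MSCHAPv2 inner method, server certificate validated against the CA.
#     Arguments: output file, identity, password, CA certificate path.
write_peap_conf() {
    cat > "$1" <<EOF
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="$2"
    password="$3"
    ca_cert="$4"
    phase2="auth=MSCHAPV2"
}
EOF
}

# eapol_test prints SUCCESS on its own line when the whole exchange,
# including the inner MSCHAPv2 round, is accepted.
run_peap() {
    eapol_test -c "$1" -a "$RADIUS_HOST" -p 1812 -s "$RADIUS_SECRET" | grep -q '^SUCCESS'
}

main() {
    check_inner_tunnel "$1" "$2" && echo "a) inner-tunnel password auth: OK"
    check_cert_eku "$CERT_DIR/client.pem" && echo "b) client cert has client-auth EKU: OK"
    conf=$(mktemp) && write_peap_conf "$conf" "$1" "$2" "$CERT_DIR/ca.pem"
    run_peap "$conf" && echo "c) PEAP-MSCHAPv2 via eapol_test: OK"
    rm -f "$conf"
}

# Usage: sh peap-check.sh <username> <password>
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run the three steps in order: if (a) fails, no amount of certificate work will make PEAP pass, because the inner tunnel is where the password is actually checked; if (c) fails after (a) and (b) succeed, the remaining suspects are the TLS side (CA trust on the supplicant, server certificate name) rather than the user database.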
More information about the Freeradius-Users mailing list