Authenticate with machine account and without ntlm_auth
Alexey D. Filimonov
alexey at filimonic.net
Tue Nov 19 12:52:54 UTC 2024
> The scripts and configuration files in raddb/certs will automatically
> add those EKUs.
But this requires manual certificate installation if using raddb/certs.
On the other hand, there is an AD-integrated CA from MS where computers can
securely issue and update their certificates automatically.
> Why?
I'm now switching half of the computer park from Windows to Linux, from AD
to FreeIPA and from NPS to FreeRADIUS, so this is my personal mention
based on my personal experience.
Comparing NPS to FreeRADIUS: in NPS everything about inner tunnels is
hidden, checks against AD are done transparently to the admin, nice UI, good
documentation. NPS is less customizable, limited to only things that are
supported by MS, and requires CALs for each client device or employee.
FreeRADIUS 3.x is poorly documented (in comparison to MS NPS) and
requires a different entry threshold.
For a 99%-Windows enterprise company, NPS+ADCS allows using fewer and
cheaper IT staff to run it, so I'd prefer NPS+ADCS for a Windows-only
computer park with my current experience.
On 2024-11-19 15:34, Alan DeKok wrote:
> On Nov 19, 2024, at 6:55 AM, Alexey D. Filimonov <alexey at filimonic.net> wrote:
>> Addition: Set up AD Certification Services to issue certificates to domain-joined computer. Configure AD CS to publish CRLs to HTTP instead of LDAP. Create a certificate template with special EKUs: 1.3.6.1.5.5.7.3.14 (EAPoL) and 1.3.6.1.5.5.7.3.2 (Client auth). Use EAPoL EKU in WLAN Group policy to configure certificate selection for EAP-TLS. Configure automatic enroll of those certificates to "domain computers" group.
> The scripts and configuration files in raddb/certs will automatically add those EKUs.
>
>> Also it looks like easier to setup Microsoft NPS as RADIUS if most of your clients are Windows. As you need EAP-TLS for computers and PEAP-MSCHAPv2 for unmanaged devices. PEAP is quite difficult to setup and manage with FreeRADIUS, IMO.
> Why?
>
> a) check that username / password authentication works as per docs in sites-enabled/inner-tunnel
>
> b) add certs to EAP
>
> c) PEAP works.
>
> The hardest part about it is reading the documentation.
>
> Alan DeKok.
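The certificate template described in the thread (EAPoL and Client Authentication EKUs, CRLs published over HTTP) can be verified on an issued machine certificate before pointing a non-Windows RADIUS server at it. This is an added example, not code from the thread or from the FreeRADIUS project; it assumes only the openssl CLI (1.1.1 or newer for `-addext`), and every hostname and URL in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that a machine certificate is usable
# for EAP-TLS the way the post describes: it carries the EAPoL EKU (1.3.6.1.5.5.7.3.14)
# and the Client Authentication EKU (1.3.6.1.5.5.7.3.2), and its CRL is published over
# HTTP so the RADIUS host can fetch it for ca_path/check_crl instead of relying on LDAP.
# Requires the openssl CLI (1.1.1+ for -addext). Hostnames below are constructed.

# Returns 0 when all checks pass, 1 on a template problem, 2 if the file is not a cert.
check_eap_client_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2

    # The EKU list is printed on the line after the extension header.
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    case "$eku" in
        *1.3.6.1.5.5.7.3.14*) ;;               # OpenSSL has no short name for EAPoL
        *) echo "missing EAPoL EKU 1.3.6.1.5.5.7.3.14"; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;   # how OpenSSL prints 1.3.6.1.5.5.7.3.2
        *) echo "missing Client Authentication EKU 1.3.6.1.5.5.7.3.2"; return 1 ;;
    esac

    # Collect URIs inside the CRL Distribution Points block only (AIA URIs are ignored).
    # Extension headers are indented 12 spaces; anything indented that little ends the block.
    cdp=$(printf '%s\n' "$text" | awk '
        /X509v3 CRL Distribution Points/ { f = 1; next }
        f { s = $0; sub(/^ */, "", s); if (s != "" && length($0) - length(s) <= 12) f = 0 }
        f && /URI:/ { print }')
    case "$cdp" in
        *URI:http://*) return 0 ;;
        *) echo "no HTTP CRL distribution point (got: ${cdp:-none})"; return 1 ;;
    esac
}

# Constructed sample generator: self-signed cert with the given EKU list and CDP URI,
# standing in for what an AD CS template would issue. $1 = output PEM, $2 = EKU list, $3 = URI
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=pc01.example.test" \
        -addext "extendedKeyUsage=$2" \
        -addext "crlDistributionPoints=URI:$3" >/dev/null 2>&1
}
```

Run `check_eap_client_cert machine.pem` against a certificate exported from a domain-joined machine; a non-zero exit names the first template setting from the thread that is missing.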