Authenticate with machine account and without ntlm_auth

Alan DeKok aland at deployingradius.com
Tue Nov 19 13:17:30 UTC 2024


On Nov 19, 2024, at 7:52 AM, Alexey D. Filimonov <alexey at filimonic.net> wrote:
> 
> > The scripts and configuration files in raddb/certs will automatically add those EKUs.
> 
> But this requires manual certificate installation if using raddb/certs. On the other side, there is an AD-integrated CA from MS where computers can securely issue and update their certificates automatically.

  Yeah, that's what I thought.  The issue isn't FreeRADIUS, the issue is configuring the clients.

  While that's a hard problem, it's a problem caused by Microsoft.  Which means that it's misleading to say that *FreeRADIUS* is hard to configure.

> > Why?
> 
> Now switching half of the computer park from Windows to Linux, from AD to FreeIPA and from NPS to FreeRADIUS. So this is my personal mention based on my personal experience.
> Comparing NPS to FreeRADIUS - in NPS everything about inner tunnels is hidden, checks against AD are done transparently to the admin, nice UI, good documentation. NPS is less customizable, limited to only things that are supported by MS and requires CALs for each client device or employee.
> FreeRADIUS 3.x is poorly documented (in comparison to MS NPS) and requires a different entry threshold.

  I've been saying this for 20+ years: IF YOU THINK THE DOCUMENTATION IS NOT GOOD ENOUGH, THEN SUBMIT PATCHES TO ADD MORE DOCUMENTATION.

  But that doesn't work.  My experience is that for every 999 people complaining about how bad the documentation is, perhaps one person will actually contribute anything.  In fact, the people who complain the most tend to have religious objections to contributing anything.  But they also have a sense of entitlement which demands that they complain about something they got for free.

  So forgive me if I'm not sympathetic to your argument.  Complaining and not contributing doesn't make me inclined to work hard to keep you happy.  Rather the reverse, in fact.

  On top of all of that, Microsoft has literally billions of dollars to spend on software development.  Which is a *little* bit more than we have.

  So this kind of comparison is, at best, facetious.  Perhaps more truthfully dishonest.  You're comparing free software which depends on community contributions to paid software written by dozens of people with full-time jobs.

  Even with all of that, the only thing that NPS does better than FreeRADIUS is the simple / trivial use-case.  If you can click a GUI, you can configure NPS.  And, because Microsoft owns the entire ecosystem, it can integrate NPS configuration with Active Directory, and with the clients.

> For 99%-Windows enterprise company, NPS+ADCS allows to use less and cheaper IT staff to run, so I'd prefer NPS+ADCS for Windows-Only computer park with my current experience.

  That's nice.  So why are you here?  Do you expect that people will be happy when you dump on FreeRADIUS, without contributing anything?

  Alan DeKok.
