On 10/15/2011 2:46, Phil Mayers wrote:
On 10/15/2011 03:17 AM, Christ Schlacta wrote:
I've got a handful of Windows clients. I'm most concerned about the
Windows 7 machines, but there are a few Vista, and even an XP client. I
want to deploy "Machine account certificates" for wifi authentication,
so machines will be able to connect to the network BEFORE the user logs
on (mainly for accessing remote shares), but only some of these machines
are connected to the local DOMAIN (Samba 3, not overly relevant I don't
Pre-logon auth has proven troublesome for other people, if the clients
aren't full domain members. You may find this tricky to get working.
As for the certs - I assume you have a working certificate for a
domain member? Extract it, and examine the cert CAREFULLY, including
all extension OIDs. Ensure the ones you're generating for the
non-domain members have exactly the same attributes (except CN of
course).
You're right that it's off-topic, but what's really tragic is that
Microsoft don't a) document and b) provide troubleshooting tools for
their supplicant behaviour. It's a key bit of network AAA
infrastructure, and it's damn inscrutable. Most of the other forums
around the internet, including Microsoft's own, contain ill-informed
nonsense. I'm wondering if we should have a "8021x-client-admins"
forum somewhere...
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
I can get it working for neither domain members nor non-domain members.
As I'm using a Samba 3 domain, I've got no mechanism to deploy
certificates in a way Windows is expecting, nor can I identify any
sufficient documentation to do so.
If anyone on list DOES have working certs for domain members, I'd much
appreciate if you could post as much info as you can without
compromising security.
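
[Added example, not part of the original thread and not code from either poster.] One way to carry out the comparison suggested in the quoted advice (check that a generated certificate carries the same extension OIDs as a known-good one) is to walk the DER structure and diff the extensions. The function names and the two sample byte strings are assumptions made for this illustration; the samples are constructed skeletons, not real machine certificates, and the OIDs in them say nothing about what the Windows supplicant requires.

```python
def tlvs(buf):
    """Yield (tag, content) for each DER element in buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, v = [], 0
    for byte in content:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(v)
            v = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extensions(cert_der):
    """Return {extension OID: (critical, hex of extnValue)} for a DER certificate."""
    tbs = next(tlvs(next(tlvs(cert_der))[1]))[1]  # Certificate -> tbsCertificate
    found = {}
    for tag, body in tlvs(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in tlvs(next(tlvs(body))[1]):
                parts = list(tlvs(ext))  # OID, optional BOOLEAN critical, OCTET STRING
                critical = len(parts) == 3 and parts[1][1] != b"\x00"
                found[oid(parts[0][1])] = (critical, parts[-1][1].hex())
    return found

def diff_extensions(reference, candidate):
    """Report how the candidate's extensions deviate from the reference certificate's."""
    ref, cand = extensions(reference), extensions(candidate)
    report = [f"missing {o}" for o in ref.keys() - cand.keys()]
    report += [f"extra {o}" for o in cand.keys() - ref.keys()]
    report += [f"differs {o}: {ref[o]} != {cand[o]}" for o in ref.keys() & cand.keys() if ref[o] != cand[o]]
    return sorted(report)

# Constructed sample input: unsigned certificate skeletons (version, serial, extensions only).
REFERENCE = bytes.fromhex("30433041a003020102020101a3373035" "300e0603551d0f0101ff0404030205a0"
                          "30130603551d25040c300a06082b06010505070302"
                          "300e0603551d11040730058203706331")
CANDIDATE = bytes.fromhex("3030302ea003020102020101a3243022" "300b0603551d0f0404030205a0"
                          "30130603551d25040c300a06082b06010505070302")
```

A PEM (base64) export can be converted to DER first with ssl.PEM_cert_to_DER_cert() from the Python standard library. An empty list from diff_extensions() means the extension sets match in OID, criticality and raw value.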