Hi, I think I need some more help with my config. It is working ok for my machine cert based authentication, but only if I put the name of the machine in a file on the radius server. Here is my config snippet:
    <AuthBy FILE>
        Identifier TLS
        Filename %D/tls_anon
        EAPType TLS
        EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
        EAPTLS_CertificateFile /app/radius/keys/agate1.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
        EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>

    <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
        AuthByPolicy ContinueAlways
        RewriteUsername s/^host\///
        AuthBy TLS
    </Handler>

and %D/tls_anon contains:

    CIT-JV11GTEST2.cit.cornell.edu

I would like to avoid having to maintain all the machine names on the radius server. I would prefer to do some sort of NTLM auth that would read the machine cert and then check to see if the machine is in a certain group. I tried using <AuthBy NTLM> but that really broke everything... I do have NTLM working for username/pw based authn, but I need to do that AND machine based... I'd appreciate a hint.

Thanks-
Joy

On 11/10/11 5:21 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
>
>> Is it possible for the radiator server to do machine-based authentication (via certificate) to an Active Directory domain?
>
> You may want to check if they really mean certificates, since machine based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the machine joins the domain, a password and username are automatically created and these can be used for machine based authentication. This is also supported by Radiator by default.
>
>> I have MSCHAPv2 working to our AD domain with username/password, but now someone is asking about machine-based authentication. They are currently doing this with an MS radius server and would like to switch to our centrally managed radius server and central AD system. I know that we would have to issue a new cert to the machine from the central AD domain... but I'm not finding much about how to set up radiator in my on-line research so far.
>
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra checks for certs besides just checking if the cert is valid or not.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator