[Samba] samba AD trusted certificate for RADIUS server (MS PKI, for example AD CS)

mj lists at merit.unu.edu
Tue Nov 10 10:51:42 UTC 2020


We are running a 3-DC Samba AD domain, and use 802.1x authentication for 
the Win10 workstations to access the wired network.

We are facing the issue where, following Windows updates, our Windows 
clients keep changing the 802.1x settings back to the Windows default, 
namely: to verify the server identity and do computer authentication only.

The latter is no problem, but the first one (verify server identity) 
breaks the config, as our RADIUS server does not run with a certificate 
that is trusted by our domain-joined Win10 clients.

It was suggested to us to issue a trusted certificate to our 802.1x 
RADIUS server, for example from an MS PKI, for example AD CS.

This is new territory for us. Therefore I'm asking here: did anyone 
happen to keep notes for a configuration like that?

Perhaps we are not the only ones who want to secure a RADIUS server 
with an AD-trusted certificate?

Searching the Samba archives does not help much.


