[Samba] samba AD trusted certificate for RADIUS server (MS PKI, for example AD CS)

Kacper Wirski kacper.wirski at gmail.com
Tue Nov 10 11:45:10 UTC 2020

Setting up PKI from scratch is a pretty big task on its own. Since 
you're asking about Microsoft tools I'm pretty certain there is a ton of 
documentation on official Microsoft sites.

The simplest (depending on your particular scenario - desirable or 
absolutely not) solution is to create in your AD a GPO which will 
distribute the certificate used by RADIUS as trusted CA (if it's self 
signed) or distribute the whole chain that signed this certificate as 
trusted to your Windows workstations.

I'm not saying it's the best way, as scenarios vary a lot, but it would 
probably be a step up and solve your direct issue.

I myself am using EJBCA community edition as PKI, and I just distribute 
my root CA and all intermediates via GPO to workstations and I have no 
problems with Windows 10 verifying server identity. As a side note - when 
configuring 802.1x with server identity verification you have a list of 
"known" CAs to be used as "trusted" - tick only the checkbox of the CA that 
actually issued the certificate for your RADIUS server, not all.

It's probably much easier with a Microsoft PKI setup, but I can't comment 
on it, as I never touched it.



On 10.11.2020 at 11:51, mj via samba wrote:
> Hi,
> We are running a 3 DC samba AD domain, and use 802.1x authentication 
> for the win10 workstations to access the wired network.
> We are facing the issue where, following windows updates, our windows 
> clients keep changing back the 802.1x settings to the windows default, 
> namely: to verify the server identity and do computer authentication 
> only.
> The latter is no problem, but the first one (verify server identity) 
> breaks the config, as our radius server does not run with a 
> certificate that is trusted by our domain joined win10 clients.
> It was suggested to us to issue a trusted certificate to our 802.1x 
> radius server, for example from an MS PKI, for example AD CS.
> This is new territory for us. Therefore I'm asking here: did anyone 
> happen to keep notes for a configuration like that?
> Perhaps we are not the only ones who want to secure a radius server 
> with an AD trusted certificate?
> Searching the samba archives does not help much.
> Thanks!
> MJ
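The GPO-distributed chain described above can be tested on a single workstation before rolling it out domain-wide. The following PowerShell script is an added example and is not from the original thread or from Samba; it assumes the RADIUS server's certificate and its CA chain have been exported to the placeholder paths under C:\certs\, that the script runs elevated on a domain-joined Windows 10 machine, and that the CA is not self-signed (for a self-signed RADIUS certificate, import that certificate itself into the Root store instead). It imports the root and intermediate into the machine stores (the same stores a GPO under Public Key Policies populates), builds the chain the way the 802.1X supplicant does, and prints the root CA that the profile's "Trusted Root Certification Authorities" checkbox should point at. It goes one step beyond the reply by also checking that the RADIUS certificate carries the Server Authentication EKU, which Windows requires before it will accept the server identity.

```powershell
# Added example (not part of the original thread). Placeholder paths below
# are assumptions; adjust them to wherever the certificates were exported.
param(
    [string]$RadiusCertPath     = 'C:\certs\radius.cer',
    [string]$RootCaPath         = 'C:\certs\root-ca.cer',
    [string]$IntermediateCaPath = 'C:\certs\intermediate-ca.cer'
)

# Step 1: import the CA chain into the machine stores. A GPO under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies (Trusted Root / Intermediate Certification Authorities)
# fills exactly these stores on every domain workstation; importing locally
# lets you validate on one machine before linking the GPO.
Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $IntermediateCaPath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Step 2: load the RADIUS server certificate and check the Server Authentication
# EKU (1.3.6.1.5.5.7.3.1). Without it the Windows supplicant rejects the server
# even when the chain is trusted.
$radiusCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RadiusCertPath
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuExt = $radiusCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($ekuExt) {
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}
if (-not $hasServerAuth) {
    Write-Warning "RADIUS certificate lacks the Server Authentication EKU; Windows 802.1x clients will reject it."
}

# Step 3: build the chain against the machine store, as the supplicant does.
# Revocation checking is disabled here so the test also works when the CRL
# distribution point is not reachable from the workstation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($radiusCert)

if ($chainOk) {
    # The last element is the root; this is the single CA to tick in the
    # 802.1x profile's trusted root list, not every CA the machine knows.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Chain OK. Tick this root in the 802.1x profile: $($root.Subject)"
    Write-Output "Root thumbprint: $($root.Thumbprint)"
    Write-Output "Full chain:"
    foreach ($element in $chain.ChainElements) {
        Write-Output "  $($element.Certificate.Subject)"
    }
} else {
    Write-Output "Chain build FAILED for $($radiusCert.Subject):"
    foreach ($status in $chain.ChainStatus) {
        Write-Output "  $($status.Status): $($status.StatusInformation.Trim())"
    }
}
```

If the chain fails with UntrustedRoot after the GPO has been linked, run gpupdate /force and re-check Cert:\LocalMachine\Root; if it fails with PartialChain, the intermediate did not land in Cert:\LocalMachine\CA (or the RADIUS server does not send it in the EAP exchange).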

