[Samba] samba AD trusted certificate for RADIUS server (MS PKI, for example AD CS)
Kacper Wirski
kacper.wirski at gmail.com
Tue Nov 10 11:45:10 UTC 2020
Setting up PKI from scratch is a pretty big task on its own. Since
you're asking about Microsoft tools I'm pretty certain there is a ton of
documentation on official Microsoft sites.
The simplest (depending on your particular scenario - desirable or
absolutely not) solution is to create in your AD a GPO which will
distribute the certificate used by RADIUS as a trusted CA (if it's
self-signed) or distribute the whole chain that signed this certificate as
trusted to your Windows workstations.
I'm not saying it's the best way, as scenarios vary a lot, but it would
probably be a step up and solve your direct issue.
I myself am using EJBCA community edition as PKI, and I just distribute
my root CA and all intermediates via GPO to workstations and I have no
problems with Windows 10 verifying server identity. As a sidenote - when
configuring 802.1x with server identity verification you have a list of
"known" CAs to be used as "trusted" - tick only the checkbox of the CA that
actually issued the certificate for your RADIUS server, not all.
It's probably much easier with a Microsoft PKI setup, but I can't comment
on it, as I never touched it.
Regards,
Kacper
On 10.11.2020 at 11:51, mj via samba wrote:
> Hi,
>
> We are running a 3 DC samba AD domain, and use 802.1x authentication
> for the win10 workstations to access the wired network.
>
> We are facing the issue where, following windows updates, our windows
> clients keep changing back the 802.1x settings to the windows default,
> namely: to verify the server identity and do computer authentication
> only.
>
> The latter is no problem, but the first one (verify server identity)
> breaks the config, as our radius server does not run with a
> certificate that is trusted by our domain joined win10 clients.
>
> It was suggested to us to issue a trusted certificate to our 802.1x
> radius server, for example from an MS PKI, for example AD CS.
>
> This is new territory for us. Therefore I'm asking here: did anyone
> happen to keep notes for a configuration like that?
>
> Perhaps we are not the only ones who want to secure a radius server
> with an AD trusted certificate?
>
> Searching the samba archives does not help much.
>
> Thanks!
>
> MJ
>
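Before (or after) pushing anything by GPO, it helps to check on a workstation why "verify the server's identity" fails and which CA the 802.1x profile should trust. The following PowerShell script is an added example, not part of the thread or of Samba; it assumes the RADIUS server's certificate has been exported to `C:\temp\radius.cer` (placeholder path) and builds the chain the way the EAP client does, against the machine's own certificate stores.

```powershell
# Added example (not from the mailing list thread). Checks whether the
# certificate presented by the RADIUS server chains to a CA this
# domain-joined Windows 10 machine trusts, and reports which root CA the
# 802.1x profile should tick and what a GPO still needs to distribute.
param(
    [string]$ServerCertPath = 'C:\temp\radius.cer'   # assumed path of the exported server cert
)

$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCertPath)

# Build the chain against LocalMachine\Root and LocalMachine\CA. Revocation
# checking is disabled because a client doing 802.1x cannot reach a CRL
# before it is on the network, so the EAP client does not rely on it either.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$builds = $chain.Build($serverCert)

Write-Host "Server cert subject : $($serverCert.Subject)"
Write-Host "Issued by           : $($serverCert.Issuer)"
Write-Host "Chain builds        : $builds"

# Element 0 is the server cert, the last element is the highest CA found.
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
    Write-Host ("  {0,-14} {1}  [{2}]" -f $status, $el.Certificate.Subject, $el.Certificate.Thumbprint)
}

$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$isSelfSigned = ($top.Subject -eq $top.Issuer)

if (-not $isSelfSigned) {
    # PartialChain: an intermediate is missing, so distribute the whole chain
    # (intermediates go to "Intermediate Certification Authorities" in the GPO).
    Write-Warning "Chain stops at '$($top.Subject)', which is not a root; intermediates must be distributed too."
} else {
    # This is the CA to tick in the 802.1x "Trusted Root Certification
    # Authorities" list. Deploy it via Computer Configuration > Policies >
    # Windows Settings > Security Settings > Public Key Policies if missing.
    $inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
                   Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    if ($inRootStore) {
        Write-Host "Root CA to tick in the 802.1x profile: $($top.Subject) [$($top.Thumbprint)]"
    } else {
        Write-Warning "Root CA '$($top.Subject)' is not in LocalMachine\Root; push it with the GPO."
    }
}
```

Run it as the machine account's view (an elevated prompt is enough), since the EAP client for computer authentication uses the LocalMachine stores, not the user's.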