mj
2020-Nov-10 10:51 UTC
[Samba] samba AD trusted certificate for RADIUS server (MS PKI, for example AD CS)
Hi,

We are running a 3 DC Samba AD domain, and use 802.1x authentication for the Win10 workstations to access the wired network.

We are facing the issue where, following Windows updates, our Windows clients keep changing the 802.1x settings back to the Windows default, namely: to verify the server identity and do computer authentication only.

The latter is no problem, but the first one (verify server identity) breaks the config, as our RADIUS server does not run with a certificate that is trusted by our domain-joined Win10 clients.

It was suggested to us to issue a trusted certificate to our 802.1x RADIUS server, for example from a MS PKI, for example AD CS.

This is new territory for us. Therefore I'm asking here: did anyone happen to keep notes for a configuration like that?

Perhaps we are not the only ones who want to secure a RADIUS server with an AD-trusted certificate?

Searching the Samba archives does not help much.

Thanks!

MJ
Kacper Wirski
2020-Nov-10 11:45 UTC
[Samba] samba AD trusted certificate for RADIUS server (MS PKI, for example AD CS)
Setting up PKI from scratch is a pretty big task on its own. Since you're asking about Microsoft tools I'm pretty certain there is a ton of documentation on official Microsoft sites.

The simplest (depending on your particular scenario, desirable or absolutely not) solution is to create in your AD a GPO which will distribute the certificate used by RADIUS as a trusted CA (if it's self-signed), or distribute the whole chain that signed this certificate as trusted to your Windows workstations. I'm not saying it's the best way, as scenarios vary a lot, but it would probably be a step up and solve your direct issue.

I myself am using EJBCA community edition as PKI, and I just distribute my root CA and all intermediates via GPO to workstations and I have no problems with Windows 10 verifying server identity.

As a sidenote: when configuring 802.1x with server identity verification you have a list of "known" CAs to be used as "trusted"; tick only the checkbox of the CA that actually issued the certificate for your RADIUS server, not all.

It's probably much easier with a Microsoft PKI setup, but I can't comment on it, as I never touched it.

Regards,
Kacper

On 10.11.2020 at 11:51, mj via samba wrote:
> Hi,
>
> We are running a 3 DC samba AD domain, and use 802.1x authentication
> for the win10 workstations to access the wired network.
>
> We are facing the issue where, following windows updates, our windows
> clients keep changing back the 802.1x settings to the windows default,
> namely: to verify the server identity and do computer authentication
> only.
>
> The latter is no problem, but the first one (verify server identity)
> breaks the config, as our radius server does not run with a
> certificate that is trusted by our domain joined win10 clients.
>
> It was suggested to us to issue a trusted certificate to our 802.1x
> radius server, for example from a MS PKI for example AD CS.
>
> This is new territory for us. Therefore I'm asking here: did anyone
> happen to keep notes for a configuration like that?
>
> Perhaps we are not the only ones, who want to secure a radius server
> with a AD trusted certificate?
>
> Searching the samba archives does not help much.
>
> Thanks!
>
> MJ
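The advice in this thread comes down to two checks on each Windows client: the CA that signed the RADIUS server's EAP certificate must be present in the machine's trusted store (distributed via GPO), and the wired 802.1x profile must reference exactly that CA under "Trusted Root Certification Authorities". The following PowerShell script, an added example that is not part of the mailing-list thread and not Samba or Microsoft code, audits both from a workstation. It assumes it is run elevated on a domain-joined Windows 10 client and that the scratch folder under `$env:TEMP` is acceptable; it exports the wired profiles with `netsh lan export profile`, reads the `TrustedRootCA` thumbprints from the EAP configuration, and reports whether each thumbprint is present in the LocalMachine `Root` or `CA` store.

```powershell
# Added example (not from the thread): audit wired 802.1X profiles against the
# CA certificates a Windows 10 machine actually trusts.
# Assumptions: run elevated on the domain-joined client; $env:TEMP is writable.

$exportDir = Join-Path $env:TEMP 'lan-profiles'   # assumed scratch folder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# netsh writes one XML file per wired (LAN) profile into the folder.
netsh lan export profile folder="$exportDir" | Out-Null

# Thumbprints of every CA certificate the machine trusts (root + intermediate).
# A CA pushed by GPO lands in one of these stores.
$trusted = @{}
foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" | ForEach-Object {
        $trusted[$_.Thumbprint.ToUpper()] = "$store : $($_.Subject)"
    }
}

function Get-ChildText([System.Xml.XmlNode]$node, [string]$name) {
    # Namespace-agnostic lookup so PEAP and EAP-TLS schemas are handled alike.
    $child = $node.SelectSingleNode("*[local-name()='$name']")
    if ($null -ne $child) { $child.InnerText } else { '' }
}

$report = foreach ($file in Get-ChildItem $exportDir -Filter *.xml) {
    [xml]$lanProfile = Get-Content -Raw $file.FullName
    foreach ($sv in $lanProfile.SelectNodes("//*[local-name()='ServerValidation']")) {
        $noPrompt = Get-ChildText $sv 'DisableUserPromptForServerValidation'
        $names    = Get-ChildText $sv 'ServerNames'
        $caNodes  = $sv.SelectNodes("*[local-name()='TrustedRootCA']")
        if ($caNodes.Count -eq 0) {
            # Server validation enabled but no CA ticked: every CA in the store is accepted.
            [pscustomobject]@{ Profile = $file.BaseName; ServerNames = $names
                               NoUserPrompt = $noPrompt; TrustedRootCA = '(none ticked)'
                               PresentOnMachine = $false; Issuer = '' }
            continue
        }
        foreach ($ca in $caNodes) {
            # netsh stores the thumbprint as space-separated hex bytes.
            $thumb = ($ca.InnerText -replace '\s', '').ToUpper()
            [pscustomobject]@{
                Profile          = $file.BaseName
                ServerNames      = $names
                NoUserPrompt     = $noPrompt
                TrustedRootCA    = $thumb
                PresentOnMachine = $trusted.ContainsKey($thumb)
                Issuer           = $trusted[$thumb]
            }
        }
    }
}

$report | Format-Table -AutoSize
Remove-Item $exportDir -Recurse -Force
```

A row with `PresentOnMachine = False` means the profile points at a CA the client does not trust, which is exactly the state that makes "verify the server's identity" fail after an update resets the profile; a row with `(none ticked)` means the client will accept any CA in its store, which is the over-broad setting Kacper warns against. Compare the reported thumbprint with the issuer of the certificate actually installed on the RADIUS server before concluding the configuration is correct.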