
List:       freeradius-users
Subject:    Re: Two different user-names while using computer authentification with client certificate
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2020-01-29 16:01:25
Message-ID: D6919C75-18C0-4FC2-A352-923A0A14AFE7 () deployingradius ! com

On Jan 29, 2020, at 10:32 AM, uj2.hahn@posteo.de wrote:
> I found a setting in Win10 WLAN profile which defines a generic username
> (RadiusClient) which was used for the outer tunnel. The inner tunnel used the
> real hostname (host/DESKTOP-FLOQN5Q). Once I cleared the RadiusClient field
> both tunnels reported the real hostname.

  That's good.

> The plan is to set up some school-owned Win10 clients (as opposed to private
> devices) in a way they can connect to WLAN automatically w/o user/passwd
> setting. This is already working with user-based authentication and client
> certs.

  OK.

> As an alternative way I would like to try host-based authentication. This
> would probably work when I add each hostname to AD, which is a lot of work. Do
> you think there is a way to use the anonymous outer identity name
> (RadiusClient) for authorization? In that case each of these clients can have
> the same anonymous outer identity name. This would minimize maintenance for
> new devices.

  The outer name can be anonymous, and can be the same for many machines.  The
rest of the RADIUS packet contains MAC addresses, which lets you distinguish
between machines, if you need that.

  Alan DeKok.
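
An added example, not part of the original message and not FreeRADIUS code: a small RFC 2865 attribute parser showing two Access-Requests that share the outer User-Name "RadiusClient" but remain distinguishable by Calling-Station-Id (attribute 31). The packets and MAC addresses are constructed; the MAC only tells machines apart, the client certificate remains the credential.

```python
import re
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # RFC 2865 attribute type numbers

def build_access_request(ident, attrs):
    """Build a constructed Access-Request (code 1) used as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: [values]}, rejecting malformed packet/attribute lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def normalize_mac(raw):
    """Canonicalise a MAC; NAS vendors differ in separators and case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw.decode("ascii", "replace"))
    if len(digits) != 12:
        raise ValueError("Calling-Station-Id is not a MAC address")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def machine_key(packet):
    """Return (outer identity, normalised MAC) for one Access-Request."""
    attrs = parse_attributes(packet)
    if USER_NAME not in attrs or CALLING_STATION_ID not in attrs:
        raise ValueError("missing User-Name or Calling-Station-Id")
    return (attrs[USER_NAME][0].decode("utf-8", "replace"),
            normalize_mac(attrs[CALLING_STATION_ID][0]))

# Constructed samples: same anonymous outer identity, two different machines.
PKT_A = build_access_request(1, [(1, b"RadiusClient"), (31, b"00-11-22-AA-BB-01")])
PKT_B = build_access_request(2, [(1, b"RadiusClient"), (31, b"0011.22aa.bb02")])

if __name__ == "__main__":
    for pkt in (PKT_A, PKT_B):
        print(machine_key(pkt))
```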

