September 17, 2015

join Linux to Windows domain

Use likewise-open

 PowerBroker Identity Services – Open Edition git repository: git://

Windows Machine Authentication:
A few links that were very helpful to me:
Many corporations deploy 802.1x machine authentication because it is more secure than username authentication. Here's a guide on how to do such authentication.

The basic idea is that when a machine joins an AD domain, the DC generates a password corresponding to that machine name. The password is hidden from administrators, but the open source software "likewise open" can retrieve it. So we can use the machine name and password to do 802.1x machine authentication with PEAP-MSCHAPv2, instead of an EAP-TLS certificate.
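As an added example (not part of the original post), here is a small shell helper that turns the machine name and the retrieved machine password into a wpa_supplicant network block for wired 802.1x PEAP/MSCHAPv2. It assumes the password has already been obtained from the likewise-open tooling (the `lsa ad-get-machine password` command named in the comments is an assumption) and that the RADIUS server's CA certificate is available locally; hostnames, domain and CA path are constructed sample values.

```shell
#!/bin/sh
# Added example: build a wpa_supplicant network block for 802.1X machine
# authentication with PEAP/MSCHAPv2 using the AD machine account.
# Assumption: on a likewise-open joined host the machine password can be
# read with `lsa ad-get-machine password` (not verified against this page).
# The AD account itself is <HOSTNAME>$; Windows supplicants present it to the
# RADIUS server as host/<fqdn> in lower case, which is what we emit here.

# $1 = short hostname, $2 = AD DNS domain
machine_identity() {
  printf 'host/%s.%s' "$1" "$2" | tr 'A-Z' 'a-z'
}

# Machine passwords are long, random and may contain quotes or backslashes,
# so emit the password as a bare hex string, which wpa_supplicant accepts
# for binary passwords and which needs no quoting or escaping.
hex_encode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# $1 = short hostname, $2 = AD DNS domain, $3 = machine password,
# $4 = path of the CA certificate that signed the RADIUS server certificate.
# Run wpa_supplicant with -Dwired and ap_scan=0 for an Ethernet port.
wired_peap_block() {
  cat <<EOF
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="$(machine_identity "$1" "$2")"
    password=$(hex_encode "$3")
    # Validate the RADIUS server certificate: without ca_cert and a
    # domain match, any rogue authenticator can collect the MSCHAPv2
    # exchange for the machine account.
    ca_cert="$4"
    domain_suffix_match="$2"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Constructed sample invocation; on a joined host pass the real values:
#   wired_peap_block "$(hostname -s)" corp.example.com "$MACHINE_PW" /etc/ssl/certs/corp-ca.pem
wired_peap_block WS01 corp.example.com 'sample"pass\word' /etc/ssl/certs/corp-ca.pem
```

Append the emitted block to /etc/wpa_supplicant.conf and keep that file root-only, since the machine password is equivalent to the machine's credential.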

The client is configured to provide some form of credentials when it connects to an 802.1x network.  These credentials could be in the form of a username/password, machine account/password, certificate, or a number of other lesser used credentials.

The RADIUS server (ISE in your case), just needs to be able to verify if the supplied credentials are accurate.  To verify username/password credentials, it can look in the local user database, or reach out to external repositories, such as AD.  To verify machine account/password credentials, it will need to reach out to AD.  To verify certificates, it needs to have the CA cert of the server that signed the client certificates installed.

In short, the client is the one that decides the credentials to supply, and ISE just needs to be able to validate them.

When discussing machine or user account authentication, you can do one or the other or even do both on a per client basis.

If you only want to do machine authentication, that's fine.  A benefit to machine authentication is that it can be done before a user actually logs into the PC.  So things like login scripts can be run.  But you can only do this on a PC that is in AD (unless you want to consider enabling EAP-TLS with certificates).

If you only want to do user authentication, that's fine as well.  This will happen after the user has logged into the OS.  So your laptop will not have a network connection if it's just sitting at a login prompt.

You can also do both.  Historically how this has worked is that the PC will do machine authentication when it first boots up.  Then once a user logs in, it will do a new authentication with the user credentials.  Not very many people did this.  With the latest anyconnect client and ISE, you can actually do both at the same time now (I think they call it EAP chaining).  But again, not many people do this.
