No Fancy Pictures this time.
So something I wanted to try for a long while, and I think I even tried last year during/after the Linux AD Lab was setting up a Windows NPS server to run as a Radius front-end to AD and get one of my Access points to auth to that as opposed to FreeRadius which I have been using for years.
Now there is nothing wrong with FreeRadius, I started with it back in my Pi2 testing days, and ran it off one of them for years until I migrated my main router to PF then OPNsense where it had the ability without a second device along with a nice gui, self contained Letsencrypt for certs..
I digress.
After figuring out NPS I got radtest authenticating to it from my Linux pc, Neat but not secure, FreeRadius was atleast using certs and such.
Certs… Wasnt there an AD component for Certs? Yup installed AD CA, generated up a cert for the computer and it was now able to authenticate via eapol_test.
Could I take this a step further though? currently it verified the server and used AD User name and Password for Authentication…
User certs! Yeah… In its current configuration I am setup for Cert/Smartcard login with user certs. No password. Neat and something I have never seen Freeradius do.
Next steps, I have multiple networks I want to provide separate logins for and I can see how to do this in NPS, something I dont see in Freeradius, atleast the one in Opnsense. so I will slowly migrate them over.
I think my only complaint is that either NPS or AD CA required the gui version of Windows server, I would have much preferred it to run from server core.