DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Machine-based authentication

27 Jan 2020 10:46 #1 by nichomach
Machine-based authentication was created by nichomach
Hi, I'm having a bit of a torrid time with RADIUS authentication (and what I'm trying may not be possible anyway!). I want to use machine-based RADIUS authentication with our DrayTeks (2860s and 2862s) as an alternative to pre-shared keys. We do this successfully with HPE Aruba access points internally and would like to extend this out to our DrayTek-equipped remote sites (basically, we've seen way too many cases of keys being handed out to inappropriate people and I don't want to use user-based RADIUS since I know that some muppet will hand Joe Contractor his flippin' AD credentials...). Has anyone tried this/got it working? Our RADIUS server is a Windows 2012R2 NPS server. I can get our test 2860 chatting happily to that, but when I try to get a machine to which the settings have been pushed via GPO to connect, it won't. Anyone got any ideas, or is my attempt doomed from the start, please?


29 Jan 2020 02:10 #2 by hornbyp
Replied by hornbyp on topic Re: Machine-based authentication
A couple of guides that might help...

I suspect you're already beyond this stage: https://www.draytek.co.uk/support/guides/kb-windows-radius

There's a little more detail here: https://www.draytek.co.uk/support/guides/kb-centralapm-radius

If you haven't already done so, it's probably worth getting SYSLOG configured, as that's where the error messages are going to appear.


29 Jan 2020 08:44 #3 by nichomach
Replied by nichomach on topic Re: Machine-based authentication
Thanks for the suggestions. I'm pretty far down the road in terms of configuring RADIUS on the Windows server and adding the clients in. I'll see what syslog says about it. It may be the case that it will only work with username and password, which would be a shame, but thanks for the information anyway!


03 Feb 2020 02:28 #4 by hornbyp
Replied by hornbyp on topic Re: Machine-based authentication

nichomach wrote:
It may be the case that it will only work with username and password, which would be a shame...


That may well be the case ...

I came across this (more comprehensive) guide, while looking for something else: Office Wireless with 802.1X Authentication

But I noticed,

They wrote:
When users connect to a DrayTek Vigor network with 802.1X authentication, their wireless client will need to be aware of these settings:

Phase 1 / EAP Method: PEAP
Phase 2: MS-CHAPv2
CA Certificate / Certificate Validation: Not enabled / Do Not Validate
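
Added example (not part of the thread or of DrayTek's guide): a Python check that reads a Windows WLAN profile, such as one written by `netsh wlan export profile`, and reports whether it uses machine authentication, which EAP methods it carries, and whether server certificate validation is switched off as in the settings quoted above. The sample profile is constructed and simplified; the element names (authMode, PerformServerValidation, ServerNames, TrustedRootCA) are assumed to match the Windows OneX/PEAP profile schema.

```python
import xml.etree.ElementTree as ET

EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP", "26": "MS-CHAPv2"}  # IANA EAP type numbers
NS = "http://www.microsoft.com/provisioning/"
# Constructed, simplified WLAN profile; the SSID and all values are made up.
SAMPLE_PROFILE = f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>ExampleCorpWiFi</name>
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <authMode>machine</authMode>
  <EAPConfig><EapHostConfig xmlns="{NS}EapHostConfig"><Config>
   <Eap xmlns="{NS}BaseEapConnectionPropertiesV1"><Type>25</Type>
    <EapType xmlns="{NS}MsPeapConnectionPropertiesV1">
     <ServerValidation><ServerNames></ServerNames></ServerValidation>
     <Eap xmlns="{NS}BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
     <PeapExtensions><PerformServerValidation
       xmlns="{NS}MsPeapConnectionPropertiesV2">false</PerformServerValidation>
     </PeapExtensions>
    </EapType></Eap>
  </Config></EapHostConfig></EAPConfig>
 </OneX></security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Report auth mode, EAP methods and server-validation weaknesses."""
    seen, eap, pinned_ca = {}, [], False
    for el in ET.fromstring(xml_text).iter():
        # Match on local element names so the nested namespaces do not matter.
        tag, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
        if tag == "Type":
            eap.append(EAP_NAMES.get(text, f"EAP type {text}"))
        elif tag == "TrustedRootCA":
            pinned_ca = pinned_ca or bool(text)
        elif tag in ("name", "authMode", "PerformServerValidation", "ServerNames"):
            seen.setdefault(tag, text)  # first occurrence wins (profile name comes first)
    findings = []
    if seen.get("PerformServerValidation", "").lower() != "true":
        findings.append("server certificate not validated: client will accept any RADIUS server")
    elif not (pinned_ca and seen.get("ServerNames")):
        findings.append("validation enabled but no trusted root CA and server name pinned")
    if seen.get("authMode") != "machine":
        findings.append(f"authMode is {seen.get('authMode')!r}; user credentials may be accepted")
    return {"ssid": seen.get("name"), "auth_mode": seen.get("authMode"),
            "eap": eap, "findings": findings}

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```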
