User:B2ag/Active Directory Integration/WPA-EPA-machine-auth

From ArchWiki

Joining a WiFi network that uses Cisco's machine authentication implementation against Microsoft Active Directory (PEAP with MSCHAPv2 inside, using the computer account's credentials).

On modern Windows the corresponding WLAN profile (read here from a Windows partition mounted at /mnt) looks like this:

cat /mnt/ProgramData/Microsoft/Wlansvc/Profiles/Interfaces/*/*
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
       <name>DATA</name>
       <SSIDConfig>
               <SSID>
                       <hex>12345678</hex>
                       <name>SSID</name>
               </SSID>
               <nonBroadcast>true</nonBroadcast>
       </SSIDConfig>
       <connectionType>ESS</connectionType>
       <connectionMode>auto</connectionMode>
       <autoSwitch>false</autoSwitch>
       <MSM>
               <security>
                       <authEncryption>
                               <authentication>WPA2</authentication>
                               <encryption>AES</encryption>
                               <useOneX>true</useOneX>
                       </authEncryption>
                       <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                               <cacheUserData>false</cacheUserData>
                               <authMode>machine</authMode>
                               <EAPConfig>
                                       <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                               <EapMethod>
                                                       <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
                                                       <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                                                       <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                                                       <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                                               </EapMethod>
                                               <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                                       <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                                                               <Type>25</Type>
                                                               <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                                                                       <ServerValidation>
                                                                               <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                                                                               <ServerNames></ServerNames>
                                                                       </ServerValidation>
                                                                       <FastReconnect>true</FastReconnect>
                                                                       <InnerEapOptional>false</InnerEapOptional>
                                                                       <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                                                                               <Type>26</Type>
                                                                               <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                                                                                       <UseWinLogonCredentials>false</UseWinLogonCredentials>
                                                                               </EapType>
                                                                       </Eap>
                                                                       <EnableQuarantineChecks>false</EnableQuarantineChecks>
                                                                       <RequireCryptoBinding>false</RequireCryptoBinding>
                                                                       <PeapExtensions>
                                                                               <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
                                                                               <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
                                                                       </PeapExtensions>
                                                               </EapType>
                                                       </Eap>
                                               </Config>
                                       </EapHostConfig>
                               </EAPConfig>
                       </OneX>
               </security>
       </MSM>
</WLANProfile>
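A check worth running over such a profile before reproducing it on Linux, added here as an example (it is not from the original page and not Microsoft's code): it pulls the 802.1X settings out of the XML and flags the one security-relevant value in the profile above, PerformServerValidation set to false, which means the supplicant does not validate the RADIUS server's certificate before running the inner MSCHAPv2 exchange. The embedded SAMPLE_PROFILE is constructed and trimmed to the elements the check needs; its values mirror the profile above.

```python
"""Audit the 802.1X settings of a Windows WLANProfile XML.

Added example for this page, not the original author's code. It reads a
profile like the one shown above and reports the outer and inner EAP
methods, the OneX auth mode and whether PEAP server-certificate validation
is enabled. SAMPLE_PROFILE is a constructed profile trimmed to the elements
the check needs; its values mirror the profile on the page.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the profile (the prefixes are local to this script).
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ox": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
    "be": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# IANA EAP method numbers that appear in these profiles.
EAP_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed, trimmed profile with the same values as the one on the page.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>DATA</name>
  <SSIDConfig><SSID><name>SSID</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation><ServerNames></ServerNames></ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
            <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def _text(el, path):
    """Text of the first match of `path` under `el`: '' if empty, None if absent."""
    node = el.find(path, NS)
    if node is None:
        return None
    return (node.text or "").strip()


def audit_profile(xml_text):
    """Return the profile's 802.1X settings plus a list of findings."""
    root = ET.fromstring(xml_text)
    onex = root.find("p:MSM/p:security/ox:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX (802.1X) section")
    host = onex.find("ox:EAPConfig/eh:EapHostConfig", NS)
    if host is None:
        raise ValueError("OneX section has no EapHostConfig")
    outer = int(_text(host, "eh:EapMethod/ec:Type"))
    result = {
        "ssid": _text(root, "p:SSIDConfig/p:SSID/p:name"),
        "auth_mode": _text(onex, "ox:authMode"),
        "outer_eap": EAP_NAMES.get(outer, str(outer)),
        "inner_eap": None,
        "server_validation": None,
        "server_names": None,
        "findings": [],
    }
    peap = host.find("eh:Config/be:Eap/peap:EapType", NS)
    if peap is not None:
        inner = _text(peap, "be:Eap/be:Type")
        if inner:
            result["inner_eap"] = EAP_NAMES.get(int(inner), inner)
        result["server_validation"] = (
            _text(peap, "peap:PeapExtensions/peap2:PerformServerValidation") == "true")
        result["server_names"] = _text(peap, "peap:ServerValidation/peap:ServerNames") or ""
        if not result["server_validation"]:
            result["findings"].append(
                "PEAP server certificate validation is off: the supplicant does not "
                "verify the RADIUS server before running the inner MSCHAPv2 exchange")
        elif not result["server_names"]:
            result["findings"].append(
                "server validation is on but ServerNames is empty: any certificate "
                "from a trusted CA is accepted")
    return result


if __name__ == "__main__":
    import json
    import sys
    # Usage: python3 wlanaudit.py /mnt/ProgramData/Microsoft/Wlansvc/Profiles/Interfaces/<guid>/<guid>.xml
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(json.dumps(audit_profile(data), indent=2))
```

Run against the profile above it reports outer PEAP, inner EAP-MSCHAPv2, authMode machine and one finding for the disabled server validation. The nmcli connection further down the page mirrors that setting: it sets no 802-1x.ca-cert, so NetworkManager does not check the server certificate either.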


We need WPA-EAP with the credentials of our Active Directory machine account.

We can read the machine account password from Samba's secrets database:

sudo tdbdump -k SECRETS/MACHINE_PASSWORD/**DOMAIN** /var/lib/samba/private/secrets.tdb 

tdbdump prints the stored password; with it, written as hex ("SAMBA MACHINE ACCOUNT PASSWORD AS HEX" below), we can add a new wireless connection. IMPORTANT: drop the trailing null byte (00) before passing it to nmcli.

sudo nmcli con add type wifi ifname WIFI-INTERFACE 802-11-wireless.ssid SSID \
802-1x.eap peap 802-1x.identity host/MACHINE.DOMAIN \
802-1x.password-raw "SAMBA MACHINE ACCOUNT PASSWORD AS HEX" 802-1x.phase2-auth mschapv2 \
wifi-sec.key-mgmt wpa-eap

Then bring it up:

sudo nmcli con up wifi-WIFI-INTERFACE
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/42)


Important: machine account passwords usually change at a 30-day interval. Todo: find some way to copy the password from Samba on demand.

TODO: tune the sed line to transform printable characters to hex.
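One way to do the printable-to-hex conversion and the on-demand copy from Samba, added here as an example (it is not the page author's script and not part of Samba or NetworkManager): the script decodes the data(...) record from tdbdump output into raw bytes, drops the trailing null byte as the page says, and prints the hex string for 802-1x.password-raw. It assumes tdbdump's output format (printable bytes shown literally, every other byte as a backslash followed by two hex digits); SAMPLE_DUMP is a constructed record in that format, and DOMAIN, MACHINE and the interface name are placeholders.

```python
"""Convert the Samba machine password, as printed by tdbdump, into the hex
string that nmcli's 802-1x.password-raw expects.

Added example for this page, not the original author's code. Assumption:
tdbdump prints each record as key(N) = "..." / data(N) = "..." lines, with
printable bytes shown literally and every other byte as \\XX (two hex
digits). SAMPLE_DUMP is a constructed record in that format; DOMAIN,
MACHINE and the interface name are placeholders.
"""
import re
import sys

DATA_LINE = re.compile(r'^data\((\d+)\) = "(.*)"$', re.MULTILINE)
HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")

# Constructed 9-byte record: Pa\s"wé followed by the terminating NUL
# (backslash, quote and the two UTF-8 bytes of é are escaped as tdbdump would).
SAMPLE_DUMP = """{
key(31) = "SECRETS/MACHINE_PASSWORD/DOMAIN"
data(9) = "Pa\\5Cs\\22w\\C3\\A9\\00"
}
"""


def decode_tdb_data(dump_text):
    """Return the raw bytes of the first data(...) record in `dump_text`."""
    m = DATA_LINE.search(dump_text)
    if m is None:
        raise ValueError("no data(...) record in tdbdump output")
    declared, body = int(m.group(1)), m.group(2)
    out = bytearray()
    pos = 0
    while pos < len(body):
        if body[pos] == "\\":
            esc = HEX_ESCAPE.match(body, pos)
            if esc is None:
                raise ValueError(f"bad escape at offset {pos}: {body[pos:pos + 3]!r}")
            out.append(int(esc.group(1), 16))
            pos = esc.end()
        else:
            out.append(ord(body[pos]))  # printable ASCII, shown literally
            pos += 1
    # The declared length is a cheap integrity check on our decoding.
    if len(out) != declared:
        raise ValueError(f"decoded {len(out)} bytes but record declares {declared}")
    return bytes(out)


def machine_password_hex(dump_text):
    """Hex of the password bytes without the trailing NUL the page says to drop."""
    raw = decode_tdb_data(dump_text)
    if raw.endswith(b"\x00"):
        raw = raw[:-1]
    return raw.hex()


def nmcli_add_args(ifname, ssid, machine, domain, password_hex):
    """argv for the connection-add command on this page, as a list (no shell quoting)."""
    return ["nmcli", "con", "add", "type", "wifi", "ifname", ifname,
            "802-11-wireless.ssid", ssid,
            "802-1x.eap", "peap", "802-1x.identity", f"host/{machine}.{domain}",
            "802-1x.password-raw", password_hex,
            "802-1x.phase2-auth", "mschapv2",
            "wifi-sec.key-mgmt", "wpa-eap"]


if __name__ == "__main__":
    # Usage: sudo tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN \
    #            /var/lib/samba/private/secrets.tdb | python3 machinepw.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(machine_password_hex(dump))
```

secrets.tdb is readable by root only, so the tdbdump side still needs sudo. After each machine password rotation the same pipeline can be re-run and the stored secret refreshed with `nmcli con modify <connection> 802-1x.password-raw <hex>` instead of adding a new connection.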