User:B2ag/Active Directory Integration/WPA-EPA-machine-auth
Joining a WiFi network that uses Cisco's (machine) authentication implementation against Microsoft Active Directory, from a Linux client that is already a member of the domain through Samba.
On a modern Windows client the corresponding WLANProfile looks like this (read here from a mounted Windows partition):
cat /mnt/ProgramData/Microsoft/Wlansvc/Profiles/Interfaces/*/*
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>DATA</name>
  <SSIDConfig>
    <SSID>
      <hex>12345678</hex>
      <name>SSID</name>
    </SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>false</cacheUserData>
        <authMode>machine</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <FastReconnect>true</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <UseWinLogonCredentials>false</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
To do the same from Linux we need WPA-EAP (PEAP with MSCHAPv2 as the inner method, matching EAP types 25 and 26 in the profile above) and the credentials of our Active Directory machine account.
We can ask Samba for the machine account password; it is stored in secrets.tdb under a key that ends in the short (workgroup) domain name, so replace DOMAIN accordingly:
sudo tdbdump -k SECRETS/MACHINE_PASSWORD/**DOMAIN** /var/lib/samba/private/secrets.tdb
With that "SAMBA MACHINE ACCOUNT PASSWORD AS HEX" we can add a new wireless connection. IMPORTANT: drop the last null byte (00) that Samba stores as the string terminator, otherwise authentication fails.
sudo nmcli con add type wifi ifname WIFI-INTERFACE 802-11-wireless.ssid SSID \
    802-1x.eap peap 802-1x.identity host/MACHINE.DOMAIN \
    802-1x.password-raw "SAMBA MACHINE ACCOUNT PASSWORD AS HEX" 802-1x.phase2-auth mschapv2 \
    wifi-sec.key-mgmt wpa-eap
And bring it up:
sudo nmcli con up wifi-WIFI-INTERFACE
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/42)
Important: machine account passwords are usually rotated at a 30 day interval, so the password-raw stored in the connection has to be refreshed after each change.
Todo: Find some way to copy the password from Samba on demand.
TODO: tune the sed line to transform printable chars to hex.
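A shell helper for the two TODOs above, written here as an added example (it is not part of the original page): it turns tdbdump's escaped output into the hex string that 802-1x.password-raw expects, drops the trailing null byte, and re-reads the password from Samba to refresh the connection after a rotation. The tdbdump escape format described in the comments, and the function names machine_password_hex and nm_refresh_machine_password, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page.
# Assumption: `tdbdump -k KEY FILE` prints printable bytes literally and every
# other byte (including '"' and '\') as a backslash plus two hex digits, e.g.
#   Ab\5C\22z\00
# The final \00 is the C string terminator Samba keeps with the password and is
# exactly the "last null byte" the page says to drop.

tdb_escaped_to_hex() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        case $s in
            \\[0-9A-Fa-f][0-9A-Fa-f]*)
                # \XX escape: keep the two hex digits as they are
                out="$out$(printf '%s' "$s" | cut -c2-3)"
                s=${s#???}
                ;;
            *)
                # literal printable character: hex-encode its byte
                c=${s%"${s#?}"}
                out="$out$(printf '%s' "$c" | od -An -tx1 | tr -d ' \n')"
                s=${s#?}
                ;;
        esac
    done
    out=$(printf '%s' "$out" | tr 'A-F' 'a-f')
    # drop the trailing null terminator if present
    printf '%s\n' "${out%00}"
}

# First TODO: read the current machine password straight from Samba.
# $1 is the short (workgroup) domain name. Not run when the file is sourced.
machine_password_hex() {
    tdb_escaped_to_hex "$(sudo tdbdump -k "SECRETS/MACHINE_PASSWORD/$1" \
        /var/lib/samba/private/secrets.tdb)"
}

# After the 30 day rotation, update the existing connection in place, e.g.
#   nm_refresh_machine_password wifi-WIFI-INTERFACE DOMAIN
nm_refresh_machine_password() {
    sudo nmcli con modify "$1" 802-1x.password-raw "$(machine_password_hex "$2")"
}
```

Note that the Windows profile above sets PerformServerValidation to false and the nmcli command on the page sets no 802-1x.ca-cert, so neither client checks the RADIUS server's certificate; adding 802-1x.ca-cert and 802-1x.domain-suffix-match to the nmcli command closes that gap.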