I set up my Unifi Controller to authenticate my notebooks via WPA2 Enterprise through an NPS with its own certificate. The notebooks are authenticated with their computer accounts through Active Directory. The wireless network with all the information (SSID, certificate, authentication method, encryption) is pushed via GPO. This works flawlessly on all my Windows machines.
Now I tried to set this up for a Raspberry Pi running Raspbian in my network. The Pi is successfully bound to the Active Directory with SSSD, and I put it in the computer group which is allowed to authenticate in NPS and connect to the defined network.
When I try to connect with my Pi I get the following log entry on the NPS:
<Event>
<Timestamp data_type="4">08/17/2022 10:57:42.514</Timestamp>
<Computer-Name data_type="1">PI_HOSTNAME</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<User-Name data_type="1">PI_HOSTNAME</User-Name>
<NAS-IP-Address data_type="3">IP_AccessPoint</NAS-IP-Address>
<NAS-Identifier data_type="1">IDENTIFIER_ID</NAS-Identifier>
<Called-Station-Id data_type="1">XX-XX-XX-XX-XX-XX:SSID</Called-Station-Id>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Service-Type data_type="0">2</Service-Type>
<Calling-Station-Id data_type="1">XX-XX-XX-XX-XX-XX</Calling-Station-Id>
<Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info>
<Acct-Session-Id data_type="1">SESSION_ID</Acct-Session-Id>
<Acct-Multi-Session-Id data_type="1">Multi_SESSION_ID</Acct-Multi-Session-Id>
<Framed-MTU data_type="0">1400</Framed-MTU>
<Client-IP-Address data_type="3">IP_AccessPoint</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">HOSTNAME_AccessPoint</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">POLICY_NAME</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">DOMAIN\PI_HOSTNAME</SAM-Account-Name>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\PI_HOSTNAME</Fully-Qualifed-User-Name>
<Class data_type="1">311 1 NPS_IP 08/15/2022 06:35:36 250</Class>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Timestamp data_type="4">08/17/2022 10:57:42.514</Timestamp>
<Computer-Name data_type="1">NPS_HOSTNAME</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 NPS_IP 08/15/2022 06:35:36 250</Class>
<Authentication-Type data_type="0">5</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\PI_HOSTNAME</Fully-Qualifed-User-Name>
<SAM-Account-Name data_type="1">DOMAIN\PI_HOSTNAME</SAM-Account-Name>
<Acct-Session-Id data_type="1">SESSION_ID</Acct-Session-Id>
<Provider-Type data_type="0">1</Provider-Type>
<Proxy-Policy-Name data_type="1">POLICY_NAME</Proxy-Policy-Name>
<Client-Friendly-Name data_type="1">HOSTNAME_AccessPoint</Client-Friendly-Name>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-IP-Address data_type="3">IP_AccessPoint</Client-IP-Address>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">8</Reason-Code>
</Event>
My /etc/wpa_supplicant/wpa_supplicant.config on the Pi is as follows:
# control socket used by wpa_cli; the netdev group may manage it
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=CH
network={
    ssid="SSID"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TTLS
    identity="PI_HOSTNAME"
    # the RADIUS (NPS) server certificate is validated against this CA
    ca_cert="/opt/wlan_cert/CA.pem"
    priority=1
}
I am not sure how exactly it should work with the computer account authentication, since I have only worked with authentication to servers but not to clients. I tried to look up countless other posts, but sadly most of them use authentication via user accounts and are therefore not relevant for me right now. I am also curious whether it is even possible to do it the way I want to.
I would appreciate any help on this case, and if you need any more information on my current configuration, feel free to ask.
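As an added example (not code from the post or from NPS), here is a small triage script for NPS XML-format log events like the two quoted above. It pairs the Access-Request with the Access-Reject that shares its Acct-Session-Id and translates the numeric fields using the documented NPS/RADIUS code values (Packet-Type 1/3 = Access-Request/Access-Reject, Authentication-Type 5 = EAP, NAS-Port-Type 19 = Wireless-IEEE 802.11, Reason-Code 8 = "the specified user account does not exist"). The embedded sample is a constructed, trimmed copy of the events in the post with the same placeholder values; the code tables list only the values needed here.

```python
"""Triage helper for NPS (IAS) XML-format log events.

Pairs each Access-Request with the Access-Accept/Reject logged for the same
Acct-Session-Id and translates the numeric codes into readable text.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Documented RADIUS/NPS values; only the subset needed for this log is listed.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 11: "PEAP"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-IEEE 802.11"}
REASON_CODES = {
    0: "IAS_SUCCESS: request authenticated and authorised",
    8: "IAS_NO_SUCH_USER: the specified user account does not exist",
    16: "IAS_AUTH_FAILURE: credentials were rejected",
    48: "IAS_NO_POLICY_MATCH: no network policy matched the request",
    66: "IAS_AUTH_TYPE_NOT_ALLOWED: authentication method not enabled in the matched policy",
}

# Constructed sample: a trimmed copy of the two events quoted in the post.
SAMPLE_LOG = r"""
<Event>
<Computer-Name data_type="1">PI_HOSTNAME</Computer-Name>
<User-Name data_type="1">PI_HOSTNAME</User-Name>
<NAS-Port-Type data_type="0">19</NAS-Port-Type>
<Calling-Station-Id data_type="1">XX-XX-XX-XX-XX-XX</Calling-Station-Id>
<Acct-Session-Id data_type="1">SESSION_ID</Acct-Session-Id>
<Client-Friendly-Name data_type="1">HOSTNAME_AccessPoint</Client-Friendly-Name>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\PI_HOSTNAME</Fully-Qualifed-User-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
<Computer-Name data_type="1">NPS_HOSTNAME</Computer-Name>
<Authentication-Type data_type="0">5</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\PI_HOSTNAME</Fully-Qualifed-User-Name>
<Acct-Session-Id data_type="1">SESSION_ID</Acct-Session-Id>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">8</Reason-Code>
</Event>
"""


def parse_events(text):
    """Parse a run of <Event> elements (the NPS log file has no enclosing root)
    into dicts keyed by attribute name; data_type 0 (integer) values become ints."""
    root = ET.fromstring("<Log>" + text + "</Log>")
    events = []
    for ev in root.findall("Event"):
        rec = {}
        for child in ev:
            value = child.text or ""
            if child.get("data_type") == "0":
                value = int(value)
            rec[child.tag] = value
        events.append(rec)
    return events


def summarize_sessions(events):
    """Group events by Acct-Session-Id and describe the outcome of each session."""
    sessions = defaultdict(lambda: {"request": None, "responses": []})
    for rec in events:
        sid = rec.get("Acct-Session-Id", "<no session id>")
        if rec.get("Packet-Type") == 1:
            sessions[sid]["request"] = rec
        else:
            sessions[sid]["responses"].append(rec)

    summary = {}
    for sid, s in sessions.items():
        req = s["request"] or {}
        final = s["responses"][-1] if s["responses"] else None
        src = final or req                      # the response carries the resolved name
        code = final.get("Reason-Code") if final else None
        summary[sid] = {
            "user": src.get("Fully-Qualifed-User-Name") or req.get("User-Name"),
            "nas": req.get("Client-Friendly-Name"),
            "calling_station": req.get("Calling-Station-Id"),
            "port_type": NAS_PORT_TYPES.get(req.get("NAS-Port-Type"), "unknown"),
            "auth_type": AUTH_TYPES.get(src.get("Authentication-Type"), "unknown"),
            "outcome": PACKET_TYPES.get(final["Packet-Type"], "unknown") if final else "no response logged",
            "reason_code": code,
            "reason": REASON_CODES.get(code, f"unlisted reason code {code}") if code is not None else None,
        }
    return summary


if __name__ == "__main__":
    for sid, s in summarize_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"session {sid}: {s['user']} via {s['nas']} ({s['port_type']}, {s['auth_type']})")
        print(f"  -> {s['outcome']} (reason {s['reason_code']}: {s['reason']})")
```

To run it against a real server, read the current file from the NPS log directory (by default `%SystemRoot%\System32\LogFiles`) and pass its contents to `parse_events`; the wrapper root is needed because NPS writes a bare sequence of `<Event>` elements. The Reason-Code table is deliberately short; extend it from the NPS documentation as other codes appear in your logs.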