Hi,
With RADIUS in UCS and our Unifi Wifi infrastructure I can now successfully log in to the wifi on my Xubuntu client using a UCS user account/credentials.
But what I’d like to have is something I deploy on the machine so that the machine authenticates before the user logs in.
So I’d like to have every client having its own credentials so I can disable one of them centrally without touching all the others (like I had to do when I use PSK). I guess it’ll be a certificate that I’m going to need for each client?!
Since I’m a noob on this topic I don’t have any clue what to google for…
Clients will only be linux machines that are already part of the ucs domain.
Any hint which direction to look at?
If I need that, I add for each client an extra user like “-wifi”, but with minimal rights. That is working fine. And no, a certificate is not needed, but recommended, because of a honeypot. I use the UCS certificate with client verification for that.
Well, if no certificate is requested by the client, someone could offer the same wifi and, depending on the access method, user data could be transmitted unencrypted and read out. Therefore, always request a certificate from the client.
I use the UCS RADIUS extension, maintained by ITEAS IT Services GmbH: https://apt.iteas.at
ucs-iteas-radius
ucs-iteas-radius-schema
ucs-iteas-radius-wlan
With that you can easily set up RADIUS with user groups for wifi. I add a user, for example “nb-josef-wifi”, this user in a special realm, and a wifi group. This is done for notebooks, scanners, printers… that is all.
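To check the point made in the thread about clients verifying the RADIUS server certificate, here is an added example (not written by any poster here, and not part of UCS or the ITEAS packages). It assumes the Linux clients store their wifi profiles in NetworkManager keyfile format; the profile contents, CA path and server name are constructed placeholders.

```python
import configparser

# Constructed sample profile in NetworkManager keyfile format; all values are made up.
WEAK = """\
[connection]
id=office-wifi
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=nb-example-wifi
phase2-auth=mschapv2
"""
# Same profile with a pinned CA and an expected server name (placeholder values).
PINNED = WEAK + (
    "ca-cert=/etc/ssl/certs/example-ucs-ca.pem\n"
    "domain-suffix-match=radius.example.test\n"
)

NAME_KEYS = ("domain-suffix-match", "domain-match", "altsubject-matches", "subject-match")


def audit_profile(text):
    """Return findings for one profile; an empty list means nothing to report."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.get("wifi-security", "key-mgmt", fallback="").startswith("wpa-eap"):
        return []  # PSK or open network: no RADIUS server certificate involved
    findings = []
    has_ca = bool(cp.get("802-1x", "ca-cert", fallback="").strip())
    system_ca = cp.get("802-1x", "system-ca-certs", fallback="false").strip().lower() == "true"
    if not (has_ca or system_ca):
        findings.append("no CA configured: any server certificate is accepted")
    if not any(cp.get("802-1x", k, fallback="").strip() for k in NAME_KEYS):
        findings.append("no server name check: any certificate from the CA is accepted")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("pinned", PINNED)):
        print(label, audit_profile(profile) or "ok")
```

Run it over each deployed profile's text before rollout; a profile that returns findings will hand its per-machine credentials to whatever access point answers with the same SSID.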