Wifi Auth per Client/Machine (not User)

Hi,
with Radius in UCS and our Unifi Wifi Infrastructure I can now successfully log in to the wifi on my Xubuntu client using a UCS User Account/Credentials.
But what I’d like to have is something I deploy on the machine so that the machine authenticates before the user logs in.
So I’d like to have every client having its own credentials so I can disable one of them centrally without touching all the others (like I had to do when I use PSK). I guess it’ll be a certificate that I’m going to need for each client?!
Since I’m a noob on this topic I don’t have any clue what to google for…
Clients will only be Linux machines that are already part of the UCS domain.
Any hint which direction to look at?

Thanks a lot and kind regards

Am I right that it’s EAP-TLS what I’m looking for?
Any hints on how to use this with UCS?


Hello,

Did you manage to figure this out? I’m trying to implement the same system at my company.

Thanks

If I need that, I add for each client an extra user like “-wifi”, but with minimal rights. That is working fine. And no, a certificate is not needed, but recommended, because of a honeypot. I use for that the UCS certificate with client verification.


Not yet, but I stopped working on the topic.

Thanks for your reply. Can you point us to a more verbose explanation?
Adding a -wifi user in UCS for each machine?
What do you mean by “honeypot”?

Well, if no certificate is requested by the client, someone could offer the same wifi and, depending on the access method, user data could be transmitted unencrypted and read out. Therefore, always request a certificate from the client.

I use the UCS RADIUS extension, maintained by ITEAS IT Services GmbH: https://apt.iteas.at

  • ucs-iteas-radius
  • ucs-iteas-radius-schema
  • ucs-iteas-radius-wlan

With that you can easily set up RADIUS with user groups for wifi. I add a user, for example “nb-josef-wifi”, this user in a special realm, and a wifi group. This is done for notebooks, scanners, printers… that is all.

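Added example, not part of any post above and not code from UCS or the ITEAS packages: a Python check for a NetworkManager keyfile profile on a Linux client, covering the two points this thread turns on, whether the profile can connect before a user logs in and whether the client validates the RADIUS server certificate. The two profiles are constructed samples; the user name, password, CA path and server name are placeholders, and the identity is the example name from the last post.

```python
import configparser

# Constructed sample profiles (placeholder user, password, CA path, server name).
WEAK = """
[connection]
id=office-wifi
type=wifi
permissions=user:josef:;
[802-1x]
eap=peap;
identity=nb-josef-wifi
phase2-auth=mschapv2
password-flags=1
"""
HARDENED = """
[connection]
id=office-wifi
type=wifi
permissions=
[802-1x]
eap=peap;
identity=nb-josef-wifi
password=PLACEHOLDER
password-flags=0
phase2-auth=mschapv2
ca-cert=/path/to/radius-ca.pem
domain-suffix-match=radius.example.org
"""

def audit_profile(text):
    """Return finding codes for one NetworkManager keyfile profile."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    conn, x = cp["connection"], cp["802-1x"]
    methods = [m for m in x.get("eap", "").split(";") if m]
    findings = []
    if conn.get("permissions", "").strip(";"):
        findings.append("user-bound")         # only usable inside that user's session
    flag_key = "private-key-password-flags" if "tls" in methods else "password-flags"
    if int(x.get(flag_key, "0")) != 0:
        findings.append("secret-not-system")  # secret is supplied by a user agent, not stored system-wide
    if not x.get("ca-cert") and x.get("system-ca-certs", "false") != "true":
        findings.append("no-ca")              # RADIUS server certificate is never checked
    if not (x.get("domain-suffix-match") or x.get("altsubject-matches")):
        findings.append("no-server-name")     # any certificate issued by that CA is accepted
    return findings
```

On a client, the profiles to feed into `audit_profile` are the files under `/etc/NetworkManager/system-connections/`, readable only by root.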