I am running a dozen assorted physical and virtual servers with Ubuntu 22-24 and one lonely Windows 11 Pro VM in my home lab behind Pfsense CE 2.7.2 and I am looking for a SIMPLE authentication method to keep all my passwords straight. Knowing my limits with Windows I decided on Freeradius.
To start, none of these servers are exposed to the interwebs. All of the Ubuntu servers were ridiculously easy to set up with a VM running Freeradius then I realized there was a version available on Pfsense. I configured Freeradius on Pfsense and dumped the VM and it was downhill from there … until I came to that one damn Windows box. I am not a Windows guy. I can stumble through most things but NPS/802.1x/Radius was completely foreign territory to me (give me Unix PAM any day over this!).
To be perfectly clear, it’s just me authenticating on my servers in my home lab I am comfortable running Freeradius in its basic default mode without AD or any other back end databases. Unfortunately I cannot find a video or doc that doesn’t have every other flavor in the mix. And if I do find something simple its not about Win 11 which, also, is apparently quite different than Win 10.
Can anyone point me to a K.I.S.S. version of how to configure 802.1x/authendication on a Windows 11 Pro VM talking to the Pfsense Freeradius service? Since it’s Winders pictures would be nice, but I’ll take whatever I can get. Thanks for reading!
Since that post I have installed Freeradius on a Proxmox/Ubuntu VM w/2GB Memory and 1 CPU. I also duplicated my small configuration on my pfSense box in case something goes poop on the VM or the Proxmox cluster. All (7) of my Ubuntu VMs and 3 other physical Ubuntu boxes authenticate through Freeradius just fine. I shutdown the FR VM and the clients authenticated through pfSense Freeradius just fine (both IP’s are listed in the client configs).
As a further test, disabling FR on pfSense allowed the local accounts on the clients to authenticate fine, too. Mission (partially) Accomplished.
Still looking for a how-to for configuring Windows 11 users to authenticate through the Freeradius VM … Anyone … anyone … Bueller?
Are you authenticating using certificates ? The link below is article from microsoft on settings for the client. Basically how I have always done it in different versions. Hope that helps.
Thanks for the link. In my home lab all laptops, desktops, servers are hard wired. There is no wifi specific authentication. From what I have read it seems that EAP wants to use a wifi network. Am I missing something? Also, as this is a home lab the radius servers are not exposed to the interwebs and I was not using certificates. Can I use a wired network for “EAP” on Windows to authenticate to my Freeradius server? Is it correct that “EAP” is now what used to be called a RADIUS client? Apologies but I am a Unix guy and I stumble through Windows …
I will try and answer based on how I am interpreting your response. Disclaimer though this subject is very large and a lot of fundamentals should be understood. To be sure the concepts play/work with each other. See below each area of your response for my thoughts maybe it will help a little.
Thanks for the link. In my home lab all laptops, desktops, servers are hard wired. There is no wifi specific authentication. From what I have read it seems that EAP wants to use a wifi network. Am I missing something?
The same article also has the wired implementation on this subject. You have to select it though and its easy to miss if you don’t know where to look. Its part of a tab section, and it will say wired.
Also, as this is a home lab the radius servers are not exposed to the interwebs and I was not using certificates. Can I use a wired network for “EAP” on Windows to authenticate to my Freeradius server?
Multiple part answer. Yes you can use a wired network for EAP on Windows. See previous answer about the tabs in the article. As far as radius servers go exposure to the internet or being used for internal situations. Should be planned and based on your use case. It should work in both settings though with no limitation.
Is it correct that “EAP” is now what used to be called a RADIUS client? Apologies but I am a Unix guy and I stumble through Windows …
EAP is a protocol used in a radius setting. Technically a radius client would be any client that wants to use radius for its authentication this also means it doesn’t have to use EAP. The caveat though nowadays its pretty much the defacto standard. From a simple thought process though, I could see how you could interpret EAP as being called a radius client. Since most articles and implementations refer to EAP in the use case kind of that way. Just be careful though because at its fundamental level the statement would be incorrect. Hope this helps you on your journey.
All this can be a complex subject. From reading what your questions and responses are. One major question to ask yourself would be, is this really necessary for you to implement. For home use or are you just wanting to learn more on the subject?